Security :: Permission Configuration For SFTP User?
Jun 8, 2011
I've run into my first Linux/Unix roadblock and need support. I am creating a user strictly for SFTP and need them to login to a specific folder as well as set their navigate, write, and read permissions appropriatly but am having trouble. I was able to modify /etc/passwd to change their home location upon login but was warned that it was a bit dangerous to modify this file, even though my login test worked, and that I should look for an alternate solution in case shadow passwords were used. I'm reading up on chmod and understand the binary relationship but still can't seem to put the pieces together for each folder I'm working in. Below is what I need to satisfy: username for this test will be 'customer'
Example folder: /storage/company/files
1. User 'customer' needs to login to /storage/company/ by default.
2. User 'customer' needs browse, write, and read permissions to /storage/company/ and ALL files and subdirectories within this folder
3. User 'customer' must be UNABLE to navigate backwards toward folder root / or in general, navigate out of their primary home location.
created a user but i forgot to change the home directory permission.so after user created when i go to the user and group mangement i cant see that permission filed related to the home permission directory.my purpose is to stop accessing other user to my home directory,how it can be possible??
I'm trying to set up a Fedora 11 server so that users have only SFTP access. The relevant lines from my "/etc/ssh/sshd_config" are:
[Code]....
I can log in okay, I can type "cd /" and "cd upload", but when I try an "ls" command, I get: Couldn't get handle: Permission deniedand when I try to get the file "junk" (listed above), I get: Couldn't stat remote file: Permission deniedAnyone know what I'm doing wrong?
I would like to allow a user to login through SSH but with different permission coming from different ipaddress.
For example, a user "tester" login to SSH through 192.168.1.1 and another user login with the same login id "tester" but from different ip 192.168.1.2.
How do I restrict 192.168.1.2 to only allow for viewing the content in the home directory while giving 192.168.1.1 full access?
I would like to allow a user to login through SSH but with differentpermission coming from different ipaddress.For example, a user "tester" login to SSH through 192.168.1.1 andanother user login with the same login id "tester" but from differentip 192.168.1.2.How do I restrict 192.168.1.2 to only allow for viewing the content inthe home directory while giving 192.168.1.1 full access?I got a suggestion from some oneApproach 1) Based on the ip you change the shell. If it's just for read only ajail would be fine.but how do I change shell based on IP?Approach 2) to have two ssh instances. Let's say port 22 and port 24. Port 22 isfor read only, while port 24 is for full accessso how can it be possible to give port 22 only read only access to SSH
I have configured the sftp in ubuntu 9.10, I could able to connect through the port 22, but not connected to users home folder. where do I need to configure so that users can connect / restrict to only their folder
if lets say 'someuser' sftp's into the box what is he actually able to do?Looking at my tests he can browse any directory to which he has read permissions but is only able to delete files in /home/someuser, even if they are owned by root. On the other hand in any folder above /home/someuser he would NOT be unable to delete a file even if its chmoded 777. Can anyone please confirm these findings.
I just installed Wordpress and i am delighted of it, nice peace of software. Even so I have to get running a FTP or SFTP server on my localhost machine. I did installed in my Ubuntu 10.10 the VSFTPD server and generated a RSA certificate file (vsftpd.pem). Strange it is that there is no vsftpd folder under /etc, instead vsftpd.conf file is directly into /etc ... so I have generated also my .pem file into /etc. Anyway I have a lot of trouble adding new users to access this server. I use Filezilla as SFTP client. Please let me know if you encountered such an issue, and what is the solution for it. Downwards is my vsftpd.conf file.
# Example config file /etc/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable.
Is it possible to limit each user so that only one can connect via each username for ssh/sftp? I work with a small company where there aren't really enough of us to justify using a revision control system, but we don't want to accidentally step on each other's toes, so we'd like to try simply preventing more than one person from accessing a given domain at once.
I've made an SSH server using OpenSSH on my desktop Ubuntu (10.4) for tunneling. However, I'm noticing that the public account I made for my SSH (one to give to friends to use proxy) has SFTP access to crucial system files. I'm okay with SFTP being enabled on my account, but not on this public account. Does anyone know of anyway to either disable SFTP to that user, or restrict access to important files?
I have tried, to set this up, but failed what kind of ftp would you guys recomend, as i have been having slight problems over recent days, with unknowns logging onto my annon ftp server, delt with mind.
I am thinking about a proper login even for the annon account, fairly easy to setup.
i want to allow some friends to ssh/sftp/scp into my system but i only want them to have access to my external hard drive (/media/externalHD/), and i dont want them to be able to delete or add anything, only download.i have found instructions on how to limit a user to his/her home directory and thought about just creating a user with the home directory /media/externalHD but idk if this will work and im afraid i might make a mistake and delete 800gb of 'files'
if i want user should`t have more than 20 sftp connections to a server,is there any way we can limit no.of connections to a particular user on the server using ssh configuration
I am using debian squeeze. I haven't changed much and I am a newb at this sorry. I can use the SFTP, but I can't use the FTP under any account. I can't find a conf file or anything for this.
I need to establish an FTP server- one with VSFTPD & one with sFTP having at least 300 users in both. My question is what minimum hardware configuration should I go for both to have excellent performance.
I'm trying to find a software which could map sftp/scp services to a windows drive letter. I know there are quite a bunch of those available, but i haven't found a single one which could run with SYSTEM or Netservice privileges or have decent command line options so i could elevate the program myself. The mapped drive should be available for other services running on the same server.
Most of the programs (sftp netdrive, expandrive, etc) have only option to startautomatically only when someone logs in. Because of that they are useless to me.Their inability to handle non-interactive starts is a bummer too. FTP->SFTP wrappers don't count as solution despite of integrated windows support for ftp drives. The way they are handled in windows makes ftp mapping unusable without some external ftp drive mapper software.
I'm trying to make it so that when a user logs in they are forced to stay within a certain directory structure. For some reason what I am doing is not working properly.Here are the relevant file informations:sshd_config:
This is my first thread ever to make on the linux forum, and I just began using linux Ubuntu Lucid for my server. Please bare with me because I think I am questioning such a basic question. How do you give sftp root privilege to user? I've made group "admin" and made 2 users under that group. Trying to upload a file onto a server using SFTP with one of the user and it fails and says "Permission denied."
I gave full sudo/root permission to the group "admin" from /usr/sbin/visudo I mainly use Tranmit4 but I also have filezilla. Or is there a way to run sudo command on either ftp client application?
I am using Mandriva 8 as my local server, i want to configure sftp sever by which particular user can access particular directory of our local server by using ftp client, can anyone tell me how can i do it?
On my Ubuntu 8.04.4 LTS webserver I desperately want to disable the Root account. But at the moment I am unable because I prefer to use Nautilus/Dolphin on my home laptop for SFTP. The graphical interface also helps when comparing multiple config files at once, something that being limited to NANO or PICO would make extremely painful. The problem is that if I don't use ROOT I can't perform any SSH or SFTP actions with a graphical interface, because I can't use SUDO without the terminal. Does anyone else leave root enabled? I have a non-standard port, disabled password authentication in favor of ssh keys, and I have a tarpit configured
allow sftp access to my Ubuntu system (happens to be desktop as it's also my main system) using accounts that are not able to login normally. (I have already managed to create such accounts.) These accounts need to be chrooted (also already accomplished with the openssh daemon settings.) Where I run into problems is that I want to give them (read only) access to files outside the chroot (on another partition in fact) and the matter if made more difficult because the directories to be shared are on NTFS-3G partitions (as they are a shared linux / windows storage drive). Is this possible and if so, what do I need to do?
Edit - Forgot to include versions Ubuntu 10.10 openssh 1.5.5p1-4ubuntu4 (the one that comes with 10.10)
I'm running an SFPT server which my clients logon to using an FTP client. at the moment each client has a user name and password.
Thus far to improve security I've disabled root login but an looking for futrhrt ways to protect it from attack, having researched using google some of the security features suggested prevent the FPT clients from connecting.
Questions: 1- what further things can i do to secure my server that still allows it to be usable for FTP clients? 2- specifically is it possible to use non login pre-share key authentication?
I tried changing the sftpserver port but its not working, besides how can i restrict users from particular ips.Eg: users a can ssh from 192.168.*.*user b can sftp from 200.*.*
If one uses a free ftp account to store private data such as bookmarks, they might prevent any eavesdropping by using ssh for the transfer (ftps), or alternatively sftp.
However, they would still have to trust the ftp hosting provider, because the data is stored unencrypted in the server.
Someone suggested putting all bookmarks in a small truecrypt volume instead and synchronizing this with the ftp server.
Performance issues aside, given that the plaintext only changes a little in each resync (only a bookmark is added usually), is the use of the truecrypt volume introducing a means for an eavesdropper to break the code?
