linux:nologin-scp-only [2017/11/06 14:30] (current) by michael; previous revision [2017/08/28 15:37] ↷ Page moved from knowhow:nologin-scp-only by michael
====== User can only scp files with no shell access ======

''A local user should only be able to log in to the server via SCP, restricted to a directory set up for them, and copy, delete and manage their files there. <wrap em>(They must not be able to connect to a shell!)</wrap>''

<WRAP center box 100%>
===== Configuration =====
  - ''Create a new user (sftptest) and make their shell /sbin/nologin:'' <code># useradd -s /sbin/nologin sftptest</code>
  - ''Add a new group (sftponly) and add the user to that group:'' <code># groupadd sftponly
# usermod -g sftponly sftptest</code>
  - ''Change the permissions of the user's home directory to be as follows:'' <code># chown root:root /home/sftptest
# chmod 755 /home/sftptest</code>
  - ''Make a directory for the user (sftptest) to be able to scp to (a destination directory):'' <code># mkdir /home/sftptest/incoming
# chown sftptest:sftptest /home/sftptest/incoming</code>
  - ''Set the password for the sftptest user:'' <code># passwd sftptest</code>
  - ''Add the following to /etc/ssh/sshd_config:'' <code># vim /etc/ssh/sshd_config</code> <sxh bash; first-line: 1>Match group sftponly
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp</sxh> **NOTE**: The sshd stanza can be adjusted in three basic modes:
  * Using the **''%h''** directive to lock each user into their own home directory (see the example above)
  * Or using a single hardcoded directory name -> ''ChrootDirectory /home/user/''
  * Keep in mind: there is no need to create a group if just one user should have access. In this case replace "Match group sftponly" with "Match user sftptest"
</WRAP>

<wrap em>After all changes, restart sshd!</wrap>

<code>
systemctl restart sshd
</code>
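The reason step 3 hands the home directory to root:root with mode 755 is that sshd refuses a chrooted login ("bad ownership or modes for chroot directory") unless the ChrootDirectory and every ancestor up to / is root-owned and not group/world-writable. The following helper, added here and not part of the wiki page, walks that path and reports the first component that breaks the rule; the OWNER_UID and PREFIX parameters are assumptions of this example (they let the same check run against a copied tree), and it assumes GNU stat as found on Linux.

```sh
#!/bin/sh
# Added example (not from the wiki page): verify that a ChrootDirectory
# satisfies sshd's requirements. sshd rejects the login unless the chroot
# directory and every ancestor up to / is owned by root and not writable
# by group or others, which is why /home/sftptest is root:root 755 while
# only the incoming/ subdirectory belongs to the user.
#
# check_chroot_path CHROOT_DIR [OWNER_UID] [PREFIX]
#   OWNER_UID  expected owner of every component (default 0 = root)
#   PREFIX     assumed optional root prefix so the check can run against a
#              copied tree (mounted image, test fixture); default: live /
# Exit status 0 if every component passes, 1 otherwise (offender on stderr).
# Assumes GNU stat (-c), as found on Linux.
check_chroot_path() {
    path=$1
    owner_uid=${2:-0}
    prefix=${3:-}
    while :; do
        full="$prefix$path"
        if [ ! -d "$full" ]; then
            echo "missing directory: $full" >&2
            return 1
        fi
        uid=$(stat -c %u "$full")
        mode=$(stat -c %a "$full")
        if [ "$uid" != "$owner_uid" ]; then
            echo "bad owner uid $uid (want $owner_uid): $full" >&2
            return 1
        fi
        # 022 (octal) masks the group-write and other-write bits; any hit
        # means an unprivileged user could tamper with the chroot tree
        # itself, so sshd refuses to use it
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "bad mode $mode (group/other writable): $full" >&2
            return 1
        fi
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

# Usage on the live system after the steps above:
#   check_chroot_path /home/sftptest && echo "chroot path OK"
if [ -n "${1:-}" ]; then
    check_chroot_path "$1" && echo "chroot path OK: $1"
fi
```

Run it after step 3 and again after any later change to /home; a failure here is also the first thing to look for when the sftp client is disconnected right after authentication.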
  • linux/nologin-scp-only.1503927455.txt.gz
  • Last modified: 2017/08/28 15:37
  • by michael