June 11, 2004

“SFTP only” accounts

[Updated: see http://www.codefu.org/weblogs/darkness/archives/000165.html#000165 for an update on this entry.]

Here’s my recipe for SFTP only accounts. I haven’t actually tested this.

Make the user. Generate a key pair for them. Copy their public key to authorized_keys and slap something like

command="/usr/libexec/openssh/chroot-sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

onto the beginning of the key line. The forced command is what keeps them out of a shell; the other options keep them from tunnelling anything else through the connection.

chown their home directory and everything in it to root (or some other user they don't have access to). This is necessary so they can't write to things like .ssh/authorized_keys, .bashrc, etc. and undo the forced command. Make sure that the home directory and all important files (including .ssh/authorized_keys) are readable by the user and not just by root, since sshd opens authorized_keys as the user. Root ownership passes sshd's StrictModes check (it accepts either the user or root as owner), but group- or world-writable directories do not. If the account is actually supposed to upload anything, leave it one subdirectory that it owns.

Set the user's shell to /usr/libexec/openssh/chroot-sftp-server. (I don't recommend adding this to /etc/shells as I don't think it's necessary.) One caveat: sshd runs a forced command through the login shell as "shell -c command", so this only works if chroot-sftp-server ignores its arguments; a plain /bin/sh as the shell is otherwise fine, because the command= option still decides what gets run.

But wait, you don't have this file, do you? Check out http://chrootssh.sourceforge.net/ or maybe http://mail.incredimail.com/howto/openssh/addons/. Just build a separate SFTP server. I suspect you'll also need to modify something in sshd_config to make everyone use this new SFTP server, but maybe not; setting command=... in the key might be enough to do it, since a forced command replaces whatever subsystem the client asked for. Using the patch from the second link above I believe you could set the user's home directory to /some/path/./theroot and they'd get chrooted into /some/path/theroot. (This is similar to the method wu-ftpd uses, IIRC.) Because the chroot happens inside the SFTP server rather than in sshd, nothing else needs to be copied into the jail.

Now distribute the SSH private key to everyone that needs access to the account. No password necessary, and I'd probably avoid setting one. Also, I note the second patch above uses the HOME environment variable, which is probably a mistake. It would be trivial to use getpwuid to get the home directory instead of trusting the environment.
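The layout above as an added example, not code from the original post or from either chroot patch: a POSIX sh script that builds the root-owned home directory for one account, writes the restricted authorized_keys line, and then checks the invariants the recipe relies on (every key line forced and restricted, nothing the user must not edit writable by group or other, authorized_keys readable by the user). The paths /usr/libexec/openssh/chroot-sftp-server and /srv/sftp, the user-owned incoming/ upload directory, and the sample key are assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the chroot patches).
# Assumed: patched server at /usr/libexec/openssh/chroot-sftp-server,
# chroot roots under /srv/sftp, uploads in a user-owned incoming/ directory.

SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/chroot-sftp-server}
SFTP_BASE=${SFTP_BASE:-/srv/sftp}
SFTP_OPTS='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'

# Home directory as it should appear in /etc/passwd: the "/./" marker tells the
# patched sftp-server to chroot to everything before it (wu-ftpd style).
sftp_passwd_home() {
    printf '%s/./%s\n' "$1" "$2"
}

# Turn one OpenSSH public key (read from stdin) into a restricted key line.
sftp_authorized_line() {
    read -r keytype keyblob comment || [ -n "$keytype" ] || return 1
    case "$keytype" in
        ssh-*|ecdsa-*) ;;
        *) echo "not an OpenSSH public key: $keytype" >&2; return 1 ;;
    esac
    [ -n "$keyblob" ] || return 1
    printf 'command="%s",%s %s %s%s\n' \
        "$SFTP_SERVER" "$SFTP_OPTS" "$keytype" "$keyblob" "${comment:+ $comment}"
}

# Create <base>/<user> as the chroot root.  Everything is root-owned so the
# account cannot touch authorized_keys or dotfiles; only incoming/ is theirs.
# Ownership changes are skipped when not running as root, so the layout can
# still be built and inspected in a scratch directory.
make_sftp_home() {
    base=$1
    user=$2
    pubkey=$3
    root="$base/$user"
    mkdir -p "$root/.ssh" "$root/incoming" || return 1
    sftp_authorized_line < "$pubkey" > "$root/.ssh/authorized_keys" || return 1
    chmod 755 "$root" "$root/.ssh" "$root/incoming"
    chmod 644 "$root/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$root"
        if id "$user" >/dev/null 2>&1; then
            chown "$user" "$root/incoming"
        fi
    fi
    return 0
}

# Nine permission characters of a path via ls, which prints them the same way
# on GNU and BSD userlands (stat's flags differ between the two).
_mode_chars() {
    ls -ld "$1" | cut -c2-10
}

# Check a built home: every key line forced and restricted, home/.ssh/
# authorized_keys not group- or world-writable (sshd's StrictModes refuses
# those too), and authorized_keys readable by others, because sshd opens it
# as the user, who is not the root owner.
check_sftp_home() {
    root=$1
    ak="$root/.ssh/authorized_keys"
    [ -f "$ak" ] || { echo "missing $ak" >&2; return 1; }
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;
            "command=\"$SFTP_SERVER\",$SFTP_OPTS "*) ;;
            *) echo "unrestricted key line: $line" >&2; return 1 ;;
        esac
    done < "$ak"
    for f in "$root" "$root/.ssh" "$ak"; do
        case "$(_mode_chars "$f" | cut -c5,8)" in   # group and other write bits
            *w*) echo "$f is group- or world-writable" >&2; return 1 ;;
        esac
    done
    case "$(_mode_chars "$ak" | cut -c7)" in          # other read bit
        r) ;;
        *) echo "$ak is not readable by the user" >&2; return 1 ;;
    esac
    return 0
}
```

As root, `make_sftp_home /srv/sftp alice alice.pub` builds the tree, `useradd -d "$(sftp_passwd_home /srv/sftp alice)" -s /usr/libexec/openssh/chroot-sftp-server alice` (without -m, since the directory already exists) creates the account, and `check_sftp_home /srv/sftp/alice` should be re-run after any later hand edit to the directory.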

A few more links I had open: