Setting up a user with only scp and sftp access

In the olden days one had to use packages such as scponly and rssh in order to restrict a user account to just being able to use scp and sftp.  Now that functionality is built into OpenSSH.  A client wanted me to set up such an account for one user on a system.  I modified sshd_config like this:

Match user username
  ChrootDirectory /home/%u
  ForceCommand internal-sftp
  X11Forwarding no
  AllowTcpForwarding no

Note that this only works in Ubuntu 8.10 and later and Debian 5.0 and later.  Also, be aware that the home directory has to be owned by root and not writable by the user, for security reasons.  So a directory inside the home directory will need to be created for the user to upload any files.
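The ownership rule above can be checked before sshd rejects a login. The script below is an added example, not part of the original post. It goes beyond the home directory itself, because sshd requires every component of the ChrootDirectory path to be root-owned and not writable by group or others. The function names and the optional UID and TOP arguments are hypothetical, and "alice" is a constructed user name.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# check_component DIR UID: pass if DIR is a directory owned by UID and
# not writable by group or others.
check_component() {
    dir=$1 want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    info=$(ls -ldn "$dir" | awk '{print $1 " " $3}')
    mode=${info% *} uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $dir: writable by group or others ($mode)"; return 1 ;;
    esac
    echo "ok   $dir ($mode, uid $uid)"
}

# check_chroot_path DIR [UID] [TOP]: apply check_component to DIR and each
# parent directory up to TOP (default /). UID defaults to 0 (root).
# TOP only exists so the walk can be tried in a scratch directory.
check_chroot_path() {
    path=$1 owner=${2:-0} top=${3:-/} rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: need an absolute path"; return 2 ;;
    esac
    while :; do
        check_component "$path" "$owner" || rc=1
        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then break; fi
        path=$(dirname "$path")
    done
    return "$rc"
}

# Audit the jail of a constructed user "alice" (ChrootDirectory /home/%u):
#   check_chroot_path /home/alice
```

A non-zero exit status means at least one path component would make sshd refuse the chroot; the FAIL lines name the directories to fix.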
