For those of us who like to outsource work, there comes a time when your developer needs access to your server to upload files, but you don’t want them to have shell access to execute commands.
You probably also want to prevent them from seeing your other data on the server, so we need to stop them from going outside of their Home folder. This process is called “chroot jailing” them to a specific folder.
Here is how you set up an Ubuntu 16.04 server to do just that.
Pre-requisites:
- You already have an Ubuntu Server set up.
- You already have the OpenSSH server daemon installed (I’ll assume you have the default setup from the openssh-server package).
For the purposes of this article, the developer we’re giving access to will be called “webdev” and he will be uploading all his data to “/home/webdev/public_html” on your server (if you have Apache set up on your server with the “userdir” mod enabled, this will allow your web developer to test the code changes he makes to your site by adding “/~webdev” to the end of the server URL, e.g. http://mytestwebserver.company.com/~webdev).
OK, let’s do this:
- Login to your Ubuntu Server as an admin or sudo-enabled account.
- Now type in the following and hit Enter. This will bring up the SSH Daemon config file in a text editor:
$ sudo nano /etc/ssh/sshd_config
NOTE: Make sure you edit the sshd_config file, NOT the ssh_config file!
- Scroll to the bottom of the file where you should see the following line near the end:
Subsystem sftp /usr/lib/openssh/sftp-server
- Comment that line out by putting a hash symbol (#) in front of it:
#Subsystem sftp /usr/lib/openssh/sftp-server
- Now scroll down to the very last line in the file and add the following new lines to it:
Subsystem sftp internal-sftp
Match Group alldevs
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
- Save your changes by pressing CTRL+X, then Y and then Enter.
What we have just done is change how SFTP connections are handled. Simply put, any account that is part of a (yet to be created) group called “alldevs” will be chrooted to a predefined folder, in this case “/home/LOGINNAME”. They will not be able to navigate outside of that folder.
- Restart the SSH daemon to use our new config using the following command:
$ sudo service ssh restart
OR
$ sudo systemctl restart ssh
- So now that SSH is ready, let’s create the group that we specified in the SSH daemon’s configuration to govern SFTP access for members of that group:
$ sudo addgroup alldevs
- Now let’s create the developer’s access account as follows:
$ sudo useradd -m webdev
(The -m option also creates his Home folder; on Ubuntu, useradd does not create it by default)
- Now let’s modify that user so he cannot login via SSH:
$ sudo usermod webdev -s /usr/sbin/nologin
- And now let’s put the new account into the new “alldevs” group:
$ sudo usermod -G alldevs webdev
- Now let’s create the “public_html” folder in webdev’s Home folder where data will be copied and edited by the developer:
$ sudo mkdir /home/webdev/public_html
- The account needs to be restricted to the Home folder, so to prevent any changes to the Home folder root, we will secure it and only make the “public_html” folder writable by the user:
$ sudo chown -R root:root /home/webdev
$ sudo chown -R webdev:alldevs /home/webdev/public_html
- That’s basically it. We’re now ready to test. Let’s try to login via SSH as the new account from a different terminal. It should get denied:
$ ssh webdev@mytestwebserver.mycompany.com
webdev@mytestwebserver.mycompany.com's password:
This service allows sftp connections only.
Connection to mytestwebserver.mycompany.com closed.
$
- Excellent. SSH is not allowed. So let’s test SFTP access now:
$ sftp webdev@mytestwebserver.mycompany.com
webdev@mytestwebserver.mycompany.com's password:
Connected to mytestwebserver.mycompany.com.
sftp> pwd
Remote working directory: /
sftp> ls
public_html
sftp>
- And we are in. You will notice that the working directory is “root”. That is, the root of the chroot jail for that account (which is “/home/webdev” on the server’s filesystem, not actual “/” ) and that when I do a folder listing, I can only see the “public_html” folder we created. You will also find that you can only create, delete, edit and upload files into the “public_html” folder and not outside of it.
- Pat yourself on the back. Your account is now ready for your outsourced developer to start using.
If you have multiple developers doing work for you, you can create additional accounts such as “myotherdev” and “thatdev” etc, from Step 9 and have them all jailed to their own folders. As long as their shell access is set to “nologin” and they are part of the “alldevs” group, they will be kept locked down.
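sshd refuses the SFTP session if any component of the ChrootDirectory path is not a root-owned directory or is writable by group or others, which is why the Home folder is chowned to root in the steps above. The script below is an added example, not part of the original article, that applies the same check to a jail path and each of its parents; the function names and the optional owner-UID argument are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a ChrootDirectory path the way sshd does at login.
# Function names and the OWNER_UID argument are illustrative assumptions.

# check_component DIR [OWNER_UID]
# Succeeds only if DIR is a directory owned by OWNER_UID (default 0, root)
# with neither the group-write nor the other-write bit set.
# OWNER_UID exists so the check can be exercised without root.
check_component() {
    local dir=$1 want_uid=${2:-0} uid mode
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    uid=$(stat -L -c '%u' "$dir")
    mode=$(stat -L -c '%a' "$dir")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    # Octal 022 = group-write | other-write
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path PATH [OWNER_UID]
# Checks PATH and every parent directory up to and including /.
check_chroot_path() {
    local path=$1 want_uid=${2:-0} rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: must be an absolute path"; return 1 ;;
    esac
    while :; do
        check_component "$path" "$want_uid" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Run against a path given on the command line, e.g. /home/webdev
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Pass the jail path, for example /home/webdev, as the argument; any FAIL line identifies a directory that sshd would reject.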