sftp for users



jcr1
19-12-2011, 06:42 AM
I'm trying to give users access to their own files on my server, without them being able to change any other users' files.
I've come to a stop because I can't connect with FileZilla if the AllowGroups group and the Match Group group are the same. If Match Group names a different group from the group that contains the user I want to give access to, then it works. But that defeats the purpose, as I can't then go on to lock that user down so he can use only his own files.
If someone could enlighten me, that would be great.
Here is my sshd_config file:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
#allow x11 connection forwarding = no

X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

#Subsystem sftp /usr/lib/openssh/sftp-server
# Use the following line to *replace* any existing 'Subsystem' line


AllowGroups root john mysftpusers
#AllowUsers root john roommate1 jdoe

GatewayPorts no

KeepAlive yes

UsePAM yes
PermitTunnel no
Subsystem sftp internal-sftp


# These lines must appear at the *end* of sshd_config*
Match Group mysftpusers
AllowTcpForwarding no
ChrootDirectory %h*
ForceCommand internal-sftp

jcr1
20-12-2011, 08:10 AM
Fixed it. Kev (http://woodel.com/) got me a new sshd_config file and I started again.
Probably, as I chopped and changed, copied and pasted, I'd left unseen stuff behind which stopped it from working properly.
Kev recommends getting into the habit of using Notepad and then copying and pasting.
But it's fine now, and any users I chose can use space on my server without going near any of the important stuff.
I feel like I've achieved something here.