I created an SFTP-only user on Linux.

Specification

- The user can only operate under the document root.
- The document root is /var/www/html.
- Login uses password authentication.
- Shell login over SSH is not available.

Create the user

useradd sftp-user
passwd sftp-user
# Home directory "/": inside the chroot this is the chroot root, so the session starts there
usermod -d / sftp-user
# Primary group apache, so files the user creates are shared with the web server
usermod -g apache sftp-user
chown sftp-user:apache /home/sftp-user

Point: set the owning group to apache and give the directory permission 775, so that apache does not hit permission errors on the files this user creates.

SFTP settings

vim /etc/ssh/sshd_config

Changes

# Commented out (the Match block below sets password authentication for sftp-user)
#PasswordAuthentication no
# Commented out: the external sftp-server binary cannot be used with ChrootDirectory
#Subsystem sftp  /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Match blocks apply until the next Match and must come at the end of the file
Match User sftp-user
    ChrootDirectory /var/www/sftp
    ForceCommand internal-sftp -u 0002
    PasswordAuthentication yes

Parameter               Description
Match                   Limits the settings that follow to the specified user or group
ChrootDirectory         Directory to chroot into
ForceCommand            Command that is run instead of the user's shell
PasswordAuthentication  Whether password authentication is allowed

Note: ForceCommand internal-sftp -u 0002 sets the umask for files sftp-user uploads so that the group gets write access. Without it new directories are created as 755; with it they are 775. (Granting write permission to the group is what lets apache write to them.)

Restart sshd after editing the file.

systemctl restart sshd

Directory creation

Directory structure

The first thing to keep in mind is the permission requirement on the directory you specify for chroot:

root: it must be owned by root and have permission 755.

Because of this restriction, the directory structure is as follows.

var
└ www
  ├ html       (document root)
  └ sftp       (directory specified as chroot)
    └ sftp-user  (directory for delegating permissions; the document root is mounted here)

Change the document root permissions

chown sftp-user:apache /var/www/html/
chmod 775 /var/www/html/

Create the directory to chroot into (must be root-owned and 755)

mkdir /var/www/sftp
chown root:root /var/www/sftp/
chmod 755 /var/www/sftp/

Create the directory for delegating permissions (under the chroot directory, not under the document root)

mkdir /var/www/sftp/sftp-user
chown sftp-user:apache /var/www/sftp/sftp-user
chmod 775 /var/www/sftp/sftp-user

If you do not create a directory for delegating permissions and instead place the document root directly at the chroot directory, only the root user can write to it, because the chroot directory itself must stay root-owned and 755.

Mount the document root

mount -B /var/www/html /var/www/sftp/sftp-user

Option  Description
-B      Bind mount: makes a directory available at a second path

The same files and directories as the document root now appear under /var/www/sftp/sftp-user/. Since both paths are the same directory, files uploaded to one also appear in the other.

Server reboot measures

The bind mount is lost when the server restarts, so make it persistent.

vim /etc/fstab

Add the following line:

/var/www/html /var/www/sftp/sftp-user          none    bind            0 0

A detailed article on fstab is linked here.
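To confirm the whole setup end to end, here is an added check script; it is not part of the original article. It assumes GNU coreutils (stat, find) and the paths used above, and it extends the article's "root and 755" requirement to every component of the chroot path, which sshd checks as well.

```shell
#!/bin/sh
# Added example, not from the original article: checks for the layout described above.
# sshd refuses a ChrootDirectory unless it and every parent component are owned by
# root and not writable by group/other; the bind mount must also survive a reboot.

# 0 if $1 has neither the group nor the other write bit set.
dir_not_writable_by_others() {
    perm=$(stat -c '%A' "$1") || return 1        # e.g. drwxr-xr-x
    case "$perm" in
        ?????w*|????????w*) return 1 ;;          # 6th char: group w, 9th: other w
    esac
    return 0
}

# 0 if $1 is owned by uid $2 (sshd requires uid 0 for every chroot path component).
dir_owned_by() {
    [ "$(stat -c '%u' "$1")" = "$2" ]
}

# 0 if $1 and $2 are the same directory (same device and inode), as with a bind mount.
same_directory() {
    [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}

# 0 if fstab file $1 contains a bind entry mounting $2 on $3.
fstab_has_bind() {
    awk -v s="$2" -v d="$3" '
        $1 == s && $2 == d && $4 ~ /(^|,)bind(,|$)/ { found = 1 }
        END { exit !found }' "$1"
}

# Print regular files under $1 lacking group write (uploads made without -u 0002).
files_missing_group_write() {
    find "$1" -type f ! -perm -g=w
}

# Run every check against the paths used in the article (sshd -T needs root).
main() {
    rc=0
    for d in / /var /var/www /var/www/sftp; do
        dir_owned_by "$d" 0 && dir_not_writable_by_others "$d" || { echo "chroot path component not root-owned/755: $d"; rc=1; }
    done
    same_directory /var/www/html /var/www/sftp/sftp-user || { echo "bind mount not active"; rc=1; }
    fstab_has_bind /etc/fstab /var/www/html /var/www/sftp/sftp-user || { echo "no fstab bind entry"; rc=1; }
    files_missing_group_write /var/www/html
    sshd -T -C user=sftp-user | grep -Ei '^(chrootdirectory|forcecommand|passwordauthentication) '
    return $rc
}

if [ "${1-}" = "check" ]; then main; fi
```

Run it as `sh check.sh check` on the server; the last line prints the settings sshd actually applies to sftp-user so you can see that the Match block took effect.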

That's all. Create an SFTP-only user when you want to let someone transfer files without giving them a shell on the server.
