I’d like to give temporary SFTP access to a support guy. How do I create an SFTP user? And how can I delete it once the job is done?
Also, how do I specify a home directory for them? Can I prevent them from accessing certain subdirectories within their home directory?
We use CentOS 6.3 and fzSftp
Answers:
Method 1
Non-chroot access
If you don’t have a FTP server setup, and you trust the user that will be logging in, not to go poking around your server too much, I’d be inclined to give them an account to SFTP into the system instead.
The CentOS wiki maintains a simple howto titled: Simple SFTP setup that makes this pretty pain free.
I say it’s pain free because you literally just have to make the account, make sure that the firewall allows SSH traffic, make sure the SSH service is running, and you’re pretty much done.
If sshd isn’t already running:
$ /etc/init.d/sshd start
To add a user:
$ sudo useradd userX
$ sudo passwd userX
... set the password ...
When you’re done with the account:
$ sudo userdel -r userX
Chroot access
If on the other hand you want to limit this user to a designated directory, the SFTP server included with SSH (openssh) provides a configuration that makes this easy to enable too. It’s a bit more work but not too much. The steps are covered here in this tutorial titled: How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH).
Make these changes to your /etc/ssh/sshd_config file.
Subsystem sftp internal-sftp

## You want to put only certain users (i.e. users who belong to the sftpusers group)
## in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
Now you’ll need to make the chrooted directory tree where this user will get locked into.
$ sudo mkdir -p /sftp/userX/{incoming,outgoing}
$ sudo chown userX:sftpusers /sftp/userX/{incoming,outgoing}
Permissions should look like the following:
$ ls -ld /sftp/userX/{incoming,outgoing}
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/incoming
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/outgoing
The top-level directories should look like this:
$ ls -ld /sftp /sftp/userX
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/userX
Don’t forget to restart the sshd server:
$ sudo service sshd restart
Now create the userX account:
$ sudo groupadd sftpusers    # the group must exist before useradd -g can refer to it
$ sudo useradd -g sftpusers -d /incoming -s /sbin/nologin userX
$ sudo passwd userX
... set password ...
You can check that the account was created correctly:
$ grep userX /etc/passwd
userX:x:500:500::/incoming:/sbin/nologin
When you’re done with the account, delete it in the same way above:
$ sudo userdel -r userX
…and don’t forget to remove the configuration file changes we made above, then restart sshd to make them active once more.
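The chroot procedure from the answer above, collected into one script as an added example (this is not code from the answer or from the linked tutorial). It does the steps in the order that actually works on the box: the group and account are created before the jail directories are chowned to them, the stock "Subsystem sftp" line is commented out before the internal-sftp one is appended (sshd rejects a duplicate Subsystem), and the config is syntax-checked with sshd -t before the restart so a typo cannot lock you out. It also checks the rule sshd silently enforces and the answer only shows in the ls output: the ChrootDirectory and every parent up to / must be root-owned and not group- or world-writable. The group name sftpusers, the jail root /sftp, the AllowTcpForwarding/X11Forwarding lines and the command names (config, apply, check, add, del) are this example's own choices, not part of the original.

```shell
#!/bin/sh
# Added example (not from the original answer): the chroot-SFTP procedure
# as one script, in the order that works. Assumed names: group "sftpusers",
# jail root "/sftp", and the user name given on the command line.
set -eu

SFTP_ROOT=/sftp
SFTP_GROUP=sftpusers
SSHD_CONFIG=/etc/ssh/sshd_config

# sshd_config fragment. %u expands to the login name, so each user sees
# /sftp/<user> as the root of the filesystem. The two forwarding lines are
# an addition beyond the answer: without them an sftp-only user can still
# open TCP tunnels through the server.
sftp_config_block() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
EOF
}

# sshd refuses a ChrootDirectory unless it and every parent are owned by
# root and not writable by group or others. Pure check on (uid, octal mode)
# that sftp_chroot_path_ok applies to each path component.
sftp_mode_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]          # no group/other write bits
}

# Walk from the jail directory up to / and apply sftp_mode_ok at each step.
sftp_chroot_path_ok() {
    dir=$1
    while :; do
        sftp_mode_ok "$(stat -c %u "$dir")" "$(stat -c %a "$dir")" || {
            echo "bad owner/mode on $dir (must be root-owned, not group/world writable)" >&2
            return 1
        }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Comment out the stock "Subsystem sftp ..." line (sshd rejects a duplicate
# Subsystem), append our block once, syntax-check, then restart.
sftp_apply_config() {
    grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG" && return 0
    sed -i '/^Subsystem[[:space:]]*sftp/ s/^/#/' "$SSHD_CONFIG"
    sftp_config_block >> "$SSHD_CONFIG"
    sshd -t                                # fail here, not after the restart
    service sshd restart
}

# Group and account first (chown needs the user to exist), then the jail.
sftp_user_add() {
    user=$1
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    useradd -g "$SFTP_GROUP" -d /incoming -s /sbin/nologin "$user"
    mkdir -p "$SFTP_ROOT/$user/incoming" "$SFTP_ROOT/$user/outgoing"
    chown root:root "$SFTP_ROOT" "$SFTP_ROOT/$user"
    chmod 755 "$SFTP_ROOT" "$SFTP_ROOT/$user"
    chown "$user:$SFTP_GROUP" "$SFTP_ROOT/$user/incoming" "$SFTP_ROOT/$user/outgoing"
    sftp_chroot_path_ok "$SFTP_ROOT/$user"
    passwd "$user"
}

# The home directory /incoming only exists inside the jail, so userdel -r
# has nothing to remove on the real filesystem; delete the jail explicitly.
sftp_user_del() {
    user=$1
    userdel "$user"
    rm -rf "$SFTP_ROOT/$user"
}

case "${1:-}" in
    config) sftp_config_block ;;
    apply)  sftp_apply_config ;;
    check)  sftp_chroot_path_ok "$2" && echo "ok: $2" ;;
    add)    sftp_user_add "$2" ;;
    del)    sftp_user_del "$2" ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 {config|apply|check DIR|add USER|del USER}" >&2; exit 2 ;;
esac
```

Run it as root: `./sftpjail.sh apply` once, then `./sftpjail.sh add userX` and `./sftpjail.sh del userX` per support engagement; `./sftpjail.sh check /sftp/userX` is the thing to run when sshd logs "bad ownership or modes for chroot directory". The file name sftpjail.sh is arbitrary. Removing the Match block when you are finished is still a manual edit, as the answer says.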
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.