Again, for basic SFTP uploads and downloads, nothing in the default OpenSSH installation needs to be changed. It's already there, ready to be used.
Removing shell access while still allowing SFTP access is as simple as three steps, if the OpenSSH server is already installed.
1. Create a user group, e.g. sftponly
2. Add users to that group
3. Add a corresponding Match directive to sshd's configuration in /etc/ssh/sshd_config:

Subsystem sftp internal-sftp
Match Group sftponly
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Making a chroot jail of the SFTP users' home directories is just as easy to set up in OpenSSH.
1. Create a user group, e.g. sftponly
2. Add users to that group
3. Add a corresponding Match directive to sshd's configuration in /etc/ssh/sshd_config:

Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
It's that easy.
The name "FTP" is often misused to mean any file transfer done with a special client. However, FTP is a specific protocol.
Plain FTP is insecure. The entire session, from the username and password at the beginning to the data transfer at the end, is done without encryption. All accounts that use it can be considered compromised. It is the protocol itself that is insecure. FTP also requires adding and configuring special server software, whereas most servers already have SSH, and thus SFTP, up and running.
FTP tunneled over SSL/TLS is FTPS. In contrast, SFTP is a separate protocol, designed from the ground up for secure file transfer over SSH. FTPS requires even more setup than FTP, whereas SFTP runs out of the box wherever there is an OpenSSH server.
Without extra effort, SFTP is already available wherever an OpenSSH server is running. With minimal changes, shell access can be turned off for SFTP users and even chrooted.