SFTP User creation in Redhat Linux/UNIX

SFTP user creation steps
  
  Create a group
  # groupadd  sftp_users
  
  If the user doesn't exist on the system, use the commands below (the nologin shell blocks interactive SSH logins while still allowing SFTP):
# useradd  -G sftp_users  -s /sbin/nologin  username
# passwd username


  For already existing users, use the usermod command below (-a appends the group instead of replacing the user's existing supplementary groups):
# usermod -aG sftp_users  -s /sbin/nologin  username

  # vi /etc/ssh/sshd_config

# comment out the line below and add the internal-sftp line in its place (the in-process server needs no binaries inside the chroot)
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

  # add the lines below at the end of the file. Note: sshd only accepts ChrootDirectory %h if the home directory and every parent directory are owned by root and not writable by group or others, so keep the home root-owned and give the user a writable subdirectory.
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
  
  
  Restart the ssh service (on systemd-based releases use systemctl restart sshd). A broken sshd_config can lock out every SSH login, so keep an existing session open until a test SFTP login succeeds.
# service sshd restart

For Solaris 10

In your sshd_config file, make the changes below:
vi /etc/ssh/sshd_config
  
Match User user
ChrootDirectory /home/user
ForceCommand internal-sftp
AllowTcpForwarding no
  Save and quit (Esc, :wq)

Then run:
chsh -s /bin/false user
chown root:root /home/user
mkdir /home/user/uploads
chown user /home/user/uploads

Restart ssh

svcadm disable /network/ssh:default
svcadm enable /network/ssh:default

The user will only be able to write in /home/user/uploads.

1) Download and install OpenSSH for Solaris 10/SPARC and all dependencies (please read the 404 Not Found note):

 - openssh-5.6p1-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssh-5.6p1-sol10-sparc-local.gz
 - openssl-1.0.0a-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssl-1.0.0a-sol10-sparc-local.gz
 - zlib-1.2.5-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/zlib-1.2.5-sol10-sparc-local.gz
 - libgcc-3.4.6-sol10-sparc-local.gz: ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/libgcc-3.4.6-sol10-sparc-local.gz

2) Configure the /usr/local/etc/sshd_config file with the "ChrootDirectory" directive. For me:
[...]

# override default of no subsystems
#Subsystem sftp /usr/local/libexec/sftp-server
Subsystem sftp internal-sftp

[...]

# Example of overriding settings on a per-user basis
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

3) Create group and user for sftp-only account. For me:

root@taurus # groupadd sftponly
root@taurus # grep sftponly /etc/group
sftponly::202:
root@taurus # useradd -g sftponly -c "Sftp only user" -d /export/home/explorer -s /bin/false -m explorer
explorer:x:1002:202:Sftp only user:/export/home/explorer:/bin/false
root@taurus # passwd explorer
New Password:
Re-enter new Password:
passwd: password successfully changed for explorer
root@taurus #

4) Change the home directory permissions and create a r/w directory (uploads) for the sftponly user account.

root@taurus # cd /export/home
root@taurus # ls -la
total 14
drwxr-xr-x 4 root root 4 Oct 29 15:28 .
drwxr-xr-x 3 root sys 3 Jan 22 2009 ..
drwxr-xr-x 3 explorer sftponly 3 Oct 29 15:41 explorer
root@taurus # chown root:sftponly explorer; chmod 750 explorer
root@taurus # ls -la
total 14
drwxr-xr-x 4 root root 4 Oct 29 15:28 .
drwxr-xr-x 3 root sys 3 Jan 22 2009 ..
drwxr-x--- 3 root sftponly 3 Oct 29 15:41 explorer
root@taurus #

This will make a read-only, chrooted directory, perfect for people to come in and get stuff but never write.
For example, you could make a directory explorer/uploads that allows people to write into it. Then you can moderate what gets copied into the read-only /explorer area. Remember that if a user can write in a directory, then they can also delete anything in that directory.

root@taurus # cd explorer
root@taurus # mkdir uploads && chown -R explorer:sftponly uploads && chmod 0755 uploads
root@taurus # ls -al
total 9
drwxr-x--- 3 root sftponly 3 Oct 29 15:41 .
drwxr-xr-x 4 root root 4 Oct 29 15:28 ..
drwxr-xr-x 2 explorer sftponly 2 Oct 29 15:56 uploads
root@taurus #

5) Disable SunSSH "service" and enable OpenSSH "service" (with SMF):

root@taurus # svcadm disable ssh

See http://www.sunfreeware.com/sshsol10.html for running OpenSSH via SMF on Solaris 10 systems.

root@taurus # svcadm enable ossh
root@taurus # svcs -a | grep ssh
disabled 12:37:51 svc:/network/ssh:default
online 15:29:41 svc:/network/ossh:default
root@taurus #

6) Test your job.

Helpful links:

http://www.sunfreeware.com

http://calomel.org/sftp_chroot.html

(Courtesy: OTN)