
Using Tectia Server 6.2, I would like to configure sftp so that a set of users would only be able to access a set of predetermined directories and nothing else.

How can I achieve this?

asked Sep 01 '11 at 16:58


Roman ♦♦


In SSH terms this is referred to as sftp chroot or sftp jail.

This can be achieved in Tectia Server by doing the following:

1 - First define a group of users that the sftp chroot will apply to.

In the example below I use the group selector to match all users that belong to the sftp-users group.

<group name="sftp-only">
  <selector>
    <user-group name="file-transfer-users" />
  </selector>
</group>

For clarification: file-transfer-users is a native operating system group and sftp-only is the name of a group that is defined here for the purpose of referring to it later within the config file.

2 - Define the services that are available for this group.

In this case allow only sftp and chroot to the following directory: /home/chrootdir

<rule group="sftp-only">
  <subsystem type="sftp" application="sft-server-g3" action="allow" chroot="/home/chrootdir">
    <attribute name="umask" value="0002" />
  </subsystem>
  <terminal action="deny" />
  <command action="deny" />
  <tunnel-local action="deny" />
  <tunnel-remote action="deny" />
</rule>

That's it.

Here is the complete config file (Note that this is not a valid config file as only the elements relevant to this example are shown):

<secsh-server>
  <params>
   ...
  </params>
  <connections>
   ...
  </connections>
  <authentication-methods>
   ...
  </authentication-methods>

  <services>
    <!-- These users should only get sftp access -->
    <group name="sftp-only">
      <selector>
        <user-group name="file-transfer-users" />
      </selector>
    </group>
    <rule group="sftp-only">
      <subsystem type="sftp" application="sft-server-g3" action="allow" chroot="/home/chrootdir">
         <attribute name="umask" value="0002" />
      </subsystem>
      <terminal action="deny" />
      <command action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>

    <!-- This rule applies for all users that don't match any group -->
    <rule idle-timeout="0">
      <subsystem type="sftp" application="sft-server-g3" action="allow">
        <attribute name="home" value="%USERPROFILE%" />
      </subsystem>
      <command action="allow" />
      <tunnel-agent action="allow" />
      <tunnel-x11 action="allow" />
      <tunnel-local action="allow" />
      <tunnel-remote action="allow" />
    </rule>

  </services>

</secsh-server>

answered Sep 01 '11 at 17:26


Roman ♦♦

edited Oct 05 '11 at 11:52

One edit: the selector does not take "group" in 6.2, but rather "user-group".

<group name="sftp-only">
  <selector>
    <user-group name="file-transfer-users" />
  </selector>
</group>
(Oct 05 '11 at 10:36) Samuel

Thanks, fixed it in the above answer now as well.

(Oct 05 '11 at 11:53) Roman ♦♦
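A check a defender can run against a config like the one above, as an added example that is not part of the original answer or of Tectia's own tooling: it parses the <services> section using only the element names the answer shows (group, selector, user-group, rule, subsystem, terminal, command, tunnel-local, tunnel-remote) and reports any chrooted sftp rule that does not explicitly deny the terminal, command and tunnel services, since a chroot on the sftp subsystem alone does not restrict what a user can reach through an allowed shell or port forward. The embedded sample config, the "partners" group and its paths are constructed for the example; how Tectia treats a service that a rule leaves unspecified is not asserted here, the script only flags it for review.

```python
"""Audit a Tectia-style ssh-server-config.xml <services> section for sftp chroot
rules that still leave a shell or tunnel path open.

Added example; it assumes only the element and attribute names used in the
answer above and makes no claim about Tectia's defaults for unspecified services."""

import xml.etree.ElementTree as ET

# Constructed sample in the shape of the answer's config. The "partners" group is
# a deliberately incomplete chroot rule so the audit has something to report.
SAMPLE_CONFIG = """<secsh-server>
  <services>
    <group name="sftp-only">
      <selector>
        <user-group name="file-transfer-users" />
      </selector>
    </group>
    <rule group="sftp-only">
      <subsystem type="sftp" application="sft-server-g3" action="allow" chroot="/home/chrootdir">
        <attribute name="umask" value="0002" />
      </subsystem>
      <terminal action="deny" />
      <command action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>
    <group name="partners">
      <selector>
        <user-group name="partner-users" />
      </selector>
    </group>
    <rule group="partners">
      <subsystem type="sftp" application="sft-server-g3" action="allow" chroot="/srv/partners" />
      <command action="deny" />
    </rule>
    <rule idle-timeout="0">
      <subsystem type="sftp" application="sft-server-g3" action="allow" />
      <command action="allow" />
    </rule>
  </services>
</secsh-server>"""

# Services that give a user a way around an sftp-only chroot unless explicitly denied.
ESCAPE_SERVICES = ("terminal", "command", "tunnel-local", "tunnel-remote")


def audit_chroot_rules(config_xml):
    """Return (group, finding) tuples for every chrooted sftp rule that leaves
    an escape service allowed or unspecified. Rules without a group attribute
    are reported under the constructed label "<default>"."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iter("rule"):
        group = rule.get("group", "<default>")
        sftp = rule.find("subsystem[@type='sftp']")
        # Only rules that actually allow a chrooted sftp subsystem are in scope.
        if sftp is None or sftp.get("action") != "allow" or not sftp.get("chroot"):
            continue
        for svc in ESCAPE_SERVICES:
            elem = rule.find(svc)
            if elem is None:
                findings.append((group, f"{svc} not specified in this rule"))
            elif elem.get("action") != "deny":
                findings.append((group, f"{svc} action={elem.get('action')}"))
    return findings


def chrooted_os_groups(config_xml):
    """Map each selector group that has a chroot rule to (chroot path, OS groups
    it matches), so an admin can confirm the right accounts end up jailed."""
    root = ET.fromstring(config_xml)
    os_groups = {
        grp.get("name"): [ug.get("name") for ug in grp.iter("user-group")]
        for grp in root.iter("group")
    }
    result = {}
    for rule in root.iter("rule"):
        sftp = rule.find("subsystem[@type='sftp']")
        group = rule.get("group")
        if sftp is not None and sftp.get("chroot") and group in os_groups:
            result[group] = (sftp.get("chroot"), os_groups[group])
    return result


if __name__ == "__main__":
    for group, finding in audit_chroot_rules(SAMPLE_CONFIG):
        print(f"[!] rule group={group}: {finding}")
    for group, (path, members) in chrooted_os_groups(SAMPLE_CONFIG).items():
        print(f"group {group}: chroot {path} applies to OS groups {members}")
```

Run it against the real ssh-server-config.xml by reading the file into `audit_chroot_rules`; the rule for "sftp-only" produces no findings, while the constructed "partners" rule is reported three times because terminal, tunnel-local and tunnel-remote are never denied.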