How to configure SFTP without ssh access

Sunday, 25 October 2009.

1. Update your server and install gcc

yum -y update
yum -y install gcc

2. Install and make zlib

cd /usr/src
mkdir -p /opt/zlib
mkdir zlib1.23
cd zlib1.23/
wget http://www.zlib.net/zlib123.zip
unzip zlib123.zip
cd zlib-1.2.3                      # directory created by unzip (check with ls if the archive layout differs)
./configure --prefix=/opt/zlib     # zlib's shipped Makefile refuses to build until configure has run
make
make install

3. Install and make openssl

cd /usr/src
mkdir -p /opt/openssl
mkdir ssl.9.8
cd ssl.9.8/
wget http://www.openssl.org/source/openssl-0.9.8g.tar.gz
tar xvzf openssl-0.9.8g.tar.gz
cd openssl-0.9.8g
./config --prefix=/opt/openssl --openssldir=/opt/openssl
make
make install


4. Install and make openssh

cd /usr/src
mkdir -p /opt/openssh
mkdir openssh
cd openssh/
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.0p1.tar.gz
tar xvzf openssh-5.0p1.tar.gz
cd openssh-5.0p1
./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/X11R6/bin/xauth --with-zlib=/opt/zlib
make
make install

5. Adjust the startup script to point at the new openssh location. Replace the following variables in /etc/init.d/sshd with the values below.

vi /etc/init.d/sshd
KEYGEN=/opt/openssh/bin/ssh-keygen
SSHD=/opt/openssh/sbin/sshd
RSA1_KEY=/opt/openssh/etc/ssh_host_key
RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key

6. Restart sshd and make sure the new build answers on port 22 (the banner must show the freshly built OpenSSH_5.0, not the distribution version)

/etc/init.d/sshd restart
telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-2.0-OpenSSH_5.0

7. Adjust the sshd configuration

vi /opt/openssh/etc/sshd_config

Replace the existing Subsystem sftp line with:

Subsystem sftp internal-sftp

internal-sftp runs the SFTP server inside the sshd process itself, so no sftp-server binary or libraries have to exist inside the chroot.

Add at the bottom the following lines:

Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no

Every member of the sftponly group is chrooted into their own home directory, forced into SFTP regardless of what command the client requests, and denied TCP forwarding.

8. Add new SFTP only group

/usr/sbin/groupadd sftponly

9. Create an SFTP-only user and set the correct ownerships on the directories. sshd refuses the login unless the chroot directory and every directory above it are owned by root and not writable by group or others, which is why /home/tuxoz is given to root with mode 755 and the user gets a writable subdirectory instead.

/usr/sbin/useradd tuxoz
/usr/sbin/usermod -g sftponly tuxoz              # primary group matches the "Match Group sftponly" block
/usr/sbin/usermod -s /bin/false tuxoz            # no interactive shell; internal-sftp does not need one
/usr/sbin/usermod -d /home/tuxoz tuxoz
passwd tuxoz
chown root:root /home/tuxoz                      # chroot directory must be root-owned ...
chmod 755 /home/tuxoz                            # ... and not group/world writable
mkdir /home/tuxoz/public_html
chown tuxoz:sftponly /home/tuxoz/public_html     # the only directory the user can write to

10. Restart ssh

/etc/init.d/sshd restart

Through sftp the user tuxoz lands in /home/tuxoz and public_html is the only directory it can write to; no ssh shell access is granted.
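This Python check is an addition to the post, not code from it: it parses an sshd_config fragment, reports deviations from the SFTP-only pattern in step 7, and applies the rule sshd enforces on ChrootDirectory (every path component root-owned and not group/world-writable), which is what step 9's chown and chmod satisfy. SAMPLE_CONFIG is constructed from this page; the parser assumes the space-separated "Keyword value" form used here.

```python
import os

# sshd_config fragment constructed from this page's recipe (assumed to be the whole relevant part).
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Split sshd_config into global options and (Match criteria, options) blocks; first value wins, as in sshd."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split keyword from value
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {}  # everything up to the next Match line belongs to this block
            matches.append((value, current))
        else:
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, matches

def audit_sftp_config(text, group="sftponly"):
    """Findings for the chrooted SFTP-only pattern; an empty list means the config matches it."""
    findings, (global_opts, matches) = [], parse_sshd_config(text)
    if global_opts.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        findings.append("Subsystem sftp must be internal-sftp: no sftp-server binary exists inside the chroot")
    blocks = [opts for crit, opts in matches if crit.lower() == f"group {group}"]
    if not blocks:
        findings.append(f"no 'Match Group {group}' block")
    required = {"chrootdirectory": None, "forcecommand": "internal-sftp", "allowtcpforwarding": "no"}
    for opts in blocks:
        for key, want in required.items():
            value = opts.get(key, "").lower()
            if not value or (want is not None and value != want):
                findings.append(f"Match block must set {key} {want or '<directory>'}")
    return findings

def check_chroot_path(path):
    """sshd refuses the login unless every component from / down is root-owned and not group/world-writable."""
    parts = os.path.abspath(path).rstrip(os.sep).split(os.sep)
    prefixes = [os.sep] + [os.sep.join(parts[: i + 1]) for i in range(1, len(parts))]
    return [p for p in prefixes if os.stat(p).st_uid != 0 or os.stat(p).st_mode & 0o022]
```

Run audit_sftp_config on the real /opt/openssh/etc/sshd_config and check_chroot_path on the user's home directory before restarting sshd; any non-empty result is exactly what would make the SFTP login fail or leave the user less restricted than intended.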
