Problems with SFTP

Well, I'm trying to provide SFTP access for another user, I'm following this guide http://library.linode.com/security/sftp-jails/

but something's just not working.

First of all I was getting this error:

"Directive 'UsePAM' is not allowed within a Match block" after trying to execute "/etc/init.d/ssh restart".

I found the solution with putting the Match block at the very end of the config file.

Second, this guide doesn't tell me that I need to create a user, or how, so I found that here http://library.linode.com/LikRHS

My problem now is this:

when I try to execute the last line of code:

chown username:username *

I get this error:

chown: invalid group: `username:username'

I need to make it so that a user I created can go only to /srv/www/example.com

Please help, I'm stuck with this for 2 days now…

10 Replies

Ok, so I've found the solution: that last line should be

chown username:group *

and not username:username *.

This way, I can log in to the site with SFTP, in the right place /srv/www/example.com, BUT user can see all files on the server.

How can I fix that last thing, so that user can see only his files in /srv/www/example.com ?

Look at this: http://library.linode.com/security/sftp-jails/

Thanks, but :)
@AndrijaM:

Well, I'm trying to provide SFTP access for another user, I'm following this guide http://library.linode.com/security/sftp-jails/

but something's just not working.
That's what I'm referring to, but I can't get it to work. Anybody else, anything?

@AndrijaM:

Thanks, but :)
@AndrijaM:

Well, I'm trying to provide SFTP access for another user, I'm following this guide http://library.linode.com/security/sftp-jails/

but something's just not working.
That's what I'm referring to, but I can't get it to work. Anybody else, anything?

Yes, sorry.

I've just tried that setup and it worked for me. I think your jail is not working at all.

Is /var/www/example.com the HOME directory for that username? You can check it by executing "env" from a console with that user's rights, and you will see one line "HOME=/your/home/path".

That HOME should be /var/www/example.com. If it isn't, you can edit your user with "usermod -d /var/www/example.com username".

Did you add your user to the 'filetransfer' group (the one you made for the Match statement)?

@drpks:

Is /var/www/example.com the HOME directory for that username? You can check it by executing "env" from a console with that user's rights, and you will see one line "HOME=/your/home/path".

Can you tell me exactly what I should type for the env command? What is the correct syntax?

If I type "env username"

I get "no such file or directory".

@drpks:

That HOME should be /var/www/example.com. If it isn't, you can edit your user with "usermod -d /var/www/example.com username".

When I try "usermod -d /var/www/example.com username"

I get "usermod: no changes", so I guess that means it's fine.

As I said, I'm able to log in, but the user can see everything else on the server: he can browse up to the top. He can't write anywhere except in his directory example.com, but I also need him to not see anything except his own site.

Let's say your username is "john"

You have to be logged in on a console as "john" and type the "env" command. "env" shows the user's environment variables. Alternatively, you can type "echo $HOME". It should return "HOME=/var/www/example.com".

If it isn't, you must change it with "usermod -d /var/www/example.com john" (run as root).

I think you have set the remote path in your SCP/FTP client to /var/www/example.com… that's why you can log in.

well - it works now :)

I have to say this manual http://library.linode.com/security/sftp-jails/ is not really for beginners; it assumes that you already know something.

And also, there is one big mistake, well I don't know if it's a mistake, but it did not work for me:

the last line of code in the manual:

chown username:username *

is not working for me, I had to change it like this:

chown username:usergroup

and after that all works fine: the user can log into his site directory and cannot see other stuff on the server.

@drpks

thanks :)

I assume you're not using a Debian-based distribution? They use a group scheme where each user gets a group of the same name as the username so technically it works as written.

Though using something like user:group would be more generic, and still applicable to Debian/Ubuntu (perhaps with a comment that the default group is typically the same as the user).

– David

Yes, I'm using Ubuntu. I guess that's what the problem was; it should be in the manual. How am I supposed to know that?

I kept wondering why this command was not working, and I tried username:usergroup and it worked, but I lost about a week on all this…

I will submit a comment there in the manual with a link to this thread; I'm sure someone will need this sooner or later :)
