Hosting for friend's website.
If he were to have access via something like FTP, perhaps like a regular web host, how should I do this?
Should I create a new user on my linode and have the user's home directory be where they host their site? Connecting via FTP?
I'm new to linode and am running Ubuntu 10.04 LTS.
12 Replies
@groffcole:
Should I create a new user on my linode and have the user's home directory be where they host their site?
Yes, that's exactly what you should do.
@groffcole:
Connecting via FTP?
You could do that with proftpd or vsftpd, but FTP is generally considered insecure because the username and password are transmitted in plain text. Instead, give your friend an SSH account that is jailed to his/her home directory. (Google for "ssh jail home directory".) SSH includes SFTP, which is much more secure than FTP and your friend can use it just like good old FTP .
And, before looking at this SSH jail stuff, I'm assuming this means that the user won't be able to go exploring around the system? It locks, or "jails," them to their home directory?
Thanks!
A couple other questions:
1) Is there a way to allow the user to set their own password?
2) Is there any software that would allow a user some sort of web interface for this sort of thing?
Hrmm…. now I cannot login to my linode.
Edit:
More info:
I have root ssh access turned off, I've turned of password authentication to use SSH keys instead. My user account, that I created and added to the sudoers file, is unable to login via a terminal at the moment. Also, I can't seem to login with the account I made for my friend (via sftp).
Is there something I did incorrect? I followed the Linode guide.
Thanks.
Can you login via lish?
Package generated configuration file
See the sshd_config(5) manpage for details
What ports, IPs and protocols we listen for
Port 22
Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
HostKeys for protocol version 2
HostKey /etc/ssh/sshhostrsa_key
HostKey /etc/ssh/sshhostdsa_key
Privilege Separation is turned on for security
UsePrivilegeSeparation yes
Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
Logging
SyslogFacility AUTH
LogLevel INFO
Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
For this to work you will also need host keys in /etc/sshknownhosts
RhostsRSAAuthentication no
similar for protocol version 2
HostbasedAuthentication no
Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
IgnoreUserKnownHosts yes
To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
Change to yes to enable challenge-response passwords (beware issues with
some PAM modules and threads)
ChallengeResponseAuthentication no
Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
PasswordAuthentication no
Kerberos options
KerberosAuthentication no
KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
MaxStartups 10:30:60
Banner /etc/issue.net
Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp
Set this to 'yes' to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will
be allowed through the ChallengeResponseAuthentication and
PasswordAuthentication. Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to 'no'.
UsePAM ye
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Also, I seem to be having an issue restarting my ssh via /etc/init.d/ssh restart. This is the output when I run that command:
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service ssh restart
Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the restart(8) utility, e.g. restart ssh
ssh start/running, process 15959
When I run service ssh restart, I get this:
restart: Unknown instance:
ssh: connect to host colegroff.com port 22: Connection refused
"UsePAM ye "
This section said "ye" instead of "yes". So now I can login all right. I'm going to checkout the other issues later tonight.
@groffcole:
Thank you. The google search lead me right there.
A couple other questions:
1) Is there a way to allow the user to set their own password?
2) Is there any software that would allow a user some sort of web interface for this sort of thing?
Have a look at virtualmin GPL as I believe it may be what you're looking for and is free.
FWIW I'm running it and it works great on linode.