FTP Transfer: Restricting WinSCP only to a particular folder

Dear all,

I am using WinSCP FTP tool to download files from the Linode.

It is the recommended FTP tool by Linode: http://library.linode.com/networking/file-transfer/transfer-files-winscp

I am using a normal (non-root) Unix user to log into the server to back up files on a regular basis. Once logged in, the WinSCP tool displays the whole file system.

How do I provide access only to a user's home directory and restrict access to other files and directories?

Thanks,

Avinash

28 Replies

Thanks for sharing the link.

1) I am using CentOS 5.6-SP2. Will these changes work?

2) I actually tried and made the changes listed on the website. I am receiving an error when sshd is restarted:

```
Stopping sshd:                                             [FAILED]
Starting sshd: /etc/ssh/sshd_config: line 120: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options
                                                           [FAILED]
```

@bozo:

Create SFTP Jails?

http://library.linode.com/security/sftp-jails

Post the contents of your sshd_config file. Also run `sshd -V`; it'll throw an error, but it'll print the sshd version you have. It could be that CentOS 5 has an old version that doesn't support the Match directive.

sshd -v:

```
sshd -v
sshd: illegal option -- v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
```

/etc/ssh/sshd_config file:

```
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```

@obs:

Post the contents of your sshd_config file. Also run `sshd -V`; it'll throw an error, but it'll print the sshd version you have. It could be that CentOS 5 has an old version that doesn't support the Match directive.

@Avinash.Rao:

```
Subsystem sftp /usr/libexec/openssh/sftp-server

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```
As defined in the tutorial you said you followed…
> Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp" modify it to resemble the following:

File excerpt:/etc/ssh/sshd_config

> Subsystem sftp internal-sftp
You didn't edit the Subsystem line. I would start by fixing that first and then making sure you followed the rest of the tutorial properly.

Good luck!

I have pasted the config file after reverting back to the original configuration.

I did change that to Subsystem sftp internal-sftp.

Regards..

@Typo:

I also noticed conflicting entries: the 'X11Forwarding' value is set to yes at the beginning, but at the end we are setting it to 'no'.

Aren't these conflicting?

@Avinash.Rao:

I also noticed conflicting entries: the 'X11Forwarding' value is set to yes at the beginning, but at the end we are setting it to 'no'.

Aren't these conflicting?
No, the second one overrides X11Forwarding only for the group 'filetransfer'.

Edited: To make it easier to understand.
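The override rule is easier to see in code. The following Python script is an added example for this thread, not code from Linode's guide or from OpenSSH itself: it parses a small sshd_config modelled on the one posted above and works out which option values sshd would apply to a given session. The user names, group memberships and home directories in it are constructed for the demo, and only the User and Group criteria of Match are modelled.

```python
"""Model of how sshd resolves its options for one connection when the
config has Match blocks. Added example for this thread; the accounts and
groups below are constructed, not taken from a real system."""
import fnmatch
import re

# Constructed config modelled on the one in the thread: the global section is
# trimmed to the lines that matter, the Match block is the one from the guide.
SAMPLE_CONFIG = """\
Protocol 2
PermitRootLogin no
#X11Forwarding no
X11Forwarding yes
Subsystem sftp internal-sftp

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""

# Host/Address/LocalAddress/LocalPort are valid sshd criteria too, but they
# need connection data this model does not carry.
SUPPORTED_CRITERIA = ("user", "group", "all")


def parse(text):
    """Return (global_options, match_blocks), each a list of (keyword, value).

    Every keyword after a Match line belongs to that block until the next
    Match line or end of file, which is why Match blocks must be last.
    """
    global_opts, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd only honours a leading '#'
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()                # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            current = (parse_criteria(value), [])
            blocks.append(current)
        elif current is None:
            global_opts.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_opts, blocks


def parse_criteria(spec):
    """Turn 'group filetransfer,!wheel user backup' into {criterion: [patterns]}."""
    tokens = spec.split()
    if tokens == ["all"]:
        return {"all": ["*"]}
    if len(tokens) % 2:
        raise ValueError("Match needs criterion/pattern pairs: %r" % spec)
    criteria = {}
    for name, patterns in zip(tokens[::2], tokens[1::2]):
        name = name.lower()
        if name not in SUPPORTED_CRITERIA:
            raise NotImplementedError("Match criterion not modelled: %s" % name)
        criteria[name] = patterns.split(",")
    return criteria


def match_pattern_list(value, patterns):
    """OpenSSH pattern-list rule: a matching '!' pattern rejects outright (-1);
    otherwise any matching pattern accepts (1); no match at all is 0."""
    found = 0
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(value, pat[1:]):
                return -1
        elif fnmatch.fnmatchcase(value, pat):
            found = 1
    return found


def block_matches(criteria, user, groups):
    """True when every criterion on the Match line is satisfied."""
    for name, patterns in criteria.items():
        if name == "user" and match_pattern_list(user, patterns) != 1:
            return False
        if name == "group":
            # member of at least one listed group and of none of the negated ones
            results = [match_pattern_list(g, patterns) for g in groups]
            if -1 in results or 1 not in results:
                return False
    return True


def effective_options(text, user, groups, home):
    """Options sshd would apply to a session for `user` (a member of `groups`)."""
    global_opts, blocks = parse(text)
    opts = {}
    for keyword, value in global_opts:
        opts.setdefault(keyword, value)            # first value wins for repeats
    overrides = {}
    for criteria, body in blocks:
        if block_matches(criteria, user, groups):
            for keyword, value in body:
                overrides.setdefault(keyword, value)   # first matching block wins
    opts.update(overrides)                         # Match values override globals
    if "chrootdirectory" in opts:                  # %h, %u and %% expand here
        chroot = opts["chrootdirectory"]
        opts["chrootdirectory"] = (chroot.replace("%%", "\0").replace("%h", home)
                                   .replace("%u", user).replace("\0", "%"))
    return opts


if __name__ == "__main__":
    # Constructed accounts: "backup" is in filetransfer, "admin" is not.
    for user, groups in (("backup", ["backup", "filetransfer"]),
                         ("admin", ["admin", "wheel"])):
        o = effective_options(SAMPLE_CONFIG, user, groups, "/home/" + user)
        print(user, "X11Forwarding=" + o["x11forwarding"],
              "ForceCommand=" + o.get("forcecommand", "(none)"),
              "ChrootDirectory=" + o.get("chrootdirectory", "(none)"))
```

Run it and `backup` comes out with X11Forwarding no, ForceCommand internal-sftp and ChrootDirectory /home/backup, while `admin` keeps X11Forwarding yes with no chroot and no forced command. The parser also shows why the Match block has to be the last thing in the file: any keyword placed after a Match line is read as part of that block, not as a global setting. On a real host the authoritative check is `sshd -t -f <candidate file>`, which reports errors such as the "Bad configuration option: Match" seen above without touching the running daemon.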

Ok, it looks like your sshd is outdated.

I'm sorry for not looking earlier at your answer when someone asked, but checking your reply about what version you're running, it's obvious yours is quite old.

Yours:
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
I am pretty sure that Match support like you're trying to use wasn't added until version 5+, so yours is too outdated to support this option.

I would try updating.

Should I upgrade openssh?

```
yum update openssh
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.sov.uk.goscomb.net
 * extras: mirror.sov.uk.goscomb.net
 * updates: mirrors.coreix.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: openssh = 4.3p2-72.el5_6.3 for package: openssh-clients
--> Processing Dependency: openssh = 4.3p2-72.el5_6.3 for package: openssh-server
---> Package openssh.x86_64 0:4.3p2-82.el5 set to be updated
--> Running transaction check
---> Package openssh-clients.x86_64 0:4.3p2-82.el5 set to be updated
---> Package openssh-server.x86_64 0:4.3p2-82.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch      Version           Repository   Size
================================================================================
Updating:
 openssh            x86_64    4.3p2-82.el5      base        291 k
Updating for dependencies:
 openssh-clients    x86_64    4.3p2-82.el5      base        456 k
 openssh-server     x86_64    4.3p2-82.el5      base        280 k

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       3 Package(s)

Total download size: 1.0 M
Is this ok [y/N]:
```

@Typo:

@Avinash.Rao:

Should I upgrade openssh?
Yes, but I'm not sure how repositories work with CentOS, so you may not be updating to a new enough version. Be sure to check what version it updates to when done.

Crossing my fingers for ya. :)

You are right, I finished the update and the version is the same!

```
sshd -v
sshd: illegal option -- v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
```

@Typo:

@Avinash.Rao:

You are right, I finished the update and the version is the same!
Ok, the following is from a random website but I updated the instructions for the latest version of openssh available (6.0).

> How to install openssh 5 on Centos 5

Execute this in shell

```sh
# list the installed ssh packages, then pull in the build dependencies
rpm -qa | grep ssh \
  && yum -y install gcc automake autoconf libtool make openssl-devel pam-devel rpm-build \
  # fetch the tarball, its detached signature and the signing key, and verify before building
  && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz \
  && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz.asc \
  && wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import \
  && gpg openssh-6.0p1.tar.gz.asc \
  # stage the spec file and source for rpmbuild, disabling the askpass sub-packages
  && tar zxvf openssh-6.0p1.tar.gz \
  && cp openssh-6.0p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/ \
  && cp openssh-6.0p1.tar.gz /usr/src/redhat/SOURCES/ \
  && cd /usr/src/redhat/SPECS/ \
  && perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec \
  && rpmbuild -bb openssh.spec \
  # install the freshly built packages
  && cd /usr/src/redhat/RPMS/`uname -i` \
  && uname -i && ls -l \
  && rpm -Uvh openssh*rpm
```

Confirm the installation

rpm -qa | grep ssh


I take no responsibility for how well the above works; I did not make it, but found it on this site and did minor editing (5.6 to 6.0) for you.

Let me know how it goes.

p.s. There are other sites with info on building openssh for CentOS, so if this fails, don't give up.

Here's what is happening when I execute the code:

```
openssh-4.3p2-82.el5
openssh-clients-4.3p2-82.el5
openssh-server-4.3p2-82.el5
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.sov.uk.goscomb.net
 * extras: mirror.sov.uk.goscomb.net
 * updates: mirrors.coreix.net
Setting up Install Process
Package gcc-4.1.2-52.el5.x86_64 already installed and latest version
Package automake-1.9.6-2.3.el5.noarch already installed and latest version
Package autoconf-2.59-12.noarch already installed and latest version
Package libtool-1.5.22-7.el5_4.x86_64 already installed and latest version
Package 1:make-3.81-3.el5.x86_64 already installed and latest version
Package openssl-devel-0.9.8e-22.el5_8.1.x86_64 already installed and latest version
Package openssl-devel-0.9.8e-22.el5_8.1.i386 already installed and latest version
Package pam-devel-0.99.6.2-6.el5_5.2.x86_64 already installed and latest version
Package pam-devel-0.99.6.2-6.el5_5.2.i386 already installed and latest version
Package rpm-build-4.4.2.3-28.el5_8.x86_64 already installed and latest version
Nothing to do
--2012-04-23 12:22:03--  http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz
Resolving ftp.halifax.rwth-aachen.de... 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1126034 (1.1M) [application/octet-stream]
Saving to: `openssh-6.0p1.tar.gz'

100%[======================================>] 1,126,034   4.58M/s   in 0.2s

2012-04-23 12:22:03 (4.58 MB/s) - `openssh-6.0p1.tar.gz' saved [1126034/1126034]

--2012-04-23 12:22:04--  http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz.asc
Resolving ftp.halifax.rwth-aachen.de... 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 188 [application/octet-stream]
Saving to: `openssh-6.0p1.tar.gz.asc'

100%[======================================>] 188         --.-K/s   in 0s

2012-04-23 12:22:04 (8.08 MB/s) - `openssh-6.0p1.tar.gz.asc' saved [188/188]

-bash: gpg: command not found
--2012-04-23 12:22:04--  http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc
Resolving ftp.halifax.rwth-aachen.de... 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1725 (1.7K) [application/octet-stream]
Saving to: `STDOUT'

 0% [                                        ] 0           --.-K/s   in 0s

Cannot write to `-' (Broken pipe).
[root@hostname ~]#
```

2) I also tried adding the mirror listed in http://mirror.neu.edu.cn/CentALT/readme.txt

```
rpm -ihv http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm
Retrieving http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm
error: skipping http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm - transfer failed - Unknown or unexpected error
```

3) yum update

```
Finished Dependency Resolution
openssh-clients-5.8p2-16.el5.1.x86_64 from CentALT has depsolving problems
  --> Missing Dependency: libedit.so.0()(64bit) is needed by package openssh-clients-5.8p2-16.el5.1.x86_64 (CentALT)
Error: Missing Dependency: libedit.so.0()(64bit) is needed by package openssh-clients-5.8p2-16.el5.1.x86_64 (CentALT)
 You could try using --skip-broken to work around the problem
 You could try running: package-cleanup --problems
                        package-cleanup --dupes
                        rpm -Va --nofiles --nodigest
The program package-cleanup is found in the yum-utils package.
```


@Avinash.Rao:

Here's what is happening when I execute the code:
Ok, try this tutorial but again, you may want to replace the 5.8(s) with 6.0 to get the latest version…

Good luck!

Thanks a lot..

I did everything that was listed on the tutorial website.

The rpm build completed without any errors. Unfortunately, the version doesn't seem to change!

Last few lines of the rpm build:

```
Processing files: openssh-6.0p1-1
Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.9920
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd openssh-6.0p1
+ DOCDIR=/var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
+ export DOCDIR
+ rm -rf /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
+ /bin/mkdir -p /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
+ cp -pr CREDITS ChangeLog INSTALL LICENCE OVERVIEW README README.dns README.platform README.privsep README.tun PROTOCOL PROTOCOL.agent PROTOCOL.certkeys PROTOCOL.mux TODO /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
+ exit 0
```


@Avinash.Rao:

Thanks a lot..

I did everything that was listed the tutorial website.

The rpm build completed without any errors. Unfortunately, the version doesn't seem to change!
So `ssh -v` shows the same version? Did you remember to install the RPMs?
> Now if you go back into /usr/src/redhat/RPMS/ , you should see three RPMs. Go ahead and install them:

rpm -Uvh *.rpm

Yup!! Resolved!! Thank You so much for the support.

sshd restarted successfully.

Can I configure this in such a way that the user is able to ssh in from a remote computer, but the restriction still applies in WinSCP?


@Avinash.Rao:

Yup!! Resolved!! Thank You so much for the support.

sshd restarted successfully.

Can I configure this in such a way that the user is able to ssh in from a remote computer, but the restriction still applies in WinSCP?
Glad you have it working :)

To be honest, I don't really understand your new question.

Adding users to 'filetransfer' group will prevent these users from being able to log into a remote shell session.

So it's either SFTP-only or SSH access; I want to be able to enable both for a single user!


@Avinash.Rao:

Adding users to 'filetransfer' group will prevent these users from being able to log into a remote shell session.

So it's either SFTP-only or SSH access; I want to be able to enable both for a single user!
Not sure off the top of my head, but I can probably do some looking for you in a little bit. First, though, you should re-post your current sshd_config so we can see where you are config-wise; then whether it's me or someone else who helps, we have all the proper info.

sshd_config

```
#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp internal-sftp

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```

I have posted the sshd_config file.

The reason I am asking is I have a user who needs to use both ssh and SFTP.


Well, if they have shell access, they're going to be able to get at stuff outside of their home directory, so it's kinda pointless to restrict scp/sftp.

Yes, you are right. But when he uses ssh, he will still log in only to his home directory.

There is one user account used to configure SQL databases and perform regular backups. These files need to be copied to an external machine using WinSCP. Both are required.

@hoopycat:

Well, if they have shell access, they're going to be able to get at stuff outside of their home directory, so it's kinda pointless to restrict scp/sftp.

Chrooting a shell is a whole different story to chrooting sftp: they need to actually have access to a shell and all the required libraries and binaries inside the chroot. Not sure how to do it on CentOS; on Debian/Ubuntu I've done it using debootstrap, but then again I've no idea how secure that is (I didn't do it for security reasons).

1) We are forcing users to use sftp through normal user group settings: making a user part of the 'filetransfer' group and then using internal-sftp. Is it possible that this group can also be given SSH access?

2) I have upgraded sshd manually. Why isn't this possible through normal OS updates?

@Avinash.Rao:

1) We are forcing users to use sftp through a normal user group settings. Making a user part of 'filetransfer' group and then using internal sftp. Is it possible that this group can be given permissions to SSHD?

You can either force them to use sftp, or not force them to use sftp.

> 2) I have upgraded sshd manually? Why isn't this possible through normal OS updates?

It is, but once you choose a particular OS release, you normally get security updates and major bug fixes only. You've chosen CentOS, which is strongly based on RHEL, a distribution known for choosing long-term stability over all else. CentOS 5 gets you OpenSSH 4.3p2-82.el5, CentOS 6 gets you 5.3p1-70.el6, and that's what you're going to get.
