Bob is the company's local Linux administrator. He has been tasked with creating a secure shared SFTP folder so that members of the R&D department can collaborate securely on “The New Project”.
Bob immediately recognizes a potential difficulty. If Steve and John are working on a prototype, how will John be able to edit Steve’s file if the file permissions only allow John to read it?
Bob first goes to the break room to locate a coffee mug.
After consulting Google and the man pages for sftp, sftp-server, sshd_config and sshd, he worked out what he needed to do:
- Create directory for the share
- Create a user group
- Create the individual users and add them to the user group
- Modify the sshd_config
- Restart the SSHD service and verify that it works
Create the SFTP Share Directory
First Bob needed a directory to hold the R&D files.
sudo mkdir -p /sftp/rdfiles
sudo chmod 755 /sftp/rdfiles
He ran into a problem when the directory ended up with 775 permissions, which broke logins: sshd refuses to chroot users into a directory that is writable by group or others (or not owned by root). Manually changing it to 755 fixed that.
Create User Group
Now Bob needs a user group to add everyone to.
sudo groupadd rdsftp
Now on to creating the users. Since the accounts are only used for SFTP, we set the nologin shell; none of these users will be able to use ssh to log on to the server interactively.
sudo useradd -g rdsftp -s /sbin/nologin -M sftpadmin
Repeat for John, Steve, Jill, etc…
Use the sftpadmin user as an “admin” user and hand the share directory to that user and the rdsftp group:
sudo chown -R sftpadmin:rdsftp /sftp/rdfiles
Modify sshd_config file
There are a couple of things that need to be changed in sshd_config to make this all work.
sudo vi /etc/ssh/sshd_config
At the bottom of the file, Bob adds (comments on their own lines, since sshd treats anything after the ForceCommand keyword as part of the command):
# R&D SFTP share settings
Match Group rdsftp
    # chroots the users into this directory
    ChrootDirectory /sftp/rdshare/
    # -u sets the umask; needed so users have write permissions for all files
    ForceCommand internal-sftp -u 0002
This will chroot all the users into /sftp/rdshare, which makes /sftp/rdshare the users' / directory.
The -u umask option is the secret to letting all the users manage all the files. Without it, John would not be able to update Steve’s inventory file.
Restart services and test
Now we can restart the ssh server:
sudo systemctl restart sshd
And verify that john can log in.
Any existing sessions will need to be terminated for the changes to take effect.