SFTP - Limit users

1

I'm testing an SFTP server. In my SFTP configuration, the line "Match Group sftponly" appears. That is, from what I understood, only users who are in the 'sftponly' group could access SFTP. But I noticed something troubling. On the same server I have a user named 'john', created to access another service. That is, he is not in the 'sftponly' group. But if john opens FileZilla and tries to access SFTP, he succeeds even though he is not in the sftponly group. It's worse! I noticed that in FileZilla he has access (even if only read) to the whole system! Because he is not in the 'sftponly' group, he is not directed to the folder given in the SFTP ChrootDirectory parameter. He simply drops into his HOME folder, and from there he can leave it and see all the other system folders.

My question: Is it possible to limit SFTP only to users who are actually members of the sftponly group, but to allow john to continue accessing other services using the SSH protocol?

    
asked by anonymous 04.02.2018 / 13:57

1 answer

1

I was able to resolve it:

1- All Git users should be in the 'git' group.

2- In /etc/passwd, leave the default git user prompt as /bin/bash instead of /usr/bin/git-shell.

3- In the /etc/ssh/sshd_config file, just below the existing SFTP settings, create a new section, which will capture the entire stream of the git group:

Match Group git 
    ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Once this is done, the user will only be able to access the Git repository, but will no longer have access to the SSH shell, SFTP, SCP, or any other SSH service.

    
07.02.2018 / 21:50
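
An added example, not part of the question or the answer: a small Python check that reads an sshd_config and reports which `Match Group` blocks actually bind a user, showing why a user outside `sftponly`, such as john, gets neither `ChrootDirectory` nor `ForceCommand`. The sample config, the chroot path and the function names are constructed for illustration, and only the `Group` criterion is modelled.

```python
import fnmatch

# Constructed sample: the question's sftponly block plus the answer's git block.
# The chroot path is a made-up value for illustration.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
Match Group git
    ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
    AllowTcpForwarding no
"""

def group_matches(pattern_list, groups):
    """sshd pattern list: comma separated; a '!' entry that hits vetoes the match."""
    hit = False
    for pat in pattern_list.split(","):
        if any(fnmatch.fnmatchcase(g, pat.lstrip("!")) for g in groups):
            if pat.startswith("!"):
                return False
            hit = True
    return hit

def effective_settings(config_text, groups):
    """Keywords that bind a user in `groups`; the first value seen wins, as in sshd."""
    settings, active = {}, True  # the global section applies to everyone
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":  # simplification: only "Match Group ..." is modelled
            crit = value.split(None, 1)
            active = (len(crit) == 2 and crit[0].lower() == "group"
                      and group_matches(crit[1].strip(), groups))
        elif active:
            settings.setdefault(keyword, value.strip())
    return settings

def sftp_exposure(config_text, groups):
    """Classify what an SFTP client run by this user would get."""
    s = effective_settings(config_text, groups)
    forced = s.get("forcecommand", "")
    if forced.startswith("internal-sftp"):
        return "sftp only, chroot=" + s.get("chrootdirectory", "none")
    if forced:
        return "sftp replaced by forced command"
    if s.get("subsystem", "").startswith("sftp"):
        return "unrestricted sftp"
    return "no sftp subsystem"
```

On a live server, `sshd -T -C user=john` prints the settings sshd itself resolves for that user, which is the authoritative check.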