Hi,

my goal: sftp/scp only access, without the need for linux users.

I want to provide 10 sftp/scp directories to 10 people. Let's call this "virtual account".

I don't want to create linux users for each of them.

I would like to create one linux user (backup_user). In his home directory will be 10 directories. For each "virtual account" one directory.

Every virtual account must only see his own files, not the files from another virtual account.

I would like to use the solution which is provided here: https://serverfault.com/a/88864/90324

In short there will be 10 lines in the authorized_keys file:

    ~backup_user/.ssh/authorized_keys:
    no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command=\
    "scp -v -r -d -t ~/CONTENT" ssh-rsa AAAAMYRSAKEY...

I could improve this by a python script and not use the hard coded "scp -v ...".

I would like to support scp and sftp.

Is there a way to chroot, to ensure each virtual account can't break out of his jail?

BTW: The idea with authorized_keys and "forced command" is just my current strategy. If there is a better way to reach the overall goal, then please tell me :-)

We are running an OpenSSH server. I would like to stick to it, if possible.

Just for the records, I asked the same question here: https://serverfault.com/questions/871517/ssh-forced-command-sftp-scp-only

Regards,
  Thomas Güttler
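The message above suggests replacing the hard-coded "scp -v ..." forced command with a script that also covers sftp; the wrapper below is an added example of that idea (it is not code from the thread, the serverfault answer, or OpenSSH). It reads SSH_ORIGINAL_COMMAND, accepts only an scp sink/source request or an sftp subsystem request, and pins every path under the key's own directory; the BASE and SFTP_SERVER paths, the vacct-shell name and the assumption about what sshd puts in SSH_ORIGINAL_COMMAND for a subsystem request are mine.

```python
#!/usr/bin/env python3
"""Forced-command wrapper for one shared user with per-key "virtual accounts".
Installed from authorized_keys as (one line per key, ACCOUNT = that key's dir):
  restrict,command="/usr/local/bin/vacct-shell ACCOUNT" ssh-rsa AAAA...
Added example; not code from the thread or from OpenSSH."""
import os
import re
import shlex
import sys

BASE = "/home/backup_user"                       # shared user's home (assumed)
SFTP_SERVER = "/usr/lib/openssh/sftp-server"     # distro-specific path (assumed)
SCP_FLAGS = {"-v", "-r", "-d", "-p", "-q"}       # harmless scp options passed through
# For a subsystem request sshd hands the configured Subsystem command line to the
# forced command as SSH_ORIGINAL_COMMAND (assumed; check with your sshd version).
SFTP_REQUESTS = {"internal-sftp", "sftp-server"}

def confine(account_dir, requested):
    """Pin a client-supplied path under account_dir; None if it would escape."""
    rel = re.sub(r"^(~[^/]*)?/*", "", requested) or "."   # drop ~user and leading /
    target = os.path.normpath(os.path.join(account_dir, rel))
    # Lexical check only: in production also resolve symlinks with os.path.realpath.
    return target if os.path.commonpath([account_dir, target]) == account_dir else None

def build_command(original, account):
    """argv to exec for SSH_ORIGINAL_COMMAND, or None to refuse the session."""
    account_dir = os.path.join(BASE, account)
    try:
        argv = shlex.split(original or "")
    except ValueError:
        return None
    if argv and os.path.basename(argv[0]) in SFTP_REQUESTS:
        return [SFTP_SERVER, "-d", account_dir]          # sftp starts in the account dir
    if len(argv) >= 3 and argv[0] == "scp" and argv[-2] in ("-t", "-f"):
        flags = argv[1:-2]                               # scp puts -t/-f just before the path
        target = confine(account_dir, argv[-1])
        if set(flags) <= SCP_FLAGS and target is not None:
            return ["scp", *flags, argv[-2], target]
    return None                                          # shells, rsync, anything else

def main():
    if len(sys.argv) != 2 or "/" in sys.argv[1] or sys.argv[1] in (".", ".."):
        sys.exit("usage: vacct-shell ACCOUNT")
    cmd = build_command(os.environ.get("SSH_ORIGINAL_COMMAND"), sys.argv[1])
    if cmd is None:
        sys.exit("this key only allows scp/sftp into its own directory")
    os.execv(cmd[0], cmd)

if __name__ == "__main__":
    main()
```

This only constrains which command runs; it is not a chroot: sftp-server -d merely sets the starting directory and the client can still change out of it, and scp -t relies on the shared user's filesystem permissions, so the per-account isolation asked for above still needs ChrootDirectory with separate system users or a comparable jail.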
On Fri, Sep 1, 2017 at 5:11 AM, Thomas Güttler Lists <guettliml at thomas-guettler.de> wrote:
> Hi,
>
> my goal: sftp/scp only access, without the need for linux users.
>
> I want to provide 10 sftp/scp directories to 10 people. Let's call this
> "virtual account"
>
> I don't want to create linux users for each of them.
>
> I would like to create one linux user (backup_user). In his home-directory
> will be 10 directories. For each "virtual account" one directory.

Sounds like you want an old tool called "rssh", with chroot cages. Some of my tools to help set it up are at:

* https://github.com/nkadel/rssh-chroot-tools

However, if I may suggest? It sounds like you may be better with an "ftps" system, not an "sftp" system. Please look up "vsftpd" and how it can be configured this way, with a variety of authentication protocols to go with it.
Hi Nico and other ssh experts,

On 02.09.2017 at 06:46, Nico Kadel-Garcia wrote:
> On Fri, Sep 1, 2017 at 5:11 AM, Thomas Güttler Lists
> <guettliml at thomas-guettler.de> wrote:
>> Hi,
>>
>> my goal: sftp/scp only access, without the need for linux users.
>>
>> I want to provide 10 sftp/scp directories to 10 people. Let's call this
>> "virtual account"
>>
>> I don't want to create linux users for each of them.
>>
>> I would like to create one linux user (backup_user). In his home-directory
>> will be 10 directories. For each "virtual account" one directory.
>
> Sounds like you want an old tool called "rssh", with chroot cages.
> Some of my tools to help set it up are at:
>
> * https://github.com/nkadel/rssh-chroot-tools
>
> However, if I may suggest? It sounds like you may be better with an
> "ftps" system, not an "sftp" system. Please look up "vsftpd" and how
> it can be configured this way, with a variety of authentication
> protocols to go with it.

Yes, I think you are right. Maybe I will have less headache with ftps.

Regards,
  Thomas Güttler

--
Thomas Guettler http://www.thomas-guettler.de/
Hi,

thank you for your feedback. We now use a different solution.

Since I could not find a generic http upload tool, I wrote one myself. It is available here: https://github.com/guettli/tbzuploader

The API is very easy: if the server replies with 201 (http status for created) then the upload is considered successful and the local files get moved to a "done directory".

Feedback is welcome.

Regards,
  Thomas Güttler

On 02.09.2017 at 06:46, Nico Kadel-Garcia wrote:
> On Fri, Sep 1, 2017 at 5:11 AM, Thomas Güttler Lists
> <guettliml at thomas-guettler.de> wrote:
>> Hi,
>>
>> my goal: sftp/scp only access, without the need for linux users.
>>
>> I want to provide 10 sftp/scp directories to 10 people. Let's call this
>> "virtual account"
>>
>> I don't want to create linux users for each of them.
>>
>> I would like to create one linux user (backup_user). In his home-directory
>> will be 10 directories. For each "virtual account" one directory.
>
> Sounds like you want an old tool called "rssh", with chroot cages.
> Some of my tools to help set it up are at:
>
> * https://github.com/nkadel/rssh-chroot-tools
>
> However, if I may suggest? It sounds like you may be better with an
> "ftps" system, not an "sftp" system. Please look up "vsftpd" and how
> it can be configured this way, with a variety of authentication
> protocols to go with it.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Thomas Guettler http://www.thomas-guettler.de/
I am looking for feedback: https://github.com/guettli/programming-guidelines