Problem
Our company's websites are all located on a high performance web server, including several development and internal-only projects.
A handful of our sites are public sites that need regular back-end updates. These updates are made by a third-party contract SEO/design firm.
I need to set up a single FTP account that the 3rd party firm can use to access ONLY those sites via FTP (or ideally, SFTP) in order to modify files there. I do NOT want them to have any access whatsoever to the rest of our server or our other websites.
Example
To illustrate my situation, let's assume for a moment I have four websites configured as Virtual Hosts in Apache:
internalsite1.com
internalsite2.com
contentsite1.com
contentsite2.com
These exist on my server in the following locations:
/var/www/html/
    /internalsite1.com
    /internalsite2.com
    /contentsite1.com
    /contentsite2.com
Now, I need the "contentsite" hosts to allow access via an FTP account to modify files. The "internalsite" hosts should be accessible only by users who are logged in (i.e. through standard SSH).
What I've Tried
Earlier today, I experimented with modifying my SSH configuration to create chroot'ed users using the internal-sftp and ChrootDirectory features of OpenSSH. However, the configuration was getting very complicated and I cannot risk breaking SSH access to my server, so I backed away from that approach.
Currently, I'm trying to figure out how to use vsftpd to achieve my goal; but so far I'm only able to set up a single account with access to a single directory. This would probably suffice, but vsftpd has dozens of options and no clear documentation on achieving this particular setup.
The Question
How can I enable a single FTP user account to access multiple directory locations on the server, one representing each ?
Note: Links to clear tutorials are welcome.
EDIT: While I'd prefer them to log in via SFTP, I'd settle for ordinary FTP access. I just need to create a single FTP Account on the server that has access to each of the three website locations in question.
Here is a guide for installing and setting up scponly, a package that provides an alternate login shell. The basic idea is that you set the login shell of a user to /usr/bin/scponly, and then that user can only use SFTP or SCP; he/she cannot get a command-line shell.
The scponly package provides a chroot option as well, involving a second alternate login shell (/usr/sbin/scponlyc), and a little extra setup. Be sure to read the entire forum thread there, as some additional tips are given by others in response to the main article.
The guide is somewhat Ubuntu-specific, but it should work just as well with Debian, or any Debian-derived distro. If your Linux is none of these, you should still be able to download the source, compile it yourself, and then follow the steps outlined in the guide.
Consider chroot'ing the users. Here's a guide for Ubuntu, but it should be adaptable.
http://ubuntuforums.org/showthread.php?t=858475
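One way to apply the chroot approach to the question's layout, as an added example that is not part of the original thread: a single SFTP-only account jailed in a root-owned directory, with each permitted site bind-mounted into it. The account name seofirm and the jail path /srv/sftp/seofirm are assumptions; the script only prints the configuration and offers a simplified pre-flight check of the ownership rule sshd enforces on ChrootDirectory.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: account
# "seofirm", jail /srv/sftp/seofirm. Prints a plan; changes nothing itself.

# sshd_config block: only the named user is affected, so existing SSH
# logins for every other account keep working as before.
gen_sshd_match() {   # usage: gen_sshd_match USER JAIL
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# /etc/fstab lines that bind-mount each permitted site into the jail.
gen_fstab() {        # usage: gen_fstab JAIL WEBROOT SITE...
    jail=$1 webroot=$2; shift 2
    for site in "$@"; do
        printf '%s/%s %s/%s none bind 0 0\n' "$webroot" "$site" "$jail" "$site"
    done
}

# sshd refuses a ChrootDirectory unless every path component is owned by
# root and not writable by group or others. Returns 0 if the path passes.
check_chroot_path() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path: $p"; return 2 ;; esac
    while :; do
        info=$(ls -ldn "$p" 2>/dev/null) || { echo "missing: $p"; return 2; }
        set -- $info                      # $1 = mode string, $3 = owner uid
        case $1 in
            ?????w*|????????w*) echo "group/other-writable: $p"; return 1 ;;
        esac
        [ "$3" = 0 ] || { echo "not root-owned: $p"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Constructed layout matching the question's example hosts.
gen_sshd_match seofirm /srv/sftp/seofirm
gen_fstab /srv/sftp/seofirm /var/www/html contentsite1.com contentsite2.com
# After applying: run check_chroot_path on the jail, then `sshd -t` to
# validate the config before reloading, with a root session still open.
```

Bind mounts keep the original ownership and modes, so the account still needs write permission on the two content directories themselves; the internalsite directories are never mounted into the jail and stay unreachable.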