Home / ubuntu / Questions / 968976
Accepted
James Newton
Asked: 2017-10-26 01:14:59 +0800 CST

How to allow SSH only with RSA key, and SFTP with password and chroot?

  • 772

On my Ubuntu 16.04 LTS server, I would like to do the following things:

  • Enable a non-root admin user with sudo privileges to SSH in to the server using an RSA key (no password)
  • Enable selected non-admin users to upload files by SFTP to their own home directory, using a password to log in
  • Prevent the non-admin users from gaining access to the rest of the file system

I'm working with a freshly-installed version of Ubuntu 16.04.3 LTS, so everything is in its default factory condition.

I have read this question and the answers carefully, but I have not been able to find a solution.

I have created a nonrootadmin user with sudo privileges.

I have created a nonadminsftp user who is a member of the sftpaccess group. The /home/nonadminsftp/ directory looks like this:

$ ls -al ~nonadminsftp
total 24
drwxr-xr-x 3 root         root       4096 Oct 25 00:52 .
drwxr-xr-x 5 root         root       4096 Oct 24 22:29 ..
-rw-r--r-- 1 nonadminsftp sftpaccess  220 Sep  1  2015 .bash_logout
-rw-r--r-- 1 nonadminsftp sftpaccess 3771 Sep  1  2015 .bashrc
drwxr-xr-x 3 nonadminsftp sftpaccess 4096 Oct 25 00:50 ftp
-rw-r--r-- 1 nonadminsftp sftpaccess  655 May 16 13:49 .profile

Their respective entries in /etc/passwd are as follows:

nonrootadmin:x:1000:1000::/home/nonrootadmin:/bin/bash
nonadminsftp:x:1002:1002::/home/nonadminsftp:/usr/sbin/nologin

The changes I have made to the /etc/sshd/sshd_config file are as follows:

PermitRootLogin no
#PasswordAuthentication no

AllowUsers nonrootadmin nonadminsftp
Subsystem sftp internal-sftp
Match group sftpaccess
#ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
#ForceCommand internal-sftp

The solution that I have seen proposes uncommenting 3 of these lines, but I discover that:

  • PasswordAuthentication no prevents the nonadminsftp user from connecting with a password:

    $ sftp [email protected]
Permission denied (publickey).
Couldn't read packet: Connection reset by peer

  • ChrootDirectory %h prevents the nonrootadmin user from connecting at all:

    $ ssh [email protected]
packet_write_wait: Connection to 12.34.56.78 port 22: Broken pipe`

  • ForceCommand internal-sftp prevents the nonrootadmin from gaining SSH access:

    $ ssh [email protected]
This service allows sftp connections only.
Connection to mydomain.com closed.`

With these lines commented out:

  • nonrootadmin does have SSH access using an RSA key
  • nonadminsftp can connect using a FTP client such as FileZilla

BUT:

  • nonadminsftp is not chrooted to the /home/nonadminsftp directory
  • nonrootadmin can log in with a password

What is it that I am missing?

Thanks in advance

permissions

1 Answers

  1. Best Answer

    Thanks to @muru, the following configuration is now working:

    PermitRootLogin no
PasswordAuthentication no

AllowUsers nonrootadmin nonadminsftp
Subsystem sftp internal-sftp

Match group sftpaccess
# The following directives only apply to users in sftpaccess
PasswordAuthentication yes
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

    I had previously added nonrootadmin to the sftpaccess group. After I removed this user from the group...

    $ sudo gpasswd -d nonrootadmin sftpaccess
$ getent group ftpaccess
ftpaccess:x:1002:nonadminsftp

    ... nonrootadmin can now use SSH.

    • 2