Hey Folks, I am back. I’ve been busy with client commitments, so I didn’t have much time (not that I have a lot now, so let’s get straight to the point).
As a developer, some day or another, you will come across (or already have come across) a situation where a client asks you for FTP access to your development site/server. The reason could be anything… I’ve had some clients tell me:
- I want to check the quality of your code…. okay
- I want to add a new plugin…. ummm….. fine
- I want to add some functionality developed by another vendor…. oookkaayy
- I want to edit the code in some plugin….. oh…ok (panic mode on!)
Whatever the reason might be, you will have to grant access. But if you host all your development sites on a single server, you will want to give your client restricted access to that server, so that the client can reach only the directory allotted to him.
Since SFTP is more secure than FTP, we always prefer an SFTP setup over an FTP setup. (If you are new to SFTP, you can read about the key difference between FTP and SFTP. Others, read on.)
Restrictive SFTP User
Please note, the below process is applicable to Ubuntu, and I assume you have already created the site 😀
Let’s assume the root directory of your site is /home/yoursite.com. So when running the below commands, change /home/yoursite.com to your site’s root directory.
Create a New User
Now, let’s create a new user named ‘client_user’ and assign the /home/yoursite.com directory as that user’s home directory. Fire up your terminal and connect to your server. Once you are connected, the command below creates the user. Make sure you replace client_user with the username you prefer and /home/yoursite.com with the directory you want to assign to that user.
sudo useradd -d /home/yoursite.com client_user
(Interested in reading about other options which can be passed to useradd? If yes, then you can read through these examples.)
Set a Password
Once the user is created, we need to set a password. To set a password for that user, execute the command below:
sudo passwd client_user
We are ready with the new user now. It’s time to make some changes to our SSH configuration.
Restrict Access
Open the /etc/ssh/sshd_config file and append the lines below. (Remember to replace client_user with the username you created.)
Subsystem sftp internal-sftp
Match User client_user
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
%h stands for the user’s home directory.
After making the above changes, save the file and restart the SSH service. To restart the SSH service, execute:
sudo service ssh restart
Done! Now try logging into the system with the new user’s credentials, and check if everything is working correctly.
One last tip: For those of you who get a ‘fatal: bad ownership or modes for chroot directory’ error, do not worry. When this error occurs, we need to make sure that the user’s home directory is owned by root and that nobody else can write to that directory. So change the owner and permissions of the home directory using the following commands:
sudo chown root:root /home/yoursite.com
sudo chmod 755 /home/yoursite.com
After changing the permissions, try it again. If it still does not work for you, do leave your comments. I will be more than happy to help you 🙂
3 Responses
Hi, I used this method on Amazon AWS and it did not work. At the same time it disabled my SSH account.
The key here, for the next guy, is to place the new lines in the sshd_config file AFTER the ‘UsePAM yes’ line, to avoid mucking up your SSH access.
Also, it is a generally good idea to have an SSH session open besides the one you are using to do changes when those changes are to SSH, the method you use to access and make changes to start with, just in case…
I am facing the same issue. Unable to SSH into my server after following the above steps. Please help.