Yesterday the wonderful Howtoforge had an article that finally freed me from my beloved/hated scponly. MySecureShell offers all the functionality of a proper SFTP server, easily configurable and very well integrated.
To get it up and running on Debian, just download the latest *.deb version from Sourceforge.
Then install it with the following command:
dpkg -i mysecureshell_0.95_i386.deb
Now for every SFTP user you want on your system just do the following (substitute ‘test’ with your desired username).
Add a normal user to your system:
Open the file /etc/passwd and change the user’s shell from /bin/bash to /bin/MySecureShell. The line then should look something like this:
Alas, you have a chrooted SFTP only user, without the clutter of numerous additional directories for the chroot. Simple and elegant 🙂
The last step is to have a look through the config file in /etc/ssh/sftp_config, it’s pretty well documented!
I set up scponly to permit some of my users, for whom I host websites, to use sftp/scp to transfer files to the server but refuse them to login with a fully functional shell. After configuring scponly to chroot to the users home directory and some initial tests it worked very well with Transmit on the Mac, Filezilla on Windows and Putty/Terminal. The only thing that didn’t work was using Dreamweaver in SFTP mode to connect to the server.
After a bit of digging around me & Herbert found out that Dreamweaver will only communicate with the SSH server if you change the config from the Debian-standard, refusing “tunneled clear text passwords”, to permiting it in /etc/ssh/sshd_config.
# Change to yes to enable tunnelled clear text passwords
After a quick
/etc/init.d/ssh restart Dreamweaver was able to log in as well 🙂
To set up chroot for scponly on a Debian system do the following:
- unzip the chroot script in /usr/share/doc/scponly/setup_chroot
- chmod +x setup_chroot.sh
- type in the user you want to have scponly access
- accept the default for home directory
- type in the directory to be user writeable (in my case “www”)
- choose a password
- optional: compile the groups.c file in /usr/share/doc/scponly gcc -o groups groups.c and move it to the chroot mv groups /home/user/bin/.
…simple as that 🙂