Posted in Linux, Uncategorized

I have a bunch of sites in /var/www and need individual user logins with access to their respective sites. In this tutorial I’ll go over how to create a user, chroot jail them and allow access to specific folders (in our case web directories).

For reference I’m using a standard LAMP server on Ubuntu:

sudo apt-get install -y tasksel
sudo tasksel install lamp-server

but this tutorial will work for any web server configuration.


1. Create User, Assign Web Group

# Create the user setting group to www-data
sudo useradd -Ng www-data myuser
sudo passwd myuser

# Restrict login to SFTP only
sudo groupadd sftp-only
sudo usermod myuser -G sftp-only


Create their web directory and provide access

With the new user created, make a directory matching their website’s name and mount the real website folder to it:

# Create chroot directory and set permissions
mkdir -p /home/myuser/mysite.com/html
chmod 755 /home/myuser/mysite.com/html

# Mount the destination directory at the directory we just created
mount --bind /var/www/mysite.com/html /home/myuser/mysite.com/html

# Add the above command to /etc/rc.local to mount it on boot
nano /etc/rc.local


Restrict the user to SFTP Only

We only want to allow SFTP access for this user. First open /etc/passwd and make sure the end of the line has /bin/false like so:

tail -n1 /etc/passwd
# myuser:x:1001:33::/home/myuser:/bin/false

Now edit /etc/ssh/sshd_config to allow only SFTP for myuser:

Match User myuser
  ChrootDirectory /home/myuser
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Restart the SSHD service:

sudo service sshd restart

Now when you try to SSH in with this user you’ll get the error:

This service allows sftp connections only.


That’s it! They should now be able to SFTP in and will only have a mysite.com directory with access to their web files.
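The setup above has two requirements that sshd enforces silently: the ChrootDirectory and every directory above it must be owned by root and not be group- or world-writable (otherwise the login is refused and the user sees only a closed connection), and the login shell must be non-interactive. The following helper script is an added example, not part of the original post; the function names are this example's own, and it assumes GNU `stat -c` as found on Ubuntu. It checks those two conditions and emits the Match block, optionally keyed on the sftp-only group the post creates rather than on a single user (sshd expands `%u` in ChrootDirectory to the connecting user's name).

```shell
#!/bin/sh
# Added example, not from the original post: helper functions for the steps
# above. Function names are this example's own; stat -c is GNU coreutils.

# sshd refuses a ChrootDirectory unless the directory and every parent are
# owned by root and not writable by group or others. The post creates
# /home/myuser with mkdir as root, which satisfies this; this check confirms it.
chroot_dir_ok() {
  owner=$(stat -c '%u' "$1" 2>/dev/null) || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$owner" = 0 ] || return 1
  other=${mode#"${mode%?}"}        # last octal digit (others)
  rest=${mode%?}
  group=${rest#"${rest%?}"}        # second-to-last digit (group)
  case "$group$other" in           # any digit with the write bit (2) set
    *[2367]*) return 1 ;;
  esac
  return 0
}

# Walk from / down to the chroot directory, checking each component.
chroot_path_ok() {
  path=/
  chroot_dir_ok "$path" || return 1
  old_ifs=$IFS
  IFS=/
  for part in $1; do
    [ -n "$part" ] || continue
    path=${path%/}/$part
    if ! chroot_dir_ok "$path"; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  return 0
}

# Given one /etc/passwd line, confirm the login shell is non-interactive
# (the post uses /bin/false; the nologin variants are also accepted here).
login_shell_disabled() {
  case "${1##*:}" in
    /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the sshd_config Match block from the post. $1 is "User" or "Group", so
# the sftp-only group can be matched instead of one user; $3 is the
# ChrootDirectory, where sshd expands %u to the connecting user's name.
sshd_match_block() {
  printf 'Match %s %s\n  ChrootDirectory %s\n  ForceCommand internal-sftp\n  AllowTcpForwarding no\n  X11Forwarding no\n' "$1" "$2" "$3"
}

# Usage (as root):
#   chroot_path_ok /home/myuser || echo "fix ownership/permissions first"
#   login_shell_disabled "$(grep '^myuser:' /etc/passwd)" || echo "set shell to /bin/false"
#   sshd_match_block Group sftp-only '/home/%u' >> /etc/ssh/sshd_config && sshd -t
```

Run `sshd -t` after appending the block and before restarting: a syntax error in sshd_config otherwise leaves you with a daemon that will not start, and Match blocks must sit at the end of the file because every line after `Match` belongs to it.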


Further Reading

mihai.ile’s post on Stack Overflow – How can I chroot sftp-only SSH users into their homes?


Posted in Uncategorized

Our firewall at work restricts us to only port 80 and no access to SSH – which as you can imagine for a web developer is a pretty big issue. Below I’ll describe the various methods of routing around this crap.


Create a SOCKS5 Proxy with SSH

If your firewall restricts which sites you can visit but you have access through SSH to a remote server, route your browser and other traffic through that server with a SOCKS5 proxy. This is called Dynamic Port Forwarding:

ssh -f -N -D 1080 remote-server

The above command creates a SOCKS5 proxy server on port 1080 of your machine which sends all traffic through remote-server.

Use it with your browser:

Now use the server in Firefox:

  • go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings…
  • check “Manual proxy configuration”
  • make sure “Use this proxy server for all protocols” is cleared
  • clear “HTTP Proxy”, “SSL Proxy”, “FTP Proxy”, and “Gopher Proxy” fields
  • enter “127.0.0.1” for “SOCKS Host”
  • enter “1080” (or whatever port you chose) for Port.

Use it with git:

You can also configure SSH git origins to work with your proxy:

Open ~/.ssh/config and add

Host bitbucket.org
    User git
    ProxyCommand nc -x localhost:1080 %h %p

Now you can just clone/push/pull as normal. See here for more information.
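Two things are easy to get wrong with the `-f -N -D` form: the backgrounded ssh is awkward to check or stop later, and a client that resolves names locally (curl with plain `--socks5`, or Firefox without "Proxy DNS when using SOCKS v5") sends DNS queries to the firewalled resolver even though the connections go through the tunnel. The script below is an added example, not from the original post; the function names, the control-socket path and the curl check are this example's own choices. It runs the same dynamic forward as an OpenSSH ControlMaster so the tunnel can be checked and closed by name, verifies it with `--socks5-hostname` so resolution happens on the remote side, and writes the `~/.ssh/config` stanza from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the control
# socket path and the curl check are this example's own choices.

# Start the dynamic forward as a ControlMaster (-M) bound to a control socket
# (-S) so it can be inspected and torn down by name instead of hunting for the
# backgrounded ssh process. -D 127.0.0.1:PORT keeps the SOCKS listener on
# loopback, so other machines on the LAN cannot ride the tunnel.
socks_up() {   # socks_up remote-server [port]
  host=$1; port=${2:-1080}
  ssh -M -S "$HOME/.ssh/socks-$port.sock" -f -N \
      -o ExitOnForwardFailure=yes -D "127.0.0.1:$port" "$host"
}

socks_check() {   # socks_check remote-server [port]
  ssh -S "$HOME/.ssh/socks-${2:-1080}.sock" -O check "$1"
}

socks_down() {    # socks_down remote-server [port]
  ssh -S "$HOME/.ssh/socks-${2:-1080}.sock" -O exit "$1"
}

# Confirm both traffic and DNS use the tunnel: --socks5-hostname hands the
# hostname to the proxy, so the name is resolved by remote-server rather than
# by the local resolver. Prints the HTTP status code.
socks_test() {    # socks_test [port]
  curl -sS --max-time 10 --socks5-hostname "127.0.0.1:${1:-1080}" \
       -o /dev/null -w '%{http_code}\n' https://example.com
}

# ~/.ssh/config stanza sending git-over-ssh for a host through the proxy.
# Needs the OpenBSD netcat (Ubuntu's default nc); the GNU netcat has no -x.
socks_ssh_config_stanza() {   # socks_ssh_config_stanza bitbucket.org 1080
  printf 'Host %s\n    User git\n    ProxyCommand nc -x 127.0.0.1:%s %%h %%p\n' "$1" "$2"
}

# Usage:
#   socks_up remote-server 1080 && socks_test 1080
#   socks_ssh_config_stanza bitbucket.org 1080 >> ~/.ssh/config
#   socks_down remote-server 1080
```

`ExitOnForwardFailure=yes` makes ssh exit with an error if port 1080 is already taken instead of silently connecting without the forward, which is the usual cause of a "proxy set up but nothing works" afternoon.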


Posted in Linux

Tonight I needed to transfer files directly between two servers via the terminal and figured this would be useful information for others, so here’s how to do it:

Upload to a remote server:

$ ssh username@remote_address cat < localfile ">" remote_file

Download to your server:

$ ssh username@remote_address cat remote_file > local_file

Source: the incomplete news project
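Everything after the ssh destination in those commands is joined into one string and re-parsed by the remote login shell, which is why the `">"` has to be quoted locally. The same parsing means a remote filename containing a space becomes two words, and one containing `;` or backticks runs a second command on the remote host. The functions below are an added example, not from the original post (function names are this example's own); they wrap the two commands with a quoting helper so the remote shell always sees the filename as one literal word.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are this
# example's own.

# Quote one argument so the remote shell treats it as a single literal word,
# whatever it contains: wrap in single quotes and turn each embedded single
# quote into '\'' (close quote, escaped quote, reopen quote).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Upload: the local file is ssh's stdin, and the remote side runs
#   cat > 'remote_file'
ssh_upload() {    # ssh_upload user@host localfile remote_file
  ssh "$1" "cat > $(shell_quote "$3")" < "$2"
}

# Download: the remote side runs cat 'remote_file' and its stdout is
# written to the local file.
ssh_download() {  # ssh_download user@host remote_file local_file
  ssh "$1" "cat $(shell_quote "$2")" > "$3"
}

# Usage:
#   ssh_upload user@remote_address ./site.tar.gz 'backups/site 2024.tar.gz'
#   ssh_download user@remote_address '/var/log/apache2/error.log' ./error.log
```

`shell_quote` is the same transformation `printf %q` performs in bash, written so it also works under dash, Ubuntu's /bin/sh.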
