Hands-on lab – setting up a chroot directory for sftpusers group

For this lab, you can use either the CentOS virtual machine or the Ubuntu virtual machine. You'll add a group, then configure the sshd_config file so that group members can only log in via SFTP and are chrooted into /home; the 700 permissions on the home directories are what keep them out of each other's directories. For the simulated client machine, you can use the terminal of your macOS or Linux desktop machine, or Cygwin from your Windows machine:

  1. Create the sftpusers group:
        sudo groupadd sftpusers
  2. Create a user account for Max, and add him to the sftpusers group. On CentOS, useradd creates the home directory by default, so do:
        sudo useradd -G sftpusers max

On Ubuntu, useradd does not create the home directory unless you ask for it with -m, so do:

        sudo useradd -m -d /home/max -s /bin/bash -G sftpusers max
  3. Ensure that the users' home directories are all set with read, write, and execute permissions for only the directory's owner (CentOS does this by default; Ubuntu creates them world-readable). If that's not the case, do:
        sudo chmod 700 /home/*
  4. Open the /etc/ssh/sshd_config file in your preferred text editor. Find the Subsystem line. On Ubuntu it says:
        Subsystem sftp /usr/lib/openssh/sftp-server

On CentOS it says:

        Subsystem sftp /usr/libexec/openssh/sftp-server

Either way, change it to:

        Subsystem sftp internal-sftp
  5. At the end of the sshd_config file, add the following stanza. (A Match block must come last, because everything after a Match line belongs to it. The ChrootDirectory, and every directory above it, must be owned by root and not writable by any group or other user; /home satisfies that, which is why a user-owned directory such as /home/max cannot be used here directly.)
        Match Group sftpusers
            ChrootDirectory /home
            AllowTcpForwarding no
            AllowAgentForwarding no
            X11Forwarding no
            ForceCommand internal-sftp
  6. Check the configuration for syntax errors, then restart the SSH daemon. On CentOS, do:
        sudo sshd -t
        sudo systemctl restart sshd

On Ubuntu, do:

        sudo sshd -t
        sudo systemctl restart ssh
  7. Have Max try to log in through normal SSH, to see what happens. Because of the ForceCommand, the server should reject the shell session with the message "This service allows sftp connections only." and close the connection:
        ssh max@IP_Address_of_your_vm
  8. Now, have Max log in through SFTP. Once he's in, have him try to cd out of the /home directory (the chroot makes /home appear as /, so there is nowhere above it to go) and into another user's directory (which the 700 permissions should prevent):
        sftp max@IP_Address_of_your_vm
  9. End of Lab.