Steps to create a new SSH user and SFTP user

This was written for a ServerPilot VM, but in theory it will work for VMs in general, i.e. a DigitalOcean or AWS instance.

Also NOTE: I am not a security expert, so take it for what it's worth.

There seems to be some confusion regarding what this gist does regarding permissions (which you can see in the comments), and I can understand why some are confused based on the nature of it all. So here is a tutorial on adding a new SSH user to your VM. Note that any new user created using this method will have all the same permissions that the `serverpilot` user does, so don't go crazy adding users. Add only the ones you trust.

A good example of a use case would be: you have a VM that has a few projects on it, and there is a new developer on your team. Then follow the steps below.
1. Add the new user (you might need to use `sudo`):

   ```
   useradd <new_user>
   ```

2. Follow the on-screen prompts. This will allow SSH with the password set from the prompts. (If there are no prompts, just move on to Step 3; you will reset the password in the last step.)

3. Update the user's home directory to ServerPilot's apps directory, or edit `/etc/passwd` with `vim` to change the new user's path. This will be the directory where they arrive when connecting with SSH:

   ```
   usermod -d /srv/users/serverpilot/apps <new_user>
   ```

4. Add the user to the ServerPilot group:

   ```
   usermod -a -G serverpilot <new_user>
   ```

5. Check the permissions of the apps directory:

   ```
   ls -ld /srv/users/serverpilot/apps/
   ```

   The output should look like:

   ```
   drwxr-xr-x 2 root serverpilot 4096 Jan 27 09:08 /srv/users/serverpilot/apps/
   ```

6. Make the ServerPilot group the group owner of the apps directory (recursively), so the group can be granted permissions on it:

   ```
   chown -vR :serverpilot /srv/users/serverpilot/apps/
   ```

   The `-v` output shows that this changed the ownership of `/srv/users/serverpilot/apps/` from `root:root` to `:serverpilot`.

7. Grant write permission to the group owner:

   ```
   chmod -vR g+w /srv/users/serverpilot/apps/
   ```

   The `-v` output shows that the mode changed from `0755 (rwxr-xr-x)` to `0775 (rwxrwxr-x)`.

8. Change the password of the new user (only if the prompt didn't work). You may need `sudo`:

   ```
   sudo passwd <new_user>
   ```

Useful extras:

List all users:

```
cut -d: -f1 /etc/passwd
```

Delete a user:

```
sudo userdel <user_name>
```

Delete a group:

```
sudo groupdel <group_name>
```
Adding an SFTP user (chrooted to a single app)

NOTE: I am not a security expert, so take it for what it's worth.

OpenSSH has this ability built in; few people just seem to use the feature. Below is what works for me, but if you have a better way, please share with the uninformed.

1. Decide which directory the SFTP user should be confined to: `<app_name>` or `<app_name>/public`. This will keep trolls at bay.

2. The chroot directory and every directory above it must be owned by `root`, and must not be writable by anyone other than `root`:

   ```
   sudo chown root:root /srv
   sudo chown root:root /srv/users
   sudo chown root:root /srv/users/serverpilot
   sudo chown root:root /srv/users/serverpilot/apps
   sudo chown root:root /srv/users/serverpilot/apps/<app_name>
   ```

3. Create the SFTP user with its home directory set to the app directory:

   ```
   sudo adduser --home /srv/users/serverpilot/apps/<app_name> <new_sftp_user>
   ```

   Follow the prompts and note that this will create a user and a group with the name you supplied.

4. Create a group for the SFTP users:

   ```
   sudo groupadd <new_sftp_group>
   ```

5. Add the user to the groups:

   ```
   sudo usermod -a -G <new_sftp_user> <new_sftp_user>
   sudo usermod -a -G <new_sftp_group> <new_sftp_user>
   ```

6. Make sure the app directory is still owned by `root` after creating the user (the chroot directory must be owned by `root`):

   ```
   sudo chown root:root /srv/users/serverpilot/apps/<app_name>
   ```

7. Now that the user is all set up and has the correct permissions, we need to configure OpenSSH. Open the `sshd_config` file:

   ```
   sudo vim /etc/ssh/sshd_config
   ```

   If you don't use `vim`, replace it with whatever editor you use, e.g. `nano`.

8. Search for `Subsystem` (I like to duplicate the line and comment out the original) and add the following:

   ```
   # Subsystem sftp /usr/lib/openssh/sftp-server
   Subsystem sftp internal-sftp
   ```

9. Set up the chroot environment (you should still have `sshd_config` open). Add:

   ```
   Match Group <new_sftp_group>
       ChrootDirectory %h
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand internal-sftp
   ```

   `<new_sftp_group>` in `Match Group <new_sftp_group>` is the same group you created earlier. Put this block at the end of the file: every directive after a `Match` line belongs to that block until the next `Match`, so anything placed below it would only apply to that group.

10. Save and restart the SSH server:

    ```
    # restart SSH
    sudo service ssh restart
    ```

That's all there is to it.

If you want to test, you'll need to use an FTP client that supports SFTP.

I should mention that you'll need to do Steps 1 - 6 each time you add another SFTP user.
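Two pre-flight checks for the chroot set-up above, as an added example that is not part of the original gist: one walks the directory chain that `ChrootDirectory` depends on (root-owned, not group/world writable), the other checks that `sshd_config` has the `internal-sftp` subsystem and a matching `Match Group` block. It assumes GNU coreutils (`stat -c`); directory, owner, top-of-chain, config file and group are parameters.

```shell
#!/bin/sh
# Added example, not part of the original gist. Assumes GNU coreutils (stat -c).

# check_chroot_path DIR [OWNER] [TOP]
# sshd rejects a ChrootDirectory unless every path component from TOP (default /)
# down to DIR is owned by OWNER (default root) and is neither group- nor
# world-writable. Prints the first offending component and returns 1.
check_chroot_path() {
  dir=$1; owner=${2:-root}; top=${3:-/}
  while :; do
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "missing: $dir"; return 1; }
    own=$(stat -c '%U' "$dir")
    perm=$(printf '%s' "$mode" | tail -c 3)      # drop a leading setuid/sticky digit
    grp=$(printf '%s' "$perm" | cut -c2)         # group permission digit
    oth=$(printf '%s' "$perm" | cut -c3)         # other permission digit
    [ "$own" = "$owner" ] || { echo "owned by $own, not $owner: $dir"; return 1; }
    [ $((grp & 2)) -eq 0 ] && [ $((oth & 2)) -eq 0 ] ||
      { echo "group/world writable ($perm): $dir"; return 1; }
    [ "$dir" = "$top" ] && return 0
    [ "$dir" = / ] && { echo "$top is not an ancestor of $1"; return 1; }
    dir=$(dirname "$dir")
  done
}

# check_sftp_config FILE GROUP
# Verifies that FILE switches the sftp subsystem to internal-sftp and has a
# "Match Group GROUP" block that chroots and forces internal-sftp. Every
# directive after a Match line belongs to that block, so the Subsystem line
# only counts when it appears before the first Match.
check_sftp_config() {
  awk -v grp="$2" '
    /^[ \t]*(#|$)/ { next }                                # comments and blank lines
    tolower($1) == "match" {
      seenmatch = 1; inmatch = (tolower($2) == "group" && $3 == grp); next
    }
    tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" &&
      !seenmatch { subsys = 1 }
    inmatch && tolower($1) == "chrootdirectory" { chroot = 1 }
    inmatch && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force = 1 }
    END { exit !(subsys && chroot && force) }
  ' "$1"
}

# Example run against the paths used in the gist (fill in <app_name> and <new_sftp_group>):
# check_chroot_path /srv/users/serverpilot/apps/<app_name> &&
#   check_sftp_config /etc/ssh/sshd_config <new_sftp_group> && echo "chroot set-up OK"
```

Run both before step 10; `sudo sshd -t` additionally lets sshd itself validate the edited config before you restart it.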