8

At the moment in my sshd_config I have it set so that passwords cannot be used and only keys can be used to log in.

I need to enable passwords for one user. This user is yet to be created and has to be a severely locked-down user: only able to see their own home directory and only able to execute basic commands (cd, mkdir, nano, etc.) inside that directory.

So my question is: how do I create this locked down user and how do I allow 'it' to login via ssh using a password?

Thanks

P P
  • 81
  • 1

2 Answers

10

This tutorial shows how to chroot ssh/sftp users. Essentially, you'll need to create a configuration section at the end of sshd_config like

Match User username
    ChrootDirectory /home/somewhere
    AllowTCPForwarding no
    X11Forwarding no

Add to that the PasswordAuthentication Yes (or ChallengeResponseAuthentication, whichever you're using) instruction to allow that user to use passwords.

If you want to ensure that the user can't create their own commands (you'd be surprised what you can do with bash) you'll need to make sure that everything in /home/somewhere is not owned by the user and not writable by the user.

That tutorial also links to a script for finding all the prerequisites of the commands you want to add to the jail and building your chroot jail.

DerfK
  • 19,313
  • 2
  • 35
  • 51
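As an added example (not from either answer or the tutorial they link to): a POSIX shell script that copies a command and its shared libraries into the jail, and then checks the ownership rule stated above, that nothing under the jail is owned by or writable for the jailed user. The jail path /home/somewhere and the account name "username" are placeholders carried over from the answer.

```shell
#!/bin/sh
# Added example, not part of the original answers. /home/somewhere and
# "username" are placeholders taken from the answer above.
set -eu

# jail_add_cmd JAIL BINARY...: copy each binary plus the shared libraries ldd
# reports for it into the jail, keeping the original path layout so the
# dynamic loader finds them after chroot. Shell builtins such as cd need no copy.
jail_add_cmd() {
    jail=$1; shift
    for bin in "$@"; do
        src=$(command -v "$bin")
        mkdir -p "$jail$(dirname "$src")"
        cp "$src" "$jail$src"
        # ldd prints e.g. "libc.so.6 => /lib/libc.so.6 (0x...)" or, for the
        # loader, "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep the absolute paths.
        ldd "$src" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            mkdir -p "$jail$(dirname "$lib")"
            [ -e "$jail$lib" ] || cp "$lib" "$jail$lib"
        done
    done
}

# jail_check JAIL USER: return 1 if anything inside the jail is owned by USER
# or writable by group (mode bit 020) or others (002), i.e. if the user could
# drop in their own binaries or scripts. sshd applies the same rule to the
# ChrootDirectory path components themselves and refuses the login otherwise.
jail_check() {
    jail=$1; user=$2
    bad=$(find "$jail" \( -user "$user" -o -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] && return 0
    printf 'paths %s could tamper with under %s:\n%s\n' "$user" "$jail" "$bad" >&2
    return 1
}

# Typical use as root, after adding "PasswordAuthentication yes" to the
# Match User block in sshd_config:
#   jail_add_cmd /home/somewhere sh mkdir nano
#   chown -R root:root /home/somewhere && chmod -R go-w /home/somewhere
#   jail_check /home/somewhere username
#   sshd -t    # syntax-check the new configuration before reloading
```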

4

The lock-down part of your question is already answered at the question How can I chroot ssh connections?.

Per-user configuration can be achieved by the Match section as others have posted.