19

I have an Ubuntu Server running on an EC2 instance. To login to that server I use a certificate file without any password.

I've installed and configured vsftpd and created a user (let's call him "testuser") for which I've set a /bin/false ssh terminal so it will only be able to connect via sftp and upload/access files on his home directory.

However - when I try to connect to the server from my computer, running

sftp testuser@my-ec2-server

I get

Permission denied (publickey).
Connection closed

messages so I can't log in.

How can I remove the certificate requirement for this user only (meaning, the "ubuntu" user will still have to use the certificate file to login via ssh), so normal sftp clients will be able to connect using a username and a password?

Thank you.

PS Using Ubuntu Server 10.10 official AMI from canonical, 64bit on a micro instance.

Doron

2 Answers

15

In order to accomplish what you wish, you need to do two different things.

  1. Change sshd config to accept passwords

I'll say first of all that it's a bad idea to do this; I would rather generate a certificate for your user than activate passwords. Nonetheless, if you want to do so, just edit /etc/ssh/sshd_config and change or uncomment it so it shows PasswordAuthentication yes. Once that is done, restart sshd: service ssh restart

  2. Let users just FTP using sftp and not have a shell

In order to accomplish that you need to install rsh (restricted shell) and change the user's shell to it: chsh username

lynxman
  • I only want this specific user (testuser), who will have only sftp access, to use a password instead of a certificate. The part of not allowing that user to access via ssh I already did by defining its shell as /bin/false – Doron Feb 05 '11 at 21:43
  • Doron, you won't be able to just allow one user via passwd, you either allow password auth for everyone or for nobody. Also `/bin/false` won't allow sftp connections (any ssh connection needs a valid shell, that's where rsh does the trick) – lynxman Feb 05 '11 at 21:59
  • This didn't work for me on Ubuntu EC2, not sure what the extra step that I'm missing is, port 22 is open – Doug Molineux Sep 12 '11 at 16:20
  • See http://serverfault.com/questions/154957/set-up-sftp-to-use-password-but-ssh-not-to-use-password to set up just the sftp user with a password... – Raman Nov 01 '12 at 15:42
1

Here is a step by step guide to allow:

  1. SFTP access to /home/bob/uploads for user bob
  2. Lock bob out of SSH
  3. Use username/passwords rather than keys:

First, edit your /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

Scroll down and modify:

PasswordAuthentication yes

and add this at the bottom:

Match Group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Press Ctrl-X to exit and save.

Now add the user:

sudo useradd bob
sudo passwd bob

Now add the groups and disable ssh:

sudo groupadd sftpusers
sudo usermod -g sftpusers bob
sudo usermod -s /usr/bin/rssh bob
sudo usermod -d /home/bob bob

Now set permissions:

sudo chown root:root /home/bob/
sudo chmod 755 /home/bob/
sudo mkdir /home/bob/uploads
sudo chown bob /home/bob/uploads

sudo service sshd restart

All this is while logged in as a root user (ec2-user on Amazon Linux AMIs)
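A worked check on the sshd_config side of both answers, added here as an example (it is not code from the question or from either answer). sshd applies `PasswordAuthentication` inside a `Match` block only to sessions that match, so the setting the thread wants is global `PasswordAuthentication no` (the "ubuntu" account stays key-only) with `PasswordAuthentication yes` inside `Match Group sftpusers`; enabling it globally, as the second answer does, opens password login for every account. The script parses an sshd_config into its global section and Match blocks and reports which of the thread's properties a given config misses. The group name `sftpusers` follows the second answer; the three sample configs are constructed for this example.

```python
"""sshd_config audit for the sftp-only, password-only user from the thread.

Added example (not from the question or either answer). It parses the
global section and Match blocks of a constructed sshd_config and checks
the properties the thread is after: only the sftp group accepts passwords
(the 'ubuntu' account stays key-only), and that group is chrooted and
forced into internal-sftp. The group name 'sftpusers' follows the second
answer; the sample configs below are constructed for this example.
"""
import shlex


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    sshd semantics: keywords after a 'Match' line belong to that block until
    the next 'Match'; keywords are case-insensitive; within a section the
    first occurrence of a keyword wins, so later duplicates are ignored.
    """
    global_settings = {}
    matches = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # tolerates quoted values
        key, values = parts[0].lower(), " ".join(parts[1:])
        if key == "match":
            current = {}
            matches.append((values.lower(), current))
            continue
        current.setdefault(key, values)
    return global_settings, matches


def audit_sftp_config(text, sftp_group):
    """Return a list of findings; an empty list means the config does what the thread wants."""
    findings = []
    glob, matches = parse_sshd_config(text)
    # sshd's built-in default for PasswordAuthentication is 'yes'
    global_pw = glob.get("passwordauthentication", "yes").lower()
    if global_pw == "yes":
        findings.append("global PasswordAuthentication yes: every account, ubuntu included, accepts passwords")

    block = dict(matches).get(f"group {sftp_group}".lower())
    if block is None:
        findings.append(f"no 'Match Group {sftp_group}' block: sftp users get the same key-only rule as everyone else")
        return findings

    def effective(key, default):
        # A Match block overrides the global value for sessions that match it
        return block.get(key, glob.get(key, default)).lower()

    if effective("passwordauthentication", "yes") != "yes":
        findings.append(f"Match Group {sftp_group} does not enable PasswordAuthentication")
    if effective("forcecommand", "").split()[:1] != ["internal-sftp"]:
        findings.append("sftp group not forced into internal-sftp (a /bin/false login shell alone refuses sftp too)")
    if "chrootdirectory" not in block:
        findings.append("sftp group is not chrooted")
    if effective("allowtcpforwarding", "yes") != "no":
        findings.append("AllowTcpForwarding still allowed for the sftp group")
    return findings


# Constructed sample: what the question starts from (password auth off, no Match block)
QUESTION_CONFIG = """
PasswordAuthentication no
"""

# Constructed sample: the second answer as posted (passwords switched on globally)
WEAK_CONFIG = """
PasswordAuthentication yes
Match Group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

# Constructed sample: passwords only inside the Match block, ubuntu stays key-only
HARDENED_CONFIG = """
PasswordAuthentication no
Match Group sftpusers
    PasswordAuthentication yes
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, cfg in [("question", QUESTION_CONFIG), ("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit_sftp_config(cfg, "sftpusers") or ["ok"])
```

Two practical notes on applying the hardened config: `ChrootDirectory %h` only works if every component of the home directory path is owned by root and not group- or world-writable (which is why the second answer does `chown root:root /home/bob` and `chmod 755 /home/bob` and gives bob a writable `uploads` subdirectory), and running `sshd -t` before restarting the service catches a malformed Match block before it locks you out of the instance.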