Creating multiple SFTP users who use different SSH keys to connect to the same chrooted directory?

I have an Ubuntu-powered server, which - among other things - acts as file storage/hosting (powered by nginx), so that if a file is put in /var/www/files.ourcompany.com/file.txt, it is publicly available at http://files.ourcompany.com/file.txt.

I want to restrict ability to the server to three specific users:

  • User A is the overall sudo-enabled user who has SSH and SFTP access to everything. He is authorized by his SSH key(s) in /home/userA/.ssh/authorized_keys. Essentially this is the replacement for root.
  • User B is a normal user that uses FileZilla. He cannot use SSH, only SFTP, and can only see /var/www/files.ourcompany.com when he logs in. He is authorized via an SSH key that is placed in /etc/ssh/authorized_keys/userB (as described here).
  • User C is exactly like User B, except he has his SSH key in /etc/ssh/authorized_keys/userC instead.

Is the above possible using chroot or something similar? User A already has all the permissions he needs, but I am unsure of how to create the two normal users who should both be chrooted to the same folder (with upload/download capabilities) - /var/www/files.ourcompany.com - so that when they sign on via FileZilla they are immediately placed in that folder. I'm also scared of accidentally breaking the existing nginx setup due to rights issues...

user14040

Posted 2018-03-28T18:32:05.723

You can have multiple keys in an authorized_keys file - and have users log in as commonusername@destip - with each one using their own key. This may make it harder to track who actually logged in though. – davidgo – 2018-03-29T09:17:35.777

@davidgo I know, but that is exactly what I want to avoid. Since we'll end up having 5-10 users with SFTP access to the same file storage I want the logs to clearly show who comes and goes – user14040 – 2018-04-04T07:58:13.530

Surely the answer would just be to up the logging? Also, you could upload files with 664 / 775 perms and have all the users in a group - and structure the file server so that you have /data/home/user and /data/www - and chroot them to /data – davidgo – 2018-04-04T09:11:46.763

Without knowing too much about sftp or ftps - I posit you could set up an ftps server using, for example, pureftp and have logging on a per user basis, with a shared directory and appropriate perms. – davidgo – 2018-04-04T09:16:49.157

No answers
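
The setup the question describes (separate accounts, one key file per user, one shared chroot) maps onto an sshd_config Match block, and the rights issue it worries about comes down to sshd's rule that every component of the ChrootDirectory path must be owned by root and not writable by group or others. The sketch below is an added example, not part of the thread: it prints such a block and checks a directory against that rule. The group name sftponly and the function names are assumptions; the paths are the ones from the question.

```shell
#!/bin/sh
# Added example. Group name "sftponly" and all function names are assumptions;
# the directory and key-file paths come from the question.

# Print the sshd_config block that makes group members SFTP-only and chrooted,
# with one key file per user (%u expands to the login name).
sftp_match_block() {  # usage: sftp_match_block GROUP CHROOT_DIR
    cat <<EOF
Match Group $1
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
    ChrootDirectory $2
    ForceCommand internal-sftp -u 0002
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd accepts a chroot path component only if it is owned by root (uid 0)
# and not writable by group or others.
component_ok() {  # usage: component_ok OWNER_UID OCTAL_MODE
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Walk from the chroot directory up to /, reporting each component sshd
# would reject. Returns non-zero if any component fails.
check_chroot_path() {  # usage: check_chroot_path DIR
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    dir=$(cd "$dir" && pwd -P) || return 1
    while :; do
        set -- $(stat -c '%u %a' "$dir")
        component_ok "$1" "$2" || { echo "rejected: $dir (uid=$1 mode=$2)" >&2; rc=1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Typical use, as root, before touching /etc/ssh/sshd_config:
#   check_chroot_path /var/www/files.ourcompany.com &&
#       sftp_match_block sftponly /var/www/files.ourcompany.com
```

Because the chroot directory itself cannot be group-writable, uploads have to go into a subdirectory inside it that the shared group can write to; the -u 0002 umask keeps uploaded files group-writable for the other SFTP users. Keeping one account per person, as the question intends, means sshd's authentication log records which user connected.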