# SSH Limited repertory



## vamos (Dec 4, 2012)

Hello, I have a problem. I tried to make a new user for SSH (FTP) access,
then I used "adduser -v" (there is no problem here) and I built this account the way I thought was good. My problem is the following: I want this user to ONLY have access to:


> for example: /web/hosting01/ and can't go into /web/ or /root/ etc... and can't use "ee /var/file.txt" in the PuTTY console either



How can I do this?

Thanks ;-)


----------



## fonz (Dec 4, 2012)

See chroot(8) or, more advanced, jails.


----------



## xtaz (Dec 4, 2012)

As long as the only thing you want to use is sftp (this doesn't work with scp), then you can do this. In /etc/ssh/sshd_config add the following lines:


```
# Put this Match block at the end of sshd_config: every keyword after a
# Match line belongs to that block until the next Match or end of file.
Match group chroot
    # %u expands to the login name, so each user gets /web/<username>
    ChrootDirectory /web/%u
    X11Forwarding no
    AllowTcpForwarding no
    # Built-in SFTP server; the user never gets a shell, so scp won't work
    ForceCommand internal-sftp
```

Then the user that you want to restrict needs to have their shell changed to /sbin/nologin and add them into the "chroot" group which you'll have to create. This will mean that they will be locked into the /web/%u directory. You can change the location of this if you desire and there are various different variables you can use. %u means username. The only thing is the permissions need to be set up correctly for this to work. /web/<username> needs to be root:wheel, and then you need to create more directories inside this called things like /web/<username>/incoming for example which needs to have <username>:chroot as the permissions.

Your users will then be locked into /web/<username> which they will have read only access to, but will be able to edit any files inside /web/<username>/incoming if that makes sense. Unfortunately whilst it would make more sense to give access to the whole directory this doesn't seem to work and sshd will moan about permissions being incorrect.
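The permission rule behind the "sshd will moan" remark is that the ChrootDirectory and every directory above it must be owned by root and must not be group- or world-writable; subdirectories such as /web/<username>/incoming are not checked, which is why they can belong to the user. The checker below is an added example (not from this thread or from OpenSSH) that applies that rule to constructed directory entries and, optionally, to a live path; the user name "alice" and the /web layout are assumed.

```python
"""Check a ChrootDirectory against sshd's ownership rule.

sshd refuses the chroot unless the target and all of its ancestors (up
to /) are root-owned directories with no group/other write bit.  The
rule is implemented over (uid, st_mode) tuples so it can be exercised
with constructed data; check_chroot_path() reads a real filesystem.
"""
import os
import stat
from typing import Dict, List, Tuple

S_IFDIR = 0o040000  # directory type bit, spelled out so tests need no imports


def chroot_ancestors(path: str) -> List[str]:
    """Return path and all its ancestors, root first: /web/alice -> ['/', '/web', '/web/alice']."""
    path = os.path.normpath(path)
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:  # reached '/'
            break
        path = parent
    return list(reversed(chain))


def check_chroot_entries(path: str, entries: Dict[str, Tuple[int, int]]) -> List[str]:
    """entries maps directory -> (owner uid, st_mode). Empty result means sshd would accept it."""
    problems = []
    for d in chroot_ancestors(path):
        if d not in entries:
            problems.append(f"{d}: missing")
            continue
        uid, mode = entries[d]
        if not stat.S_ISDIR(mode):
            problems.append(f"{d}: not a directory")
        if uid != 0:
            problems.append(f"{d}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{d}: group/other writable (mode {stat.S_IMODE(mode):04o})")
    return problems


def check_chroot_path(path: str) -> List[str]:
    """Same check against the live filesystem; stat() needs no privileges."""
    entries = {}
    for d in chroot_ancestors(path):
        if os.path.exists(d):
            st = os.stat(d)
            entries[d] = (st.st_uid, st.st_mode)
    return check_chroot_entries(path, entries)


# Constructed sample: the layout xtaz describes (root:wheel, 0755 all the way down)
GOOD_TREE = {"/": (0, S_IFDIR | 0o755), "/web": (0, S_IFDIR | 0o755), "/web/alice": (0, S_IFDIR | 0o755)}
# Constructed sample: /web/alice handed to the user and made group-writable
BAD_TREE = dict(GOOD_TREE, **{"/web/alice": (1001, S_IFDIR | 0o775)})
```

Run `check_chroot_path("/web/alice")` on the server after creating the directories to see exactly which ancestor sshd would reject.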


----------



## wblock@ (Dec 4, 2012)

It is well worth getting Michael Lucas' "SSH Mastery".


----------



## vamos (Dec 4, 2012)

Hello, then that is not the perfect solution; the best is to add OpenSSH?
thanks.


----------



## wblock@ (Dec 4, 2012)

sshd(8) and the rest of the SSH programs in FreeBSD are already from OpenSSH.


----------



## Remington (Dec 4, 2012)

You may want to consider using the PHP web application ajaxplorer. It's pretty good and you will have full control over directory structures for your users without them having SSH access. It's more secure this way. Giving users SSH or SFTP access is asking for trouble. It's easier to configure as well.


----------



## vamos (Dec 4, 2012)

Hello, I will look at this, you're right ^^ thanks


----------



## vamos (Dec 4, 2012)

Hello, is there an alternative to ajaxplorer? Because I really have a problem with it at the first login, thanks.


----------

