This describes configuring an OpenBSD server specifically, but the sshd_config settings should work on any distro.
The result is a set of sftp-only users who are jailed into a directory at login and have write access only to a subdirectory.
A recent version of OpenBSD, or a Linux distribution, running openssh-server
Add the following to your /etc/ssh/sshd_config file:
    # override default of no subsystems
    #Subsystem sftp /usr/libexec/sftp-server

    # sftp configuration
    Subsystem sftp internal-sftp

    Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTCPForwarding no
        PasswordAuthentication yes
jail directory and user configuration
A quick and dirty bash script to configure the user directories.
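    #!/bin/bash
    # Replace <username> with the account to create.
    # The sftponly group must already exist (useradd -g does not create it).
    SFTPUSER="<username>"
    SFTPDIR=/sftp_jail

    # Account with no login shell, home inside the jail, primary group sftponly
    useradd -d "$SFTPDIR/$SFTPUSER" -s /sbin/nologin -g sftponly "$SFTPUSER"
    mkdir -p "$SFTPDIR/$SFTPUSER/upload"

    # Jail parent and chroot directory (%h) stay root-owned and not user-writable
    chown root:sftponly "$SFTPDIR"
    chmod 700 "$SFTPDIR"
    chown root:sftponly "$SFTPDIR/$SFTPUSER"
    chmod 750 "$SFTPDIR/$SFTPUSER"

    # Only the upload subdirectory belongs to the user
    chown "$SFTPUSER:nobody" "$SFTPDIR/$SFTPUSER/upload"
    chmod 700 "$SFTPDIR/$SFTPUSER/upload"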
- Users will not be allowed to write to their home directory, but they will be allowed to write to the ‘upload’ subdirectory.
- Users will have read-only access to their home directory.
- Restart the sshd server after making any changes to /etc/ssh/sshd_config
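The ownership and modes set by the script matter because sshd refuses a chrooted login unless every directory from / down to the ChrootDirectory is owned by root and not writable by group or others. The check below is an added example, not part of the original post; the function names and the optional owner-uid and base arguments are hypothetical, the latter two existing only so the check can be tried on a scratch tree without root.

```bash
#!/bin/bash
# Added example (not from the original page): pre-flight check for ChrootDirectory.
# sshd requires every directory from / down to the chroot target to be owned by
# root and not writable by group or others; otherwise the login is refused.

# check_component DIR OWNER_UID -> prints findings, returns 1 on a violation.
check_component() (
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; exit 1; }
    # "ls -ldnL" works on OpenBSD and Linux: field 1 = mode string, field 3 = uid.
    info=$(ls -ldnL -- "$dir" | awk '{print $1 " " $3}')
    perms=${info% *} uid=${info#* }
    rc=0
    [ "$uid" = "$owner" ] || { echo "FAIL $dir: owner uid $uid, expected $owner"; rc=1; }
    case $perms in
        ?????w*)    echo "FAIL $dir: group-writable ($perms)"; rc=1 ;;
    esac
    case $perms in
        ????????w*) echo "FAIL $dir: world-writable ($perms)"; rc=1 ;;
    esac
    exit "$rc"
)

# audit_chroot TARGET [OWNER_UID] [BASE]
# OWNER_UID (default 0) and BASE (default /) are hypothetical knobs for testing
# on a scratch tree; a real audit passes only TARGET.
audit_chroot() (
    target=${1%/} owner=${2:-0} base=${3:-/}
    base=${base%/}
    case $target/ in
        "$base"/*) ;;
        *) echo "FAIL $target: not below ${base:-/}"; exit 2 ;;
    esac
    rest=${target#"$base"} dir=$base rc=0
    check_component "${dir:-/}" "$owner" || rc=1
    # Walk the remaining path one component at a time, as sshd does.
    while [ -n "$rest" ]; do
        rest=${rest#/}
        part=${rest%%/*}
        rest=${rest#"$part"}
        [ -n "$part" ] || continue
        dir=$dir/$part
        check_component "$dir" "$owner" || rc=1
    done
    exit "$rc"
)
```

On a live system, run `audit_chroot /sftp_jail/<username>` as root before restarting sshd; a non-zero exit status means at least one component would be rejected.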
Puppet is very particular about the Ruby version on Windows. While 2.2 and 2.3 versions of Ruby are available, Puppet only runs without complaint on Ruby 2.1 on my Windows 7 box.
As of May 2016, I installed Ruby 2.1.8 and puppet-agent 3.8.7. I also had to install some gems to make puppet-agent happy.
gem install win32-security win32-dir require win32-process top win32-service
Here are the links to downloads for puppet-agent and Ruby:
No issues if the right version of Ruby and the right gems are installed.