How to add more users to sftp account Centos

Description: This article explains how to add more restricted sftp users to your CentOS server. It also explains how to use a normal user in place of root and restrict root access to the server. By following this article you will be able to run your server in a more secure environment.

How to add more users to the sftp account.

Add the sftp group:

root@Dripple:/# groupadd sftpusers

1. Add the user
root@Dripple:/# adduser -m imreane

2. Add the user to the sftp group
root@Dripple:/# usermod -g sftpusers imreane

3. Change the user's shell from ssh access to nologin
root@Dripple:/# usermod -s /bin/false imreane

4. Set the user's home directory
root@Dripple:/# usermod -d /home/imreane imreane

5. Change ownership of the user directory to root (sshd will only chroot into a directory that is owned by root and not writable by group or others)
root@Dripple:/# chown root:root /home/imreane/

6. Add the user to the AllowUsers line in the sshd_config file
root@Dripple:/# vim /etc/ssh/sshd_config

7. Change the permissions of the user directory
root@Dripple:/# chmod 755 /home/imreane/

8. Create a password for the new user
root@Dripple:/# passwd imreane

9. Restart the ssh service
root@Dripple:/# service ssh restart

10. Create a directory which will be used for bind-mounting /var/www/
root@Dripple:/# mkdir /home/imreane/www

11. Make an entry in the fstab file for binding the directory /var/www/
root@Dripple:/# echo "/var/www/ /home/imreane/www none bind 0 0" >> /etc/fstab

12. Mount the directory onto the user-accessible directory.
root@Dripple:/# mount /home/imreane/www/

13. Check and list that /var/www/ is correctly bind-mounted.
root@Dripple:/# ll /home/imreane/www/

14. All done; reload or restart the ssh service
root@Dripple:/# service ssh restart

15. Now check your new sftp user's access to the server from the command line and also through FileZilla.
command: sftp user2@serverip
please enter password:
sftp> ls
www
sftp> cd ..
sftp> ls
www
sftp> exit

16. Repeat the steps for any additional users. Enjoy!
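The steps above, collected into a script as an added example (this is not code from the original article). It wraps the user-creation commands in functions and adds the two checks that most often make a chrooted SFTP login fail after a successful password: the chroot directory check that sshd itself applies, and a syntax check of sshd_config before the service is restarted. It assumes a Linux host with GNU userland, an sshd_config that already contains the "Match Group sftpusers" block, and an SSH service named sshd as on CentOS; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original article: the manual steps above
# wrapped in functions, together with the checks that most often make a
# chrooted SFTP login fail silently. Assumes a Linux host with GNU userland,
# that sshd_config already has the "Match Group sftpusers" block, and that
# the SSH service is named "sshd" (as on CentOS). Function names are hypothetical.

SFTP_GROUP="sftpusers"              # group referenced by the Match block
SSHD_CONFIG="/etc/ssh/sshd_config"

# sshd refuses to chroot into a directory unless it (and every parent) is
# owned by root and not writable by group or others; a directory that fails
# this check makes every login for that user fail after authentication.
# Returns 0 if acceptable, 2 if group- or world-writable, 1 if not root-owned,
# 3 if the path is not a directory.
check_chroot_dir() {
    dir="$1"
    [ -d "$dir" ] || return 3
    perms=$(ls -ld "$dir" | cut -c1-10)        # e.g. drwxr-xr-x
    owner=$(ls -ld "$dir" | awk '{print $3}')
    case "$perms" in
        ?????w*|????????w*) return 2 ;;        # char 6 = group w, char 9 = other w
    esac
    case "$owner" in
        root|0) ;;                              # owner shown by name or by uid
        *) return 1 ;;
    esac
    return 0
}

# Adds a user to the existing AllowUsers line of an sshd_config file without
# duplicating it. Returns 0 if the user is listed afterwards, 1 if the file
# has no AllowUsers line (nothing is changed in that case).
add_allow_user() {
    cfg="$1"
    user="$2"
    grep -q '^AllowUsers ' "$cfg" || return 1
    if grep -qE "^AllowUsers( +[^ ]+)* +$user( |\$)" "$cfg"; then
        return 0                                # already present
    fi
    sed -i "s/^\(AllowUsers .*\)/\1 $user/" "$cfg"
    grep -qE "^AllowUsers( +[^ ]+)* +$user( |\$)" "$cfg"
}

# Steps 1 to 14 of the article for one user; must be run as root.
# The configuration is validated with "sshd -t" before the service is
# restarted, so a typo in sshd_config cannot lock you out of the server.
create_sftp_user() {
    user="$1"
    webroot="${2:-/var/www}"
    home="/home/$user"
    useradd -m -g "$SFTP_GROUP" -s /bin/false -d "$home" "$user" || return 1
    chown root:root "$home"
    chmod 755 "$home"
    check_chroot_dir "$home" || { echo "$home is not a valid chroot" >&2; return 1; }
    mkdir -p "$home/www"
    # add the bind mount to fstab once, then mount it and confirm it is a mountpoint
    grep -q " $home/www " /etc/fstab || echo "$webroot $home/www none bind 0 0" >> /etc/fstab
    mount "$home/www" && mountpoint -q "$home/www" || return 1
    add_allow_user "$SSHD_CONFIG" "$user" || return 1
    sshd -t && service sshd restart || return 1
    echo "user $user created; set the password with: passwd $user"
}

# Usage (as root): sh add_sftp_user.sh <username> [webroot]
if [ "$#" -ge 1 ] && [ "$(id -u)" -eq 0 ]; then
    create_sftp_user "$@"
fi
```

The check functions can be run on their own against any directory or any copy of sshd_config, which is useful when a user reports "connection closed" right after entering the password: a chroot directory that has become group-writable (for example after a careless chmod on /home/imreane) is the usual cause, and check_chroot_dir reports it as exit code 2.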
———————————————————————
Here is the sshd_config after completing the configuration (comment lines are shown with their leading "#", and lines that had been run together are split back out):

# Package generated configuration file
# See the sshd_config(5) man-page for details

# What ports, IPs and protocols we listen for
#Port 22
Port 2577
#Port 9874
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
#PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunneled clear text passwords
#PasswordAuthentication yes

AllowUsers imreane imreane1 imreane2 imreane3 imreane4 imreane5 imreane5

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Port 9874

Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
