SFTP-only Accounts With Media Temple DV 4

We all know FTP is borked. It’s insecure and we should all be using SFTP. The problem with SFTP on MT is that, once it is set up, the ftp user account can still access the server via FTP and the account now also has SSH access to the server. Ideally we want the ftp user to be able to reach the server only via SFTP and to have no command line access at all. The answer is to install scponly. scponly is a shell that does exactly what we want: it provides SFTP and SCP access but nothing else. MT’s DV servers run CentOS, and there is an excellent blog post by Shekhar Govindarajan that tells us how to install scponly.

Before we get to that though, first activate SFTP for the ftp user following MT’s wiki advice. And yes, I realize the wiki post I’m pointing you at is about activating SSH for the ftp user, but it all shakes out the same because you can’t have SFTP without SSH being activated, and the SFTP wiki post is overlong. When you enable SFTP the way MT suggests you select a shell for the ftp user. Any shell will do because we will replace it with scponly later.

Once the ftp user’s changes have been saved, access the server with SFTP and then with FTP to convince yourself that they both work. You can also try SSHing into the server to prove that the ftp user can now access the server from the command line.

To lock down the ftp user you need to follow the steps in Govindarajan’s blog post. The steps are, briefly: install the RPMforge repository, install scponly via yum, and then edit /etc/passwd to reassign the ftp user’s shell.

rpm -ivh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

yum install scponly

vi /etc/passwd

In vi, scroll down to the line for the ftp user. Enter editing mode and change the shell (the last field on the line, say it’s /bin/bash) to /usr/bin/scponly. Save and exit vi.

Now attempt to sign back into the server as the ftp user using FTP. It won’t work. Try with SFTP: works great. Try SSH. Not only does it not work, it hangs the attempt and provides no feedback to the attacker.

To recap, you now have a transfer account that uses SFTP, can’t use FTP, and is locked out of command-line access via SSH. Wonderful.
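The manual login tests above prove the point for one account, but once you have several transfer users it is easy to miss one whose shell was never switched. The script below is an added example, not something from the original post or from the scponly project: it audits a passwd-format file for named users whose login shell still permits interactive logins, and it reports whether the replacement shell is listed in /etc/shells. That second check matters because proftpd and vsftpd, in their default configuration, refuse logins for accounts whose shell is not listed in /etc/shells, which is what keeps FTP blocked after the switch; if you later add /usr/bin/scponly to /etc/shells, FTP for that account may start working again. The passwd and shells files, the user names and the paths are all constructed for the demo; on a real server you would point the functions at /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example (not from the original post): audit transfer accounts for
# shells that still allow interactive logins, and check whether the
# restricted shell is registered in /etc/shells.

# Shells that give no command-line access. /usr/bin/scponly is the path used
# in the post; the nologin/false variants are the usual disabled shells.
RESTRICTED_SHELLS="/usr/bin/scponly /sbin/nologin /usr/sbin/nologin /bin/false"

# is_restricted SHELL -> exit 0 if SHELL is one of RESTRICTED_SHELLS
is_restricted() {
    for s in $RESTRICTED_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# list_interactive PASSWD_FILE USER...
# Print "<user> <shell>" for each named user whose login shell still permits
# interactive logins, and "<user> missing" for users absent from the file.
# Users already on a restricted shell produce no output.
list_interactive() {
    passwd_file=$1
    shift
    for u in "$@"; do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$passwd_file")
        if [ -z "$shell" ]; then
            echo "$u missing"
        elif ! is_restricted "$shell"; then
            echo "$u $shell"
        fi
    done
}

# shell_registered SHELLS_FILE SHELL -> exit 0 if SHELL is a whole line of
# SHELLS_FILE. With the FTP daemons' default settings, a shell that is NOT
# listed here is what keeps FTP logins for the account rejected.
shell_registered() {
    grep -qx -- "$2" "$1"
}

# Constructed sample data (hypothetical users and paths) so the script runs
# offline; replace with /etc/passwd and /etc/shells on a real server.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftpuser:x:10001:2523::/var/www/vhosts/example.com:/usr/bin/scponly
webadmin:x:10002:2523::/var/www/vhosts/example.com:/bin/bash
EOF
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

echo "Transfer accounts that still have an interactive shell:"
list_interactive "$SAMPLE_DIR/passwd" ftpuser webadmin
if shell_registered "$SAMPLE_DIR/shells" /usr/bin/scponly; then
    echo "/usr/bin/scponly is listed in shells: FTP logins may be accepted"
else
    echo "/usr/bin/scponly is not listed in shells: FTP logins stay rejected"
fi
```

Run it as root against the real files by replacing the two sample paths; any line the audit prints for a user you intended to be SFTP-only is an account whose /etc/passwd entry still needs the shell swapped.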

This entry was posted in Server Stuff.

2 Responses to SFTP-only Accounts With Media Temple DV 4

  1. Pingback: More SSH Security Tricks on Media Temple DV 4 | Prion Interactive

  2. Steve says:

    Excellent, worked like a charm. Only issue is that I can move up to the parent directories. Any way to lock the new users out of parent directories?
