Limiting a Linux virtual host account to SFTP

Been using ispconfig3 to manage a server: setting up virtual hosts is a lot easier that way than manually. Recently had to set up SFTP access so the client can manage the content themselves. Spent a little while wiring up the ssh keys so WinSCP could securely log in, but couldn't seem to get SFTP to work. Turns out that by default the apache users are wired up to use /bin/false as the shell and it seems to be hardwired.

Google to the rescue: the Debian Administration FAQ yielded this gem. First set up the sftp-server to be an accepted shell:

root@host # echo '/usr/lib/sftp-server' >> /etc/shells

Then, all you have to do is alter each of the users created for apache like so:

root@host # usermod -s /usr/lib/sftp-server <username>

And...we're done. SFTP now works.

Do note: if you're doing this, make sure you've got your SSH daemon set up to require a key: no passwords allowed. Save yourself the pain and suffering of password-based SSH attacks.
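
A way to check both of the above in one pass (an added example, not part of the original write-up): every account using the sftp-server shell must have that exact path in the shells file, and the SSH daemon config must turn password logins off. The function names and sample files are made up for illustration; point the functions at copies of /etc/passwd, /etc/shells and your sshd_config.

```shell
#!/bin/sh
# Added example: checks for the SFTP-only setup described above.
# Every file path is an argument, so it can run against copies.

# Succeeds if SHELL appears as an exact line in the shells file.
shell_listed() {   # shell_listed SHELLS_FILE SHELL
    grep -Fxq -- "$2" "$1"
}

# Prints the accounts in a passwd-format file whose login shell is SHELL.
users_with_shell() {   # users_with_shell PASSWD_FILE SHELL
    awk -F: -v s="$2" '$7 == s { print $1 }' "$1"
}

# Succeeds only if the global section of an sshd_config-format file sets
# PasswordAuthentication no. sshd keeps the first value it reads and
# defaults to "yes", so a missing or commented-out line is a failure.
password_auth_disabled() {   # password_auth_disabled SSHD_CONFIG
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$v" = "no" ]
}

# Prints one finding per line; prints nothing when the setup is consistent.
audit_sftp_setup() {   # audit_sftp_setup PASSWD SHELLS SSHD_CONFIG SHELL
    if ! shell_listed "$2" "$4"; then
        for u in $(users_with_shell "$1" "$4"); do
            echo "user $u: shell $4 is not listed in $2"
        done
    fi
    password_auth_disabled "$3" || echo "$3: password logins are not disabled"
}

# Constructed sample input: one site user, a misspelled shells entry,
# and an sshd_config that never turns password logins off.
demo=$(mktemp -d)
printf 'web1:x:5004:5005::/var/www/example.test:/usr/lib/sftp-server\n' > "$demo/passwd"
printf '/bin/sh\n/usr/lib/stfp-server\n' > "$demo/shells"
printf '#PasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$demo/sshd_config"
audit_sftp_setup "$demo/passwd" "$demo/shells" "$demo/sshd_config" /usr/lib/sftp-server
rm -rf "$demo"
```

The config check only reads the global section of the file it is given; on the live host, `sshd -T` prints the daemon's effective settings.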

As an added bonus for users of ispconfig3, you can edit /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php and change the lines with /bin/false to /usr/lib/sftp-server: any new sites created will automatically be SFTP enabled. The SSH authorized_keys file and public key will still need to be manually copied into place, but one thing at a time.
