Create a SFTP user to access only one directory. [closed] - linux

I need to create a user which can only SFTP to a specific directory and take a copy of some information. That is it. I keep looking online and they bring up information about chroot and modifying the sshd_config.
So far I can just
add the user "useradd sftpexport"
create it without a home directory "-M"
set its login location "-d /u02/export/cdrs" (Where the information is stored)
not allow it to use ssh "-s /bin/false"
useradd sftpexport -M -d /u02/export/cdrs -s /bin/false
Can anyone suggest what I am meant to edit so the user can only log in and copy the file off?

I prefer to create a user group sftp and restrict users in that group to their home directory.
First, edit your /etc/ssh/sshd_config file and add this at the bottom.
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command).
Add a new sftp group, add your user to the group, restrict him from ssh access and define his home directory.
groupadd sftp
usermod username -g sftp
usermod username -s /bin/false
usermod username -d /home/username
Restart ssh:
sudo service ssh restart
If you are still experiencing problems, check that the directory permissions are correct on the home directory. Adjust the 755 value appropriately for your setup.
sudo chmod 755 /home/username
EDIT: Based on the details of your question, it looks like you are just missing the sshd_config portion. In your case, substitute sftp with sftpexport. Also be sure that the file permissions are accessible on the /u02/export/cdrs directory.
An even better setup (and there are even better setups than what I am about to propose) is to symlink the /u02/export/cdrs directory to the user home directory.

You may need to add a restricted shell so this user can put some files there. You can use the rssh tool for that.
usermod -s /usr/bin/rssh sftpexport
Enable allowed protocols in config /etc/rssh.conf.

Related

Permission denied when I copy letsencrypt folder using scp [closed]

I want to copy letsencrypt folder from my remote ec2 machine to my local folder.
So I run this command:
scp -i key.pem -r ubuntu@ec2-3-188-92-58.us-east-2.compute.amazonaws.com:/etc/letsencrypt my-letsencrypt
Some files are copied but other failed with this error Permission denied:
scp: /etc/letsencrypt/archive: Permission denied
scp: /etc/letsencrypt/keys: Permission denied
I want to avoid changing the ec2 file permissions.
What can I do to copy this folder to my local filesystem?
You are logging in with the account ubuntu on the server, but that account doesn't have the correct permission to read (and therefore copy) all the files. Most likely some of the files are owned by root and are not readable by others.
You can check the permission yourself with ls -l /etc/letsencrypt.
To copy the files anyway, here are two options:
1. Make a readable copy
On the remote server (logged in via SSH), you can make a copy of the folder and change the permissions of the files:
sudo cp -r /etc/letsencrypt ~/letsencrypt-copy
sudo chown -R ubuntu:ubuntu ~/letsencrypt-copy
Now you can copy the files from there:
scp -i key.pem -r ubuntu@ec2-3-188-92-58.us-east-2.compute.amazonaws.com:letsencrypt-copy my-letsencrypt
2. copy from root
If you have ssh access on the root account, then just copy using that account:
scp -i key.pem -r root@ec2-3-188-92-58.us-east-2.compute.amazonaws.com:/etc/letsencrypt my-letsencrypt
Here you need public read permission
- First SSH to your remote server ubuntu@ec2-3-188-92-58.us-east-2.compute.amazonaws.com
sudo su - (make sure you are the root user)
chmod -R 0744 /etc/letsencrypt
Now try to download with SCP again.
After the download, put the permissions back to 0700:
chmod -R 0700 /etc/letsencrypt
Check the file permissions for archive & keys. It should be 400. Just change to 600. After the change, try copying again.
chmod -R 600 ./archive ./keys
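The question explicitly wants to leave the permissions on the server alone, and none of the answers above manage that: each one either widens the modes on /etc/letsencrypt (which leaves private keys world-readable until you remember to revert) or leaves a second copy of the keys lying in a home directory. The script below is an added example, not from the thread, that avoids both: tar runs under sudo on the remote side, the archive is streamed over the ssh session, and the local tar extracts it with the original modes (-p), so nothing is chmod'ed on either end. It assumes the remote user has passwordless sudo (the default for the ubuntu account on EC2 Ubuntu images) and uses the key path and host from the question as placeholders. The second function checks the local half of that pipeline offline on a constructed tree shaped like letsencrypt's keys/ directory.

```sh
#!/bin/sh
# Pull a root-owned tree off a remote host without touching its permissions.
# Added example: copy_root_tree needs the remote host; tar_pipe_keeps_modes runs locally.

# copy_root_tree KEY USER@HOST REMOTE_DIR LOCAL_DIR
copy_root_tree() {
  key=$1; host=$2; remote_dir=$3; local_dir=$4
  mkdir -p "$local_dir"
  # -C on the remote side keeps member names relative (no leading "/");
  # -p locally restores the archived modes (e.g. 0600 keys) instead of applying the umask.
  ssh -i "$key" "$host" "sudo tar -C '$(dirname "$remote_dir")' -cf - '$(basename "$remote_dir")'" \
    | tar -C "$local_dir" -xpf -
}
# usage: copy_root_tree key.pem ubuntu@ec2-3-188-92-58.us-east-2.compute.amazonaws.com /etc/letsencrypt ./my-letsencrypt

# tar_pipe_keeps_modes: offline check that tar -cf - | tar -xpf - preserves a
# 0700 directory and a 0600 file (constructed sample, not real key material).
tar_pipe_keeps_modes() {
  src=$(mktemp -d); dst=$(mktemp -d)
  mkdir -m 700 "$src/keys"
  : > "$src/keys/privkey.pem"; chmod 600 "$src/keys/privkey.pem"
  (cd "$src" && tar -cf - keys) | tar -C "$dst" -xpf -
  ok=0
  [ -n "$(find "$dst/keys" -maxdepth 0 -type d -perm 700 -print)" ] &&
  [ -n "$(find "$dst/keys/privkey.pem" -perm 600 -print)" ] && ok=1
  rm -rf "$src" "$dst"
  [ "$ok" -eq 1 ]
}
```

The local copy is then owned by whoever ran the command but keeps the 0600/0700 modes, which is what you want for certificate keys on a workstation; if sudo on the remote side prompts for a password, the pipeline will hang because there is no terminal, so grant NOPASSWD for that one tar command or run the copy from an account that already has root.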

How to create user in linux by providing uid and gid options? [closed]

I have 2 linux machines. On one machine these are the users:
sysadmin2:x:4201:4200::/home/sysadmin2:/bin/bash
appadmin1:x:4100:4100::/home/appadmin1:/bin/bash
appadmin2:x:4101:4100::/home/appadmin2:/bin/bash
dataadmin1:x:4300:4300::/home/dataadmin1:/bin/bash
dataadmin2:x:4301:4300::/home/dataadmin2:/bin/bash
sysadmin1:x:4200:4200::/home/sysadmin1:/bin/bash
I want to replicate these to another machine. How can I create these users with same uid and gid values? Is there a way I can copy them to another machine?
First, create the group if it doesn't exist:
$ groupadd -g 4200 sysadmin2
Next, create the user and add it to the group:
$ useradd sysadmin2 -u 4201 -g 4200 -m -s /bin/bash
$ useradd appadmin1 -u 4100 -g 4100 -m -s /bin/bash
and don't forget to reset password for each user.
In summary and in general, you can use the useradd command to add users to a linux system. The -u flag allows you to set a specific user id and the -g flag allows you to set a specific group id. Please see useradd's manpage for more details -- on a terminal, type man useradd to see it.
Now, specifically about your problem, see below.
Assuming you have three groups on your original machine:
$ cat /etc/group
...
appadmins:x:4100:
sysadmins:x:4200:
dataadmins:x:4300:
...
On your destination/new machine, you should first create the groups using:
groupadd appadmins -g4100
groupadd sysadmins -g4200
groupadd dataadmins -g4300
Then, you can proceed to create the actual users like so:
useradd appadmin1 -u4100 -g4100 -d/home/appadmin1 -s/bin/bash -m
useradd appadmin2 -u4101 -g4100 -d/home/appadmin2 -s/bin/bash -m
useradd sysadmin1 -u4200 -g4200 -d/home/sysadmin1 -s/bin/bash -m
useradd sysadmin2 -u4201 -g4200 -d/home/sysadmin2 -s/bin/bash -m
useradd dataadmin1 -u4300 -g4300 -d/home/dataadmin1 -s/bin/bash -m
useradd dataadmin2 -u4301 -g4300 -d/home/dataadmin2 -s/bin/bash -m
The -d option is used to set the home directory, -m creates it, and the -s option is used to set the shell. Again, -u and -g are used to set a specific user and group id.
To check that everything went correctly, just use grep admin on your /etc/passwd file:
$ grep admin /etc/passwd
appadmin1:x:4100:4100::/home/appadmin1:/bin/bash
appadmin2:x:4101:4100::/home/appadmin2:/bin/bash
sysadmin1:x:4200:4200::/home/sysadmin1:/bin/bash
sysadmin2:x:4201:4200::/home/sysadmin2:/bin/bash
dataadmin1:x:4300:4300::/home/dataadmin1:/bin/bash
dataadmin2:x:4301:4300::/home/dataadmin2:/bin/bash
If something is wrong, you can use userdel or groupdel accordingly and start over.
The account configuration files can be shared by any Linux machine with the same privileges. You could make a copy to that machine to have the same user list with this command:
scp -p /etc/{passwd,shadow} root@your_machine_IP_address:/etc/
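The answers above show the useradd/groupadd commands for one set of accounts by hand; this added example (not from the thread) generates them from passwd- and group-format lines copied off the source host, which is the general form of the same procedure. Each generated command is guarded with getent/id so the script can be re-run, and, unlike the scp approach in the last answer, nothing overwrites the destination's own /etc/passwd and /etc/shadow (which would also replace its system accounts and any users that only exist there). The six users are the question's; the group names are the ones the second answer assumes.

```sh
#!/bin/sh
# Generate idempotent groupadd/useradd commands that recreate accounts with
# identical UIDs/GIDs on another host. Added example; sample data is constructed
# from the question (passwd lines) and the answer above (group names).
SAMPLE_PASSWD='sysadmin2:x:4201:4200::/home/sysadmin2:/bin/bash
appadmin1:x:4100:4100::/home/appadmin1:/bin/bash
appadmin2:x:4101:4100::/home/appadmin2:/bin/bash
dataadmin1:x:4300:4300::/home/dataadmin1:/bin/bash
dataadmin2:x:4301:4300::/home/dataadmin2:/bin/bash
sysadmin1:x:4200:4200::/home/sysadmin1:/bin/bash'
SAMPLE_GROUP='appadmins:x:4100:
sysadmins:x:4200:
dataadmins:x:4300:'

# group_name GID: name of the group with that GID in SAMPLE_GROUP (empty if none)
group_name() {
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# replication_script: print the commands to run as root on the destination host.
# Groups first, so every useradd -g refers to a group that already exists.
replication_script() {
  printf '%s\n' "$SAMPLE_GROUP" | while IFS=: read -r gname _pw gid _members; do
    printf 'getent group %s >/dev/null || groupadd -g %s %s\n' "$gname" "$gid" "$gname"
  done
  printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r name _pw uid gid _gecos home shell; do
    gname=$(group_name "$gid")
    [ -n "$gname" ] || { echo "no group for GID $gid (user $name)" >&2; continue; }
    # -m creates the home; the password stays locked until passwd is run, as the first answer notes
    printf 'id -u %s >/dev/null 2>&1 || useradd -u %s -g %s -d %s -s %s -m %s\n' \
      "$name" "$uid" "$gname" "$home" "$shell" "$name"
  done
}
# usage: replication_script > replicate.sh   # then review and run with sudo sh on the destination
```

Before running the output, check that none of the UIDs/GIDs are already taken by different names on the destination (`getent passwd 4201`, `getent group 4200`); useradd refuses a duplicate UID, but a GID that already belongs to another group name would silently put the users in that group.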

Command to change the default home directory of a user [closed]

I would like to know whether there is any simple shell command to change the user home directory in Linux/Unix (one similar to chsh which changes the default login shell of an existing valid user) without touching the /etc/passwd file. Thanks
Ibrahim's comment on the other answer is the correct way to alter an existing user's home directory.
Change the user's home directory:
usermod -d /newhome/username username
usermod is the command to edit an existing user.
-d (abbreviation for --home) will change the user's home directory.
Change the user's home directory + Move the contents of the user's current directory:
usermod -m -d /newhome/username username
-m (abbreviation for --move-home) will move the content from the user's current directory to the new directory.
From Linux Change Default User Home Directory While Adding A New User:
Simply open this file using a text editor, type:
vi /etc/default/useradd
The default home directory is defined by the HOME variable; find the line that reads as follows:
HOME=/home
Replace with:
HOME=/iscsi/user
Save and close the file. Now you can add a user using the regular useradd command:
# useradd vivek
# passwd vivek
Verify user information:
# finger vivek
The accepted answer is faulty, since the contents from the initial user folder are not moved using it. I am going to add another answer to correct it:
sudo usermod -d /newhome/username -m username
You don't need to create the folder with username and this will also move your files from the initial user folder to /newhome/username folder.
In case other readers look for information on the adduser command.
Edit /etc/adduser.conf
Set DHOME variable
You can do it with /etc/passwd:
Edit the user's home directory field in /etc/passwd and then move the required files and directories to it (the .bash* dotfiles, .bash_profile and .ssh/):
mv /home/$user/.bash* /home/$user/.ssh /home/newdir/
Set the correct ownership:
chown -R $user:$user /home/newdir/.bash* /home/newdir/.ssh
Found out that this breaks some applications, the better way to do it is
In addition to symlink, on more recent distros and filesystems, as root you can also use bind-mount:
mkdir /home/username
mount --bind --verbose /extra-home/username /home/username
This is useful for allowing access "through" the /home directory to subdirs via daemons that are otherwise configured to avoid pathing through symlinks (apache, ftpd, etc.).
You have to remember (or init script) to bind upon restarts, of course.
An example entry in /etc/fstab is
/extra-home/username /home/username none defaults,bind 0 0
usermod -m -d /newhome username
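The answers above agree that `usermod -m -d NEWHOME USER` is the command; what they leave out are the checks that make it safe to run on a live box. This added example (not from the thread) wraps it in a function that refuses to proceed when the account does not exist, when the account still has running processes (those keep the old directory open and will not see the move), when the destination's parent is missing, or when the destination already exists and would be clobbered, and then confirms the new path from the passwd database rather than trusting the exit status. The usermod step needs root; the checks do not.

```sh
#!/bin/sh
# move_home USER NEWHOME: relocate an account's home directory with the
# preconditions checked first. Added example; run as root.
move_home() {
  user=$1; newhome=$2
  getent passwd "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
  if pgrep -u "$user" >/dev/null 2>&1; then
    echo "$user still has running processes; log the account out first" >&2; return 1
  fi
  [ -d "$(dirname "$newhome")" ] || { echo "parent of $newhome does not exist" >&2; return 1; }
  [ ! -e "$newhome" ] || { echo "$newhome already exists; refusing to move onto it" >&2; return 1; }
  # -m moves the old contents (dotfiles, .ssh/ included); without it only the passwd entry changes
  usermod -m -d "$newhome" "$user" || return 1
  # verify: the 6th passwd field must now be the new location
  [ "$(getent passwd "$user" | cut -d: -f6)" = "$newhome" ]
}
# usage, as root:  move_home username /newhome/username
```

If the old location must keep working for daemons that were configured with the old path, follow up with the bind mount shown in the previous answer rather than a symlink, for the reason given there.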

ssh: User not allowed shell does not exist [closed]

Apache
CentOS 5
Plesk 10
New to the command line and ssh.
While trying to get several users (root, git, friend) to ssh to the same shell and configuring a passwordless connection I must have made a mistake.
I can no longer log in over ssh as root or git but can as friend, whose shell I transferred by editing etc/passwd.
I luckily can still login on plesk so gui file editing is possible.
here's what I found in my sshd errorlog
sshd[11999]: User git not allowed because shell /bin/bash\r does not exist
sshd[12000]: input_userauth_request: invalid user git
sshd[11999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.dynamic.upc.nl user=git
sshd[11999]: Failed password for invalid user git from xxx.xxx.xxx port 54851 ssh2
I read something about sudo-ing and incidentally entering: causing the \r
But where to restore?
Here are some configurations
etc/ssh/sshd_config :
PubkeyAuthentication yes
etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/false
/usr/local/psa/bin/chrootsh
/bin/rbash
etc/passwd
git:x:10009:10009::/home/git:/bin/bash
friend:x:10010:10010::/home/git:/bin/bash
Earlier I tried to set up passwordless connecting,
so there is a .ssh/id_rsa file somewhere on the server and on my local machine.
After reading Git's famous "ERROR: Permission to .git denied to user"
I tried
ssh-add -l
Could not open a connection to your authentication agent
My problem resembles this:
https://serverfault.com/questions/480806/ssh-root-access-denied-after-changing-shell
If I am logged in over ssh as friend I cannot sudo to root:
sudo root
friend is not in the sudoers file
nor can I chsh
[friend@vpsXXX ~]$ chsh -s /bin/bash root
chsh: Running UID doesn't match UID of user we're altering, shell change denied
Hope someone can clear this up for me.
Happy to supply more info if needed
/bin/bash\r
means that you've edited /etc/passwd or /etc/shells with a Windows editor, as it contains Windows line endings \r\n. Linux interprets only the \n and assumes that the remaining \r is part of the binary name.
Solution: Open the files in a Linux editor, remove the line ending and add it again.
Also you could install the package tofrodos and execute:
fromdos /etc/passwd
fromdos /etc/shells
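The answer names the cause; these helpers, added here as an example and not part of the thread, find the damage and repair it without tofrodos. `crlf_lines` lists the lines that end in a carriage return, `missing_shells` applies the same test sshd does (does the shell field name an existing executable?) to a passwd-format file, and `strip_cr` removes the CRs by writing back through the existing file rather than replacing it, so /etc/passwd keeps its owner, mode and inode. The sample passwd line is constructed after the one in the question, with /bin/sh in place of /bin/bash so it runs on any system.

```sh
#!/bin/sh
# Detect and strip stray CRs in passwd-style files. Added example; run strip_cr
# on /etc/passwd and /etc/shells as root (it needs write access to them).

# crlf_lines FILE: print line numbers and text of lines ending in CR; exit 1 if none
crlf_lines() {
  grep -n "$(printf '\r')"'$' "$1"
}

# missing_shells PASSWD_FILE: print "name<TAB>shell" for every account whose
# login shell is not an existing executable, which is what sshd rejects
missing_shells() {
  while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
    [ -x "$shell" ] || printf '%s\t%s\n' "$name" "$shell"
  done < "$1"
}

# strip_cr FILE: delete every CR, writing back in place (same inode, owner, mode)
strip_cr() {
  f=$1; tmp=$(mktemp)
  tr -d '\r' < "$f" > "$tmp" && cat "$tmp" > "$f"; rc=$?
  rm -f "$tmp"
  return $rc
}
# usage, as root:  crlf_lines /etc/passwd; strip_cr /etc/passwd; strip_cr /etc/shells
#                  missing_shells /etc/passwd   # should print nothing afterwards
```

Since the question's author can only reach the box as friend (no sudo, no root ssh), the repair itself has to be done from the Plesk file manager or a console; once /etc/passwd is clean, `missing_shells /etc/passwd` is the quick way to confirm that git and root are back to a shell that exists.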

Linux files ownership and permissions [closed]

I have a Linux VPS and a few accounts there. I used SSH with root logins to copy files from one account to another (e.g. in this folder /home/firstacc/public_html/forum I typed cp -R * /home/secondacc/public_html/community).
Now when I use regular FTP to edit files on secondacc I can't modify them; SmartFTP says permission denied. Now how do I change ownership or permissions so they can be edited via regular FTP?
use chmod to set the permissions (but be careful not to allow any wild process to modify your files) and chown/chgrp to change ownership/group-membership of your file.
ideally you would create a group (i call it 'fancyhomepage') where both users are members thereof:
# addgroup fancyhomepage
# adduser firstacc fancyhomepage
# adduser secondacc fancyhomepage
then make sure that all files you want to share belong to this group and are group-writeable:
$ chgrp -R fancyhomepage /home/secondacc/public_html/community/
$ chmod -R g+rwX /home/secondacc/public_html/community/
$ chown -R <user>:<org> on the directory changes the permissions for everything in the directory and below.
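The chgrp/chmod pair in the answer above fixes the files that exist today; the next file the forum or an FTP upload creates gets the creator's primary group and the creator's umask, and the "permission denied" comes back. This added example (not from the thread) does the same steps and additionally sets the setgid bit on every directory so new files inherit the shared group, and provides an audit function that lists anything under the tree that is still not shared. The setgid bit covers group inheritance only; for new files to come out group-writable the writing process also needs a 002 umask (a setting in the FTP daemon or the account's shell profile, which is outside this script). Creating the group needs root; the rest needs only ownership of the tree.

```sh
#!/bin/sh
# Shared, group-writable web tree with setgid directories. Added example.

# share_tree GROUP DIR: hand DIR to GROUP, make it group-writable, and mark
# every directory setgid so files created later inherit GROUP.
share_tree() {
  group=$1; dir=$2
  chgrp -R "$group" "$dir" || return 1
  chmod -R g+rwX "$dir" || return 1        # X: execute bit only on dirs and already-executable files
  find "$dir" -type d -exec chmod g+s {} +
}

# unshared_paths GROUP DIR: print paths under DIR that are not owned by GROUP,
# not group-writable, or (directories) missing setgid. No output means done.
unshared_paths() {
  group=$1; dir=$2
  find "$dir" \( ! -group "$group" -o ! -perm -020 -o \( -type d ! -perm -2000 \) \) -print
}
# usage:  share_tree fancyhomepage /home/secondacc/public_html/community
#         unshared_paths fancyhomepage /home/secondacc/public_html/community
```

Run `unshared_paths` again after a few uploads; if new files show up in its output the umask of the uploading process is the remaining piece to fix.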
