How do I set up an sftp user to login with a password to an EC2 ubuntu server?

I have an Ubuntu Server running on an EC2 instance. To log in to that server I use a certificate file without any password.

I've installed and configured vsftpd and created a user (let's call him "testuser") for which I've set a /bin/false ssh terminal so it will only be able to connect via sftp and upload/access files on his home directory.

However - when I try to connect to the server from my computer, running

sftp testuser@my-ec2-server

I get

Permission denied (publickey).
Connection closed

messages so I can't log in.

How can I remove the certificate requirement for this user only (meaning, the "ubuntu" user will still have to use the certificate file to log in via ssh), so normal sftp clients will be able to connect using a username and a password?

Thank you.

PS Using Ubuntu Server 10.10 official AMI from canonical, 64bit on a micro instance.


In order to accomplish what you wish, you need to do two different things:

  1. Change sshd config to accept passwords

I shall say first of all that it's a bad idea to do this; I would rather generate a certificate for your user than activate passwords. Nonetheless, if you want to do so, just edit /etc/ssh/sshd_config and change or uncomment the line so it shows PasswordAuthentication yes. Once that is done, restart sshd: service ssh restart

  2. Let users just FTP using sftp and not have shell

In order to accomplish that you need to install rsh (restricted shell) and change the user's shell to it: chsh username


Here is a step by step guide to allow:

  1. SFTP access to /home/bob/uploads for user bob
  2. Lock bob out of SSH
  3. Use username/passwords rather than keys:

First, edit your /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

Scroll down and modify:

PasswordAuthentication yes

and add this at the bottom:

Match Group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Press Ctrl-X to exit and save.

Now add the user:

sudo useradd bob
sudo passwd bob

Now add the groups and disable ssh:

sudo groupadd sftpusers
sudo usermod -g sftpusers bob
sudo usermod -s /usr/bin/rssh bob
sudo usermod -d /home/bob bob

Now set permissions:

sudo chown root:root /home/bob/
sudo chmod 755 /home/bob/
sudo mkdir /home/bob/uploads
sudo chown bob /home/bob/uploads

sudo service sshd restart

All this is while logged in as a root user (ec2-user on Amazon Linux AMIs).
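
Added example, not part of either answer above: the question asks for password login for the SFTP user only, and sshd_config accepts PasswordAuthentication inside a Match block, so it can stay off globally. The Python sketch below uses a constructed config and a simplified Match evaluator (the function names and the account-to-group assignments are assumptions of this example) to check which account ends up with password login.

```python
# Constructed sshd_config (not from the page): passwords stay off globally and
# are enabled only inside the answer's Match block.
SAMPLE_CONFIG = """\
PasswordAuthentication no

Match Group sftpusers
    PasswordAuthentication yes
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def effective_settings(config_text, user, groups):
    """Resolve sshd keywords for one account (simplified model: literal,
    comma-separated User/Group criteria only; no patterns or negation)."""
    global_opts, match_opts = {}, {}
    applies, in_match = True, False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            words = value.split()
            in_match, applies = True, len(words) >= 2 and len(words) % 2 == 0
            for crit, pattern in zip(words[0::2], words[1::2]):
                names = set(pattern.split(","))
                if crit.lower() == "user":
                    applies = applies and user in names
                elif crit.lower() == "group":
                    applies = applies and bool(names & set(groups))
                else:
                    applies = False  # unsupported criterion: treat as no match
        elif applies:
            # First value seen wins; values from matching blocks override globals.
            (match_opts if in_match else global_opts).setdefault(key, value)
    return {**global_opts, **match_opts}

def audit(config_text):
    """Check the thread's two accounts: ubuntu (keys only) and bob (SFTP only)."""
    admin = effective_settings(config_text, "ubuntu", ["ubuntu"])
    sftp = effective_settings(config_text, "bob", ["sftpusers"])
    return {
        "admin_password_login": admin.get("passwordauthentication", "yes") == "yes",
        "sftp_password_login": sftp.get("passwordauthentication", "yes") == "yes",
        "sftp_confined": sftp.get("forcecommand") == "internal-sftp"
        and "chrootdirectory" in sftp,
    }
```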