ssh

passwordless ssh access

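Create a new key. Choose the default file location when prompted. Press Enter when prompted for a passphrase to leave it empty; the private key is then stored unencrypted, so anyone who can read the file can use it.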

ssh-keygen -t ed25519

The command will create two files.

.ssh/id_ed25519
.ssh/id_ed25519.pub

Copy the public key (id_ed25519.pub) to the remote server.

ssh-copy-id -i .ssh/id_ed25519.pub -p 22 [email protected]

tail -f on a remote server

ssh [email protected] "tail -f /var/log/messages"

Reference: ianneubert.com

block ssh for a user or a group

block a user:

# /etc/ssh/sshd_config
DenyUsers user1 user2 user3

block a group:

# /etc/ssh/sshd_config
DenyGroups group1 group2 group3

save the file, and restart the daemon

sudo service ssh restart

sftp jail

If you have already configured an FTP server to restrict users to their own home directory, you can do the same with SFTP, and also prevent those users from accessing the server via SSH.

configure openssh server

add or edit this item in /etc/ssh/sshd_config

Subsystem sftp internal-sftp

add this to the end of the same file

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

restart openssh

service ssh restart

modify user accounts

create a system group, which will be used by all users that can access the server only via SFTP.

addgroup --system filetransfer

modify the user accounts to restrict their access to sftp only. these commands need to be run for each user account that is created. note that usermod -G without -a replaces the user's existing supplementary groups.

usermod -G filetransfer the_user
chown root:root /home/the_user
chmod 755 /home/the_user

user accounts that can access the server via ssh should not be changed, nor should they be added to the filetransfer group.

once this is done, it is necessary to create a directory within each user's home. this directory is where the user will normally place their files.

cd /home/the_user
mkdir public_html
chown the_user:filetransfer *

with these settings, users will be able to access the server via sftp and add/remove files in the public_html directory, but they will not be able to add files elsewhere, nor access the server via ssh.
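the chown root:root and chmod 755 steps above matter because sshd checks at session start that every component of the ChrootDirectory path is a root-owned directory not writable by group or others, and refuses the session otherwise. the script below is an added example, not from the original page, that audits a home directory against that rule. it assumes GNU stat (Debian/Ubuntu) and checks the resolved physical path; the function names and the optional OWNER_UID / STOP arguments are hypothetical.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against sshd's ownership rule.
# Assumes GNU stat (Debian/Ubuntu). Function names and the optional
# OWNER_UID / STOP arguments are hypothetical, not part of OpenSSH.

# dir_is_safe DIR OWNER_UID
# Succeeds if DIR is a directory owned by OWNER_UID and not writable
# by group or others.
dir_is_safe() {
    dir=$1 want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    set -- $(stat -c '%u %a' "$dir")      # $1 = owner uid, $2 = octal mode
    uid=$1 mode=$2 perm=$((0$2))
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    if [ $((perm & 022)) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or other-writable"; return 1
    fi
    echo "ok   $dir"
}

# check_chroot_path DIR [OWNER_UID] [STOP]
# Checks DIR and each parent up to STOP (default /). OWNER_UID defaults to
# 0 (root), which is what sshd requires; the overrides exist for testing.
check_chroot_path() {
    path=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: cannot enter"; return 1; }
    owner=${2:-0}
    stop=$(cd "${3:-/}" 2>/dev/null && pwd -P) || stop=/
    rc=0
    while :; do
        dir_is_safe "$path" "$owner" || rc=1
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then break; fi
        path=$(dirname "$path")
    done
    return "$rc"
}

# Usage (as root): sh check_chroot.sh /home/the_user
if [ $# -gt 0 ]; then check_chroot_path "$@"; fi
```

a FAIL line for /home/the_user or any parent means sftp logins for that user will be rejected until ownership or mode is corrected.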

reference: Limiting Access with SFTP Jails on Debian and Ubuntu