How to install public key for specific domain?

I want to give some developers access to specific domains, e.g.,

/home/some domain

by installing their public key, but only for that domain. Virtualmin has no .ssh/authorized-keys set for virtual servers.

Can we do this? I want them only to have access to that one domain/directory.

I created a key pair, and put the public key into a file called authorized_keys, in their domain directory:

/home/example.com/.ssh/authorized_keys

I have SSHD enabled, but password access turned OFF in /etc/ssh/sshd_config

ServerKeyBits 4096
PermitRootLogin no
PasswordAuthentication no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp internal-sftp -f AUTH -l VERBOSE
UsePAM no
UseDNS no

Boom. They have SFTP access (or SSH shell, depending on their shell).

You can change their default shell using vipw or chsh:
– If you want them to have shell access, use /bin/bash
– If you want them to have only SFTP access, use /bin/false
– A control panel only user would have the /dev/null shell
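
With the `StrictModes yes` setting shown in the config above, sshd silently ignores an authorized_keys file if the file, the .ssh directory or the home directory is group- or world-writable, or is owned by someone other than the account or root. The following is an added example, not part of the original post, that checks those conditions for one virtual server home; the function name `check_key_perms` is hypothetical.

```shell
#!/bin/sh
# Added example: report conditions under which sshd with "StrictModes yes"
# would refuse to use an authorized_keys file.
# Usage: check_key_perms HOME_DIR USER   (USER may be a name or a numeric uid)

check_key_perms() {
    home=$1
    user=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        # Owner must be the account itself or root.
        if [ -z "$(find "$p" -prune \( -user "$user" -o -user root \) 2>/dev/null)" ]; then
            echo "OWNER    $p is not owned by $user or root"
            rc=1
        fi
        # Neither the group-write nor the world-write bit may be set.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $p is group- or world-writable"
            rc=1
        fi
    done
    return $rc
}

# Run directly, e.g.: sh check_keys.sh /home/example.com example
if [ $# -eq 2 ]; then
    check_key_perms "$1" "$2"
fi
```

A non-zero exit status means at least one path would cause the key to be rejected; a typical fix is `chmod 700` on .ssh and `chmod 600` on authorized_keys.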

Thanks for the guidance… that plus a little homework on the net about generating keys and I was able to get it to work…

I tested by making my own keys on my Mac and added them to the server… in /home/devdomain/.ssh/authorized_keys. It worked!

This is all new to me… but I like it… no passwords flying across the wires.

Thanks. Very useful knowledge… I think this will make me brave enough to use rsync for mirrors of the web server to our local OSX server here, instead of an FTP client running on a schedule “auto download sync” which is so full of bugs and always gives me problems…

Further musings:

You can see up the directory tree above, but everything is unreadable… because you can only log in as the user for the site. I remember some discussions earlier about JailKit et al., but that was a snakepit; I’m not sure Joe ever got any tools added to lock users into a single domain and not allow them to see “up and out” of their home virtual server home directory.

I’ve not had success with any “jail” options… for encrypted FTP (aka FTPS, FTPeS) see:

http://www.virtualmin.com/node/29262