4.3. Use cases¶
To configure MySecureShell, you need to edit the /etc/ssh/sftp_config
file. By default MySecureShell comes with a commented example configuration. This may not match all your needs and you will need to modify it to get it working as expected.
Note
Connect as root or use sudo to edit the configuration file.
To help you to understand and see what you can do with MySecureShell, we’re covering here some use cases.
4.3.1. Basic usage¶
In most of basic situations, you generally want:
- A defined home directory for a user and a set of user (group)
- Limit the bandwidth for the group (users)
- Restrict group to it’s home directory
- Have an admin user
Here is a configuration with commented examples:
<Default>
# For all users, they will have access to their own home directory
Home /home/$USER
</Default>
<User admin>
# This user can have advanced rights to manage MySecureShell from the CLI
IsAdmin true
</User>
<Group users>
# Force users to stay in their home directory
StayAtHome true
# Limit their download speed to 128k
Download 128k
# Limit their upload speed to 16k
Upload 16k
</Group>
4.3.2. Administering multiple websites¶
For this use case, let’s say you have multiple hosted clients and you have to manage their platforms. You want to:
- Give your clients full rights to manage their website content
- Limit the bandwidth
- Force rights creation
- Limit the number of connexions and idle time
- Restrict their rights on files and folders
Here is a typical configuration:
<Default>
# For all users, they will have access to their own home directory
Home /home/$USER
# Force users to stay in their home directory
VirtualChroot true
# Set global download for the server to 100m
GlobalDownload 100m
# Set global upload for the server to 100m
GlobalUpload 100m
# Limit user download speed to 1m
Download 1m
# Limit user upload speed to 1m
Upload 1m
# Limit 6 users per IP
LimitConnectionByIP 6
# We limit a user up to 2 simultaneous connections
LimitConnectionByUser 2
# We do not want users to keep forever their idle connection
IdleTimeOut 10m
# Force user and group to apache daemon username
# to avoid rights issues
ForceUser www-data
ForceGroup www-data
# We do not want users to be able to set execution files
MaximumRights 0640 0750
# We do not want users to be able to change file attributes
DisableSetAttribute true
</Default>
<VirtualHost www.example.com>
# Set home directory for this virtualhost
Home /var/www/sites/www.example.com
# Set dedicated log file
LogFile /var/log/sftp/www.example.com
</VirtualHost>
<VirtualHost www.exemple.fr>
# Set home directory for this virtualhost
Home /var/www/sites/www.exemple.fr
# Set dedicated log file
LogFile /var/log/sftp/www.example.com
# Override the maximum number of connection per user
LimitConnectionByUser 4
</VirtualHost>
We can see here 2 different VirtualHost which have their own home directory and logs file. They both inherit their configuration from the Default
parent tag. However www.exemple.fr virtual host has a different configuration for the maximum of simultaneous connected users.
4.3.3. High restriction access¶
In a very strict situations, you may want to:
- Restrict your user access to the minimum allowed files (images and pdf only)
- Deny any changes on those files (read only)
- Allow adding new files but in a specific folder (upload)
- Limit to 1 connection per user maximum
- Limit the bandwidth
Let’s say the Home folder contents looks like this:
drwxr-xr-x 2 user group 40 Aug 21 07:14 Download
drwxrwxrwx 2 user group 40 Aug 21 07:14 Upload
In the Download folder, read only files and folders will be present while in the Upload folder, users will be able to upload anything. Here is what it should looks like:
<Default>
# For all users, they will have access to their own home directory
Home /home/sftp
# Force users to stay in their home directory
VirtualChroot true
# Set global download for the server to 100m
GlobalDownload 100m
# Set global upload for the server to 100m
GlobalUpload 100m
# Limit user download speed to 10m
Download 10m
# Limit user upload speed to 10m
Upload 10m
# Deny user simultaneous connections
LimitConnectionByUser 1
# We do not want users to keep forever their idle connection
IdleTimeOut 5m
# We do not want users to be able to modify files once uploaded
ForceRights 0440 0550
# To be sure they do not have the permission to delete
DisableRemoveFile true
DisableOverwrite true
# We do not want users to be able to change file attributes
DisableSetAttribute true
# Apply filters
ApplyFileSpec AllowedExtensions
</Default>
<FileSpec AllowedExtensions>
# Only check against filenames/folder names only
UseFullPath false
# we can use multiple deny/allow directives for clarity
Order AllowDeny
# Only allow images and pdf extensions
Allow ".*.(jpg|jpeg|png|gif|raw|psd|pdf)$"
# Deny anything else
Deny all
</FileSpec>