VanDyke Software

VShell® Server


I need different users to have access to different directories, but no one should have access to other people's directories.

To better control access to directories on your server via SFTP, you can use VShell's SFTP virtual directory feature (VShell® version 2.3 and greater). This feature allows you to specify virtual directories on your server and grant access only to specified users and groups.

To set up SFTP virtual directories, follow these steps:

  1. Divide your system's users into logical groups. Your system may already have user groups that you can use or you can create new groups. For the purpose of this explanation, we'll use the following example groups.
    • Developers
    • Accounting
    • Sales
    • TechSupport
  2. Determine the access needs of your users and groups.

    In our example, members of each group share a common area, and only members of that group should be able to see it. Example user Danny is a member of both Developers and TechSupport, but when connecting via SFTP he should only have access to TechSupport files. Kirk is also a member of Developers and TechSupport, but he should see the files of both groups. Ken is an admin and should be able to see the file system as it really is. Each user should be able to access the files in their own home directory, but no one else should see these files.


  3. Open the vshelld_config file and add the SFTP access configuration. For each virtual directory, you can allow or deny access (a deny takes precedence over allows). You can also use * to denote everyone. The configuration for our example would be written as follows:
    SFTPVirtualDirectories{

        Unrestricted{
            AllowUsers { Ken }
        }

        Alias "home"{
            Directory "$USER"
            AllowUsers { * }
        }

        Alias "Development"{
            Directory "/home/dev"
            AllowGroups { Developers }
            DenyUsers { Danny }
        }

        Alias "Accounting"{
            Directory "/home/accounting"
            AllowGroups { Accounting }
        }

        Alias "TechSupport"{
            Directory "/home/TechSupport"
            AllowGroups { TechSupport }
        }
    }
    

    Now, when Ken logs in via SFTP, he will see the file system as it really is because he has unrestricted access. Members of the Developers group, except for Danny, will see the following file system when they log in via SFTP:

    /
        home/
        Development/
    

    In the above file system, the "home" directory that each user sees on screen is in reality that user's home directory (wherever it really is), and /Development refers to /home/dev. For instance, Kirk will see:

    /
        home/
        Development/
        TechSupport/
    

    Similarly, other groups will see only /home and their appropriate group files.
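
The allow/deny evaluation described in step 3 can be checked against the intended views before the configuration is deployed. The following is an added example that models those rules; it is not VanDyke's code and does not parse vshelld_config. The user Alice, the dictionary keys, and the function names are assumptions made for illustration.

```python
# Model of the example rules on this page (AllowUsers, AllowGroups, DenyUsers).
# This is an illustrative model, not VShell's own evaluation code.
RULES = {
    "home":        {"allow_users": {"*"}},
    "Development": {"allow_groups": {"Developers"}, "deny_users": {"Danny"}},
    "Accounting":  {"allow_groups": {"Accounting"}},
    "TechSupport": {"allow_groups": {"TechSupport"}},
}
UNRESTRICTED_USERS = {"Ken"}

# Group membership from the page's scenario; Alice is a constructed user.
MEMBERS = {
    "Danny": {"Developers", "TechSupport"},
    "Kirk":  {"Developers", "TechSupport"},
    "Ken":   set(),
    "Alice": {"Accounting"},
}


def _named(user, user_list):
    """True if the user is listed; '*' in a user list means everyone."""
    return "*" in user_list or user in user_list


def visible_aliases(user):
    """Return the aliases a user would see, or None for the real file system."""
    if user in UNRESTRICTED_USERS:
        return None
    groups = MEMBERS.get(user, set())
    seen = []
    for alias, rule in RULES.items():
        allowed = (_named(user, rule.get("allow_users", set()))
                   or bool(groups & rule.get("allow_groups", set())))
        denied = _named(user, rule.get("deny_users", set()))
        if allowed and not denied:   # a deny takes precedence over allows
            seen.append(alias)
    return seen


def audit(expected):
    """Compare intended views with computed ones; return only the mismatches."""
    return {user: visible_aliases(user) for user, want in expected.items()
            if visible_aliases(user) != want}
```

An empty result from `audit` means every listed user's computed view matches the intended one; any entry returned is a user whose access differs from what was planned.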

Using SFTP virtual directories allows you to tailor the files that are visible to any given user to exactly the set of files they need to get their work done, thereby increasing the security of your data.

To further restrict access and use of your server, you can also implement access control lists (ACLs), connection filters, and port-forwarding filters. More information on these and on SFTPVirtualDirectories can be found in the vshelld_config (5) man page.

