Hosting for friend's website.

If I wanted to host a website for a friend, how should I go about this?

If he were to have access via something like FTP, perhaps like a regular web host, how should I do this?

Should I create a new user on my linode and have the user's home directory be where they host their site? Connecting via FTP?

I'm new to linode and am running Ubuntu 10.04 LTS.

12 Replies

@groffcole:

> Should I create a new user on my linode and have the user's home directory be where they host their site?

Yes, that's exactly what you should do.

@groffcole:

> Connecting via FTP?

You could do that with proftpd or vsftpd, but FTP is generally considered insecure because the username and password are transmitted in plain text. Instead, give your friend an SSH account that is jailed to his/her home directory. (Google for "ssh jail home directory".) SSH includes SFTP, which is much more secure than FTP, and your friend can use it just like good old FTP.

That makes sense. Most FTP clients allow connecting via SFTP…

And, before looking at this SSH jail stuff, I'm assuming this means that the user won't be able to go exploring around the system? It locks, or "jails," them to their home directory?

Thanks!

Yes, we have a tutorial if you need a starting point as well:

http://library.linode.com/security/sftp-jails

Thank you. The Google search led me right there.

A couple other questions:

1) Is there a way to allow the user to set their own password?

2) Is there any software that would allow a user some sort of web interface for this sort of thing?

This seems to have made it so I cannot log in on the account I put in the sudoers file. And I also cannot log in via sftp with the account I set up for sftp.

Hrmm… now I cannot log in to my linode.

Edit:

More info:

I have root ssh access turned off, and I've turned off password authentication to use SSH keys instead. My user account, which I created and added to the sudoers file, is unable to log in via a terminal at the moment. Also, I can't seem to log in with the account I made for my friend (via sftp).

Is there something I did incorrectly? I followed the Linode guide.

Thanks.

It sounds like all users were added to the jailed sftp-group ('filetransfer' in the guide) instead of just the intended user (or something to that effect)

Can you log in via lish?

Yes, I can log in via lish.

Could you post your /etc/ssh/sshd_config file, please?

sshd_config:

```
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM ye

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```

Also, I seem to be having an issue restarting my ssh via /etc/init.d/ssh restart. This is the output when I run that command:

```
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service ssh restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the restart(8) utility, e.g. restart ssh
ssh start/running, process 15959
```

When I run service ssh restart, I get this:

```
restart: Unknown instance:
```

Also, connecting via ssh and the mac terminal, I get this:

```
ssh: connect to host colegroff.com port 22: Connection refused
```

I am now able to log in via ssh and my terminal. I somehow screwed up a part of the sshd_config file:

```
UsePAM ye
```

This line said "ye" instead of "yes". So now I can log in all right. I'm going to check out the other issues later tonight.
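An added example, not code from this thread or from Linode: a shell script that validates a candidate `sshd_config` before sshd is restarted, so that a typo like `UsePAM ye` is caught while you still have a working session. The cheap pre-check needs only `awk`; the authoritative one is OpenSSH's own `sshd -t`, which parses the file and exits non-zero on the first error. It assumes `sshd` at `/usr/sbin/sshd` (override with `SSHD_BIN`, and run it as root so the host keys are readable) and Ubuntu 10.04's Upstart job named `ssh`; the keyword list in the pre-check is my own selection of yes/no directives, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): validate a candidate sshd_config before
# restarting sshd. Assumes awk, OpenSSH's sshd at /usr/sbin/sshd (or $SSHD_BIN),
# and the Upstart job 'ssh' on Ubuntu 10.04.

# Cheap pre-check that needs no sshd: keywords that only take yes/no must carry
# exactly one of those values. Prints each offending line; returns 1 if any.
yesno_keywords_ok() {
  awk '
    BEGIN {
      n = split("usepam passwordauthentication pubkeyauthentication " \
                "permitemptypasswords challengeresponseauthentication " \
                "x11forwarding allowtcpforwarding strictmodes ignorerhosts", a, " ")
      for (i = 1; i <= n; i++) yn[a[i]] = 1
    }
    /^[ \t]*#/ { next }                      # comment
    /^[ \t]*$/ { next }                      # blank line
    {
      k = tolower($1); v = tolower($2)
      if ((k in yn) && v != "yes" && v != "no") {
        printf("%s:%d: %s %s is not yes/no\n", FILENAME, NR, $1, $2)
        bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# The authoritative check: sshd parses the file and reports the first error
# without starting the daemon. Returns sshd's exit status, or 2 if no sshd.
sshd_config_ok() {
  sshd_bin=${SSHD_BIN:-/usr/sbin/sshd}
  [ -x "$sshd_bin" ] || { echo "no sshd at $sshd_bin" >&2; return 2; }
  "$sshd_bin" -t -f "$1"
}

# Apply a validated config. When sshd is already dead (as after a bad config),
# Upstart answers "service ssh restart" with "restart: Unknown instance:", so
# fall back to start. Keep a Lish console open while doing this.
apply_sshd_config() {
  cfg=${1:-/etc/ssh/sshd_config}
  yesno_keywords_ok "$cfg" || return 1
  sshd_config_ok "$cfg" || return 1
  service ssh restart 2>/dev/null || service ssh start
}

# Usage: sudo sh check_sshd_config.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
  apply_sshd_config "$1"
fi
```

The pre-check is deliberately narrow: it only knows a handful of yes/no keywords and does not understand `Match` scoping, so treat it as a quick typo filter and let `sshd -t` have the final word. Note also that sshd takes the first occurrence of a keyword; in the config above, `PasswordAuthentication no` only takes effect because the preceding `PasswordAuthentication yes` is commented out.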

@groffcole:

> Thank you. The Google search led me right there.
>
> A couple other questions:
>
> 1) Is there a way to allow the user to set their own password?
>
> 2) Is there any software that would allow a user some sort of web interface for this sort of thing?

Have a look at Virtualmin GPL, as I believe it may be what you're looking for and is free.

FWIW I'm running it and it works great on linode.
