chroot sftp with OpenSSH
Posted: May 24, 2016 Filed under: Linux
Overview
This describes configuring an OpenBSD server specifically, but the sshd_config settings should work on any distribution running OpenSSH.
The result is users with sftp-only access: on login they are jailed into their home directory and have write access only to a subdirectory within it.
Requirements
A recent version of OpenBSD, or a Linux distribution running openssh-server
/etc/ssh/sshd_config
Add the following to your /etc/ssh/sshd_config file:
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
# sftp configuration: the in-process sftp server needs no binaries or libraries inside the chroot
Subsystem sftp internal-sftp
# a Match block applies until the next Match or end of file, so keep it at the end of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes
jail directory and user configuration
A quick and dirty bash script to configure the user directories.
#!/bin/bash
set -e
SFTPUSER=<username>
SFTPDIR=/sftp_jail
# the Match block in sshd_config keys on this group; create it if it does not exist yet
getent group sftponly >/dev/null || groupadd sftponly
useradd -d "$SFTPDIR/$SFTPUSER" -s /sbin/nologin -g sftponly "$SFTPUSER"
mkdir -p "$SFTPDIR/$SFTPUSER/upload"
# the chroot directory and every parent must be owned by root and not group/world writable,
# otherwise sshd refuses the login
chown root:sftponly "$SFTPDIR"
chmod 700 "$SFTPDIR"
chown root:sftponly "$SFTPDIR/$SFTPUSER"
chmod 750 "$SFTPDIR/$SFTPUSER"
# only the upload subdirectory is owned, and therefore writable, by the user
chown "$SFTPUSER:nobody" "$SFTPDIR/$SFTPUSER/upload"
chmod 700 "$SFTPDIR/$SFTPUSER/upload"
# PasswordAuthentication is enabled for this group, so the account needs a password
passwd "$SFTPUSER"
Notes
- Users will not be allowed to write to their home directory, but they will be allowed to write to the 'upload' subdirectory.
- Users will have read-only access to their home directory.
- Restart the sshd server after making any changes to /etc/ssh/sshd_config.