Saturday, January 26, 2013

Chrooted SFTP

This will chroot (restrict)
all sftp users to their home directory

on your SFTP server type

group add sftpusers

vim /etc/ssh/sshd-config

comment out

#Subsystem       sftp    /usr/libexec/openssh/sftp-server


Subsystem       sftp    internal-sftp

You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp

Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
ChrootDirectory /sftp/%h – This is the path that will be used for chroot after the user is authenticated. %h indicates the users home directory. So, for john, this will be /home/john.
ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.

next either add new users to your system or you can add existing users to the system

user add john mary clive

Add all sftp users to the sftp group by editing your 
/etc/group file  


Make sure users cannot login using ssh, do this by editing /etc/passwd
vim /etc/passwd
and changing /bin/bash to /bin/nologin of each SFTP user
chmod -R 755 /home/john

then you must set the following ownership to the users home directory

chown -R root:sftpusers /home/john

restart sshd
/etc/init.d/sshd restart

you can now sftp into your server and the sftp users will be restricted to their /home folder only.


No comments: