Saturday, January 26, 2013

Chrooted SFTP

This will chroot (restrict) all SFTP users to their own home directory.

On your SFTP server, create the group:

groupadd sftpusers

vim /etc/ssh/sshd_config

comment out

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

add

Subsystem       sftp    internal-sftp


You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config:

Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp

Match Group sftpusers – This indicates that the following lines will apply only to users who belong to the group sftpusers.
ChrootDirectory %h – This is the path that will be used for the chroot after the user is authenticated. %h indicates the user's home directory. So, for john, this will be /home/john.
ForceCommand internal-sftp – This forces the execution of internal-sftp and ignores any commands that are mentioned in the ~/.ssh/rc file.

Next, either create new users or use existing users on the system. useradd takes one user at a time, so loop over the names:

for u in john mary clive; do useradd "$u"; done

Add all SFTP users to the sftpusers group by editing your /etc/group file:

sftpusers:x:501:john,mary,clive

Make sure users cannot log in using ssh. Do this by editing /etc/passwd:

vim /etc/passwd

and changing /bin/bash to /bin/nologin for each SFTP user.

From:
john:x:500:500::/home/john:/bin/bash
To:
john:x:500:500::/home/john:/bin/nologin

Next, set the permissions on the home directory:

chmod -R 755 /home/john

Then you must set the following ownership on the user's home directory (sshd requires the chroot directory and every directory above it to be owned by root and not writable by group or others):

chown -R root:sftpusers /home/john

Restart sshd:

/etc/init.d/sshd restart

You can now sftp into your server, and the SFTP users will be restricted to their home directory only.
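The steps above as one script, added here as an example and not part of the original post. It assumes the group name sftpusers, home directories under /home, a writable upload subdirectory named upload (my choice, since a fully root-owned home leaves the user with nowhere to write), and GNU coreutils stat for the ownership check. The chroot_path_ok check mirrors the rule sshd applies to ChrootDirectory: every component of the path must be root-owned and not group- or world-writable, which is the usual reason for "bad ownership or modes for chroot directory" failures.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: group "sftpusers",
# homes under /home, an "upload" subdirectory for writable storage, GNU stat.
SFTP_GROUP="${SFTP_GROUP:-sftpusers}"
NOLOGIN="${NOLOGIN:-/bin/nologin}"   # /sbin/nologin on some distributions

# Print the Match block to append to /etc/ssh/sshd_config.
sftp_match_block() {
    printf 'Match Group %s\n    ChrootDirectory %%h\n    ForceCommand internal-sftp\n' "$1"
}

# One directory passes if it is owned by root (uid 0) and neither the group
# nor the "other" permission digit has the write bit (2) set.
chroot_dir_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1      # e.g. 755 or 1755
    [ "$uid" = "0" ] || return 1
    oth=${mode#"${mode%?}"}                       # last octal digit
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                       # second-to-last digit
    case "$grp" in 2|3|6|7) return 1 ;; esac
    case "$oth" in 2|3|6|7) return 1 ;; esac
    return 0
}

# sshd checks every component from the chroot directory up to /, so do the same.
chroot_path_ok() {
    p="$1"
    while :; do
        chroot_dir_ok "$p" || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Root-only: create (or reuse) a user, lock out shell logins, put the user in
# the SFTP group, and lay out the home so it passes chroot_path_ok while the
# upload subdirectory stays writable by the user.
setup_sftp_user() {
    u="$1"
    id "$u" >/dev/null 2>&1 || useradd -m "$u"
    usermod -s "$NOLOGIN" -aG "$SFTP_GROUP" "$u"
    chown root:"$SFTP_GROUP" "/home/$u"
    chmod 755 "/home/$u"
    mkdir -p "/home/$u/upload"
    chown "$u":"$SFTP_GROUP" "/home/$u/upload"
    chmod 750 "/home/$u/upload"
    chroot_path_ok "/home/$u" || echo "warning: /home/$u will be rejected by sshd" >&2
}

# Root-only driver: run as  ./sftp-chroot.sh john mary clive
# then append the Match block, check with "sshd -t", and restart sshd.
if [ "$(id -u)" = "0" ] && [ $# -gt 0 ]; then
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    for u in "$@"; do setup_sftp_user "$u"; done
    sftp_match_block "$SFTP_GROUP"
fi
```

Run the check function by hand on a home directory before restarting sshd; a failing chroot_path_ok means the login will be refused even though the config parses. The sshd_config edit itself is left to you (append the printed block, then validate with sshd -t) so the script cannot silently duplicate a Match block on a second run.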
