Chroot SFTP only on CentOS 6.
- February 27th, 2015
- Posted in Documentation
CentOS: 6.6
When setting up an SFTP server, you may want to restrict or jail the SFTP users to a single directory tree without restricting every other use of OpenSSH on the box. This is how I restricted SFTP without impacting the rest of openssh:
Create the group that the Match block below will key on; adding a user to this group is what grants (chrooted) SFTP access:
# groupadd sftp
Create a user:
# useradd -G sftp -d /into -s /sbin/nologin testuser
Notice the home directory. It is interpreted after the chroot takes effect, so /into is the directory the user lands in inside the jail, i.e. /sftpdir/testuser/into on the real filesystem (see the directory layout below). Also note that the shell is /sbin/nologin, so the account cannot get an interactive shell even if it ever falls outside the Match block.
Set the password:
# passwd testuser
Make a backup copy of /etc/ssh/sshd_config and make the following changes to the existing file:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
# vi /etc/ssh/sshd_config
…
# JGZ – Force use of the OpenSSH in-process sftp server
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
…
# JGZ – Match to group to chroot
Match Group sftp
ChrootDirectory /sftpdir/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
…
The Match block must go at the end of sshd_config: every directive after a Match line applies only to that match until the next Match, so anything placed below it would silently stop applying globally. Check the syntax with sshd -t before restarting so a typo cannot lock you out of the box, then restart the service:
# service sshd restart
It is very important that the directory permissions are correct. sshd requires every component of the ChrootDirectory path (here /, /sftpdir and /sftpdir/testuser) to be owned by root and not writable by group or others; otherwise the login is refused and /var/log/secure shows "bad ownership or modes for chroot directory". Only the directory below the chroot root belongs to the user, and that is where uploads go. Create the directories and set permissions:
# mkdir /sftpdir
# chmod 755 /sftpdir
# ls -ld /sftpdir
drwxr-xr-x. 3 root root 4096 Feb 27 05:53 /sftpdir
# mkdir /sftpdir/testuser
# chmod 755 /sftpdir/testuser
# ls -ld /sftpdir/testuser/
drwxr-xr-x. 3 root root 4096 Feb 27 14:57 /sftpdir/testuser/
# mkdir /sftpdir/testuser/into
# chown testuser:sftp /sftpdir/testuser/into
# chmod 755 /sftpdir/testuser/into
# ls -ld /sftpdir/testuser/into
drwxr-xr-x. 2 testuser sftp 4096 Feb 27 15:07 /sftpdir/testuser/into
It should be simple enough to create a script to create new users. Basically, this is what you need; the paths follow the ChrootDirectory /sftpdir/%u set above, and the home directory names the upload directory relative to the chroot:
# useradd -G sftp -d /incoming -s /sbin/nologin testuser1
# mkdir -p /sftpdir/testuser1/incoming
# chmod 755 /sftpdir/testuser1
# chown testuser1:sftp /sftpdir/testuser1/incoming
# passwd testuser1