{"id":1195,"date":"2015-02-27T16:54:36","date_gmt":"2015-02-27T23:54:36","guid":{"rendered":"http:\/\/jim-zimmerman.com\/?p=1195"},"modified":"2020-02-23T16:23:45","modified_gmt":"2020-02-23T23:23:45","slug":"chroot-sftp-only-on-centos-6","status":"publish","type":"post","link":"https:\/\/jim-zimmerman.com\/?p=1195","title":{"rendered":"Chroot SFTP only on CentOS 6."},"content":{"rendered":"<p>CentOS: 6.6<\/p>\n<p>When setting up an SFTP server, you may want to restrict or jail the SFTP users to only one location without restricting all aspects of openssh.  This is how I restricted SFTP without impacting all of openssh:<\/p>\n<p>Create the group that the Match block will use; adding a user to it grants SFTP access:<\/p>\n<blockquote><p># groupadd sftp<\/p><\/blockquote>\n<p>Create a user:<\/p>\n<blockquote><p># useradd -G sftp -d \/into -s \/sbin\/nologin testuser<\/p><\/blockquote>\n<p>Notice the home directory.  It is interpreted relative to the chroot, so the user lands in \/sftpdir\/testuser\/into.  Also, note that the shell is nologin to prevent ssh access.<\/p>\n<p>Set the password:<\/p>\n<blockquote><p># passwd testuser<\/p><\/blockquote>\n<p>Make a backup copy of the sshd_config file and make the following changes to the existing file:<\/p>\n<blockquote><p># cp -rp sshd_config sshd_config.orig<br \/>\n# vi sshd_config<br \/>\n&#8230;<br \/>\n# JGZ &#8211; Force use of the openssh in-process sftp server<br \/>\n#Subsystem\tsftp\t\/usr\/libexec\/openssh\/sftp-server<br \/>\nSubsystem\tsftp\tinternal-sftp<br \/>\n&#8230;<br \/>\n# JGZ &#8211; Match the group to chroot<br \/>\nMatch Group sftp<br \/>\n\tChrootDirectory \/sftpdir\/%u<br \/>\n\tAllowTCPForwarding no<br \/>\n\tX11Forwarding no<br \/>\n\tForceCommand internal-sftp<br \/>\n&#8230;\n<\/p><\/blockquote>\n<p>Restart the service:<\/p>\n<blockquote><p># service sshd restart<\/p><\/blockquote>\n<p>It is very important that the directory permissions are correct: sshd requires the chroot directory and every directory above it to be owned by root and not writable by group or others, otherwise the login is refused.  
Create directories and set permissions:<\/p>\n<blockquote><p># mkdir \/sftpdir<br \/>\n# chmod 755 \/sftpdir<br \/>\n# ls -ld \/sftpdir<br \/>\ndrwxr-xr-x. 3 root root 4096 Feb 27 05:53 \/sftpdir<br \/>\n# mkdir \/sftpdir\/testuser<br \/>\n# chmod 755 \/sftpdir\/testuser<br \/>\n# ls -ld \/sftpdir\/testuser\/<br \/>\ndrwxr-xr-x. 3 root root 4096 Feb 27 14:57 \/sftpdir\/testuser\/<br \/>\n# mkdir \/sftpdir\/testuser\/into<br \/>\n# chown testuser.sftp \/sftpdir\/testuser\/into<br \/>\n# chmod 755 \/sftpdir\/testuser\/into<br \/>\n# ls -ld \/sftpdir\/testuser\/into<br \/>\ndrwxr-xr-x. 2 testuser sftp 4096 Feb 27 15:07 \/sftpdir\/testuser\/into\/<\/p><\/blockquote>\n<p>It should be simple enough to create a script to create new users.  Basically, this is what you need (the home directory is set relative to the chroot, and the per-user directory under \/sftpdir stays root-owned):<br \/>\n# useradd -G sftp -d \/into -s \/sbin\/nologin testuser1<br \/>\n# mkdir -p \/sftpdir\/testuser1\/into<br \/>\n# chown testuser1.sftp \/sftpdir\/testuser1\/into<br \/>\n# passwd testuser1<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CentOS: 6.6 When setting up an SFTP server, you may want to restrict or jail the SFTP users to only one location without restricting all aspects of openssh. 
This is how I restricted SFTP without impacting all of openssh: Create the group that the Match block will use; adding a user to it grants SFTP access: # [&#038;hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[40,383,48,389,317],"class_list":["post-1195","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-centos","tag-chroot","tag-linux","tag-sftp","tag-ssh"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1195"}],"version-history":[{"count":6,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1195\/revisions"}],"predecessor-version":[{"id":1790,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1195\/revisions\/1790"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}