sftp in a chroot jail using openssh

For years I have used ssh, rsync and sftp to move files over the network with the traffic encrypted.

Here is how to create a small group of users on Ubuntu 10.04.3 LTS that have SFTP access only, confined (chrooted) to a single folder on the server.

The client:
Any SFTP client will do; my favorite is FileZilla.

The Server:
The example below worked for me on Ubuntu 10.04.3 LTS:

# vi /etc/ssh/sshd_config


# Use the in-process SFTP server: no sftp-server binary, shell or libraries
# are needed inside the chroot.
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# Keep this Match block at the end of the file: every line after "Match"
# up to the next Match belongs to it.
Match group sftponly
         # Must be owned by root and not writable by group or others,
         # and so must every directory above it.
         ChrootDirectory /sftp
         X11Forwarding no
         AllowTcpForwarding no
         # Run SFTP no matter what shell or command the client asks for.
         ForceCommand internal-sftp


Group, Folder, Restart commands:
# groupadd sftponly
# mkdir /sftp
# mkdir /sftp/home
# service ssh restart

sshd will only chroot into a directory that is owned by root and not writable by group or others, and it checks every component of the path, so /sftp and /sftp/home must stay root:root 0755 (which is what mkdir as root gives you with the default umask). Otherwise the login fails and auth.log shows "bad ownership or modes for chroot directory". The users' own writable folders go underneath, in /sftp/home.


Note about folders:
In /etc/passwd the home folder is /home/UserName. Because the session is chrooted to /sftp, the client still shows /home/UserName, but on the server's disk the files really live in /sftp/home/UserName.

Adding users:
# useradd -b /home -M -N -g sftponly -s /bin/false UserName
# mkdir /sftp/home/UserName
# chown UserName:sftponly /sftp/home/UserName
# passwd UserName

Generating Keys:
Generate the key pair on the client, not on the server, and copy only the public key (id_rsa.pub) over; the private key must never be left in a folder the server hands out:
$ ssh-keygen -t rsa
Enter file in which to save the key:
~/.ssh/id_rsa
The chroot is applied after authentication, so sshd looks for authorized_keys under the home folder from /etc/passwd, that is /home/UserName on the real disk, and not under /sftp/home/UserName. Install the public key there:
# mkdir -p /home/UserName/.ssh
# cat id_rsa.pub >> /home/UserName/.ssh/authorized_keys

Removing Users:
# userdel -r UserName
# rm -rf /sftp/home/UserName

References:
http://wiki.gilug.org/index.php/How_to_mount_SFTP_accesses
https://help.ubuntu.com/10.04/serverguide/C/openssh-server.html
http://www.debian-administration.org/articles/590

1 comment:

Unknown said...

A domain name has changed for Lapipaplena. Please update the link for:
http://wiki.gilug.org/index.php/How_to_mount_SFTP_accesses