Please follow the steps below:
1) Define a group of which members will be chrooted:
This is a standard Linux group assignment. The group name is user definable.
Define a group: groupadd sftpusers
Groups are defined in the file /etc/group
2) Add users to the group and deny users shell access:
A non-working shell can be assigned to a user to prevent interactive shell access. Linux includes two programs for this purpose:
/sbin/nologin
/bin/false
User accounts can be modified after creation: usermod -s /bin/false -g sftpusers userid
The shell can be assigned to a user upon user account creation: useradd -s /bin/false -G sftpusers userid
The user group and shell assignment can be edited in the file /etc/passwd:
From: user1:x:1000:1000:George,,,:/home/user1:/bin/bash
To: user1:x:1000:1002:George,,,:/home/user1:/bin/false
3) Create user home directories:
The typical user home directory is /home/userid
The use of chroot requires a new root that is not "/". In this configuration we will use /home/sftpusers. All user home directories will have their true physical paths placed under the rooted path at /home/sftpusers. Thus the true physical path will be /home/sftpusers/home/userid, but it will appear to the user to be at /home/userid.
The user "root" must own the rooted directory: chown root.root /home/sftpusers
The user "root" should own the rooted home directory: chown root.root /home/sftpusers/home
The user will own their home path: chown userid.sftpusers -R /home/sftpusers/home/userid
Set appropriate permissions: chmod 755 /home/sftpusers/home/userid/
Tip: On SELinux systems, allow sshd to read and write files in the chrooted home directories: setsebool -P ssh_chroot_rw_homedirs on
4) SSH daemon configuration to chroot a user group:
Edit the sshd configuration file: /etc/ssh/sshd_config
(partial file shown)
#UsePAM no
UsePAM yes
UsePrivilegeSeparation yes
StrictModes yes
PermitEmptyPasswords no
# change default
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /home/sftpusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
[Potential Pitfall]: You may get the following error:
[user1]$ sftp user1@sftp.megacorp.com
Connecting to 192.121.121.1...
user1@sftp.megacorp.com's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
This is typically due to a misconfiguration: note that sshd will reject sftp connections to accounts that are set to chroot into a directory whose ownership or permissions (including those of its parent directories) sshd does not consider secure.
[Potential Pitfall]: You may get the following error:
sftp> put example.sql
Uploading example.sql to /home/user1/example.sql
Couldn't get handle: Permission denied
This is typically due to a directory permissions problem:
/home/sftpusers - owned by root. This will be chrooted.
/home/sftpusers/home - owned by root.
/home/sftpusers/home/user1 - owned by user
After sshd has chrooted to the ChrootDirectory, it will chdir to the home directory as normal.
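The two pitfalls above both come down to ownership and permissions on the chroot path and the user's home inside it. The following POSIX shell check is an added example, not code from the original post; it walks from "/" down to the ChrootDirectory and flags every component that sshd would reject, then checks the user's home inside the chroot. It assumes the usual `ls -ld` output format ("drwxr-xr-x 2 root root ...") and paths without whitespace; the TOP argument exists only so a layout staged under a scratch directory can be checked without root ownership.

```shell
#!/bin/sh
# Validates the chroot layout from the steps above. sshd refuses a
# ChrootDirectory unless it and every parent directory are owned by root and
# not writable by group or others; the user's home inside the chroot must
# exist and belong to the user. Assumes `ls -ld` output of the usual form
# ("drwxr-xr-x 2 root root ...") and paths without whitespace.

# check_dir DIR OWNER: print a reason and return 1 if sshd would reject DIR.
check_dir() {
    d=$1; want=$2
    [ -d "$d" ] || { echo "$d: missing or not a directory"; return 1; }
    set -- $(ls -ld "$d")           # $1 = mode string, $3 = owner
    mode=$1; owner=$3
    case $mode in                   # 6th char = group write, 9th = other write
        d????w*|d???????w*) echo "$d: writable by group/others ($mode)"; return 1 ;;
    esac
    [ "$owner" = "$want" ] || { echo "$d: owned by $owner, expected $want"; return 1; }
}

# check_chroot_path CHROOT [OWNER] [TOP]: walk from TOP (default /) down to
# CHROOT and check every component. OWNER defaults to root, as sshd requires;
# TOP is only meant for checking a layout staged under a scratch directory.
check_chroot_path() {
    target=$1; want=${2:-root}; top=${3:-/}; chain=""; rc=0
    p=$target
    while [ "$p" != "$top" ] && [ "$p" != "/" ] && [ -n "$p" ]; do
        chain="$p $chain"; p=$(dirname "$p")
    done
    for comp in "$top" $chain; do
        check_dir "$comp" "$want" || rc=1
    done
    return $rc
}

# check_sftp_home CHROOT USER: CHROOT/home/USER (what the user sees as
# /home/USER) must exist, belong to USER and not be writable by others.
check_sftp_home() {
    check_dir "$1/home/$2" "$2"
}

# Typical use on the layout from the steps above:
#   check_chroot_path /home/sftpusers && check_sftp_home /home/sftpusers user1
```

Run it as root after step 3 and again whenever the "Broken pipe" or "Permission denied" errors above appear; each printed line names the directory that needs fixing.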
Chrooting individual users:
Example sshd configuration file: /etc/ssh/sshd_config
(partial file shown)
#UsePAM no
UsePAM yes
UsePrivilegeSeparation yes
StrictModes yes
PermitEmptyPasswords no
Subsystem sftp internal-sftp
Match User userx
ChrootDirectory /home/sftpusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp