Hi,
Chrooting sftp users will allow you to 'hide' the parts of the file system that they do not need access to, or rather, to deny them access to everything and then select what you want them to be able to access. This has obvious security benefits if done correctly (see the Wikipedia article on chroot).
After spending many hours trying (and failing) to get scponlyc to work on a 64-bit system I found that openssh allows you to chroot users by adding just 4 lines to your sshd config file, creating a group for sftp-only users and changing a few permissions.
Required packages: openSSH version 4.9 or greater (at the time of writing 5.1 is in use), so if you're using Intrepid (8.10) or newer then you should be fine.
Parts one and two will only take a few minutes; the time required for part 3 is dependent on how you want to set everything up.
Part one, editing your sshd config file:
1. Backup your sshd config file
Code:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.sftpmod
2. Open your sshd config file in your favorite editor (I use nano, you might use kate or gedit)
Code:
sudo nano /etc/ssh/sshd_config
3. Change the following line (near the end of the file)
Code:
Subsystem sftp /usr/lib/openssh/sftp-server
to
Code:
Subsystem sftp internal-sftp
4. Add the following to the very end of your sshd config (MUST be at the end of the file).
Code:
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
5. You will need to restart your ssh server for the changes to take effect (be careful, this will disconnect any logged in users)
Code:
sudo /etc/init.d/ssh restart
6. If you get the following message, move on to part two
Code:
* Restarting OpenBSD Secure Shell server sshd [ OK ]
If you have made any mistakes in the sshd_config file then your ssh server might not start until you correct them (and certainly won't do what you want it to until you fix them). You can restore the backup with the following command
Code:
sudo cp /etc/ssh/sshd_config.backup.sftpmod /etc/ssh/sshd_config
Part two, creating and adding users to the sftp group
1. Create the group 'sftponly'
Code:
sudo groupadd sftponly
2. Create a new user (even if you want to do this to existing users I would recommend you create a test user first)
Code:
sudo useradd -m username
3. Add the new user to the sftponly group (or add existing users, again please use a test user first!)
Code:
sudo usermod -g sftponly username
4. Remove the new user's shell access
Code:
sudo usermod -s /bin/false username
5. Change the ownership/group of the user's home directory to root:root (required or the ssh server will disconnect them)
Code:
sudo chown root:root /home/username
6. Unless we change the user's home directory to '/' or create '/home/username' inside the chroot they will be unable to log in! I would suggest you opt for creating the home directory inside the chroot, as you can also make it writable for them.
Create the 'fake' home directory
Code:
sudo mkdir -p /home/username/home/username
Make the user the owner of their fake home directory
Code:
sudo chown username:username /home/username/home/username
Part 3, Adding access to specific directories
This section has deliberately been left blank. I am not confident enough in my understanding of file permissions to write this as a step by step guide (anyone else in the same situation copying and pasting my commands could end up with improperly set privileges). If someone else believes they do have a decent understanding of how to do this then post below and I will add it in (giving credit and linking to the post in the list of contributors at the end of this guide).
I will however, give some hints at how it might be done. You can mount other directories inside the chrooted home directory with the following.
Code:
sudo mount -o bind /some/directory/ /home/username/somewhere
You should be very careful with this though, as you need to set permissions correctly (and perhaps mount it read-only if suitable). You could also create a directory common to a group of sftp users (i.e. an uploads directory). For the mount to remain after a reboot you will have to edit your fstab.
Contributors
- albinootje
- Ubuntu release versions this should work on. Link
- Providing a link to another guide suggesting /home/%u instead of %h for the chroot in sshd_config which makes it easier to drop the user into a writable directory inside the chroot (and prevents chrooting to the wrong directory by getting the location of home wrong). Link
- You, if you know anything that would be helpful to anyone reading this guide!