SFTP (SSH) chroot

All,

Do you know how to chroot users to home-dirs using sftp?

Like user bob is forced into /home/bob and can't get anywhere else on the box and user jim is forced into /home/jim

I know you can force all users to one chroot, but what about separate ones?

Cheers.
 
Yeah, this is a unix box. Normally with FTP you can force people to only see their home directories when they FTP and they can't browse the rest of the file system.
 
I get you! I'm guessing you would have to allow that user to see the rest of the root files but how I don't know. I'm not even sure if that would be safe as that is the whole point of the root user.
 
Ahh, apparently you can do:

Match User anonsftp
    ForceCommand internal-sftp -R
    ChrootDirectory /chroot/home
    PermitEmptyPasswords yes
    PasswordAuthentication yes
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

In /etc/sshd/sshd_config
 
The above would chroot the user anonsftp into a chroot directory of /chroot/home so you'd need a separate stanza for each user.

What you can do is do the match against a group, say sftponly, and put all the users into that group. You then use a %u (from memory) in the ChrootDirectory variable to substitute the username into the path, e.g. /chroot/home/%u

The problem you get though is that if you have a user john with a chrooted home sftp directory of /chroot/home/john then john will be able to write to any directories created under the john directory, with the appropriate permissions, but not the chrooted home directory itself as that needs to be owned by root and have permissions of 0600 for the chroot to work. At least that's the case with RHEL.

(I would note that this can vary a bit from distribution to distribution or OS to OS and has been broken from time to time on various platforms so ymmv)
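As an added illustration of the group-based approach above (example code, not from the thread), this script emits the Match block that uses %u for per-user paths and checks a chroot target the way sshd does before letting the login in: the directory must be root-owned and not writable by group or others, while the user gets a writable subdirectory. The group name sftponly, the base /chroot/home, the upload subdirectory name and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example for the thread's per-user sftp chroot setup (not from the original post).
# Assumes OpenSSH sshd, a group named "sftponly", a base of /chroot/home and GNU stat.

CHROOT_BASE="${CHROOT_BASE:-/chroot/home}"
SFTP_GROUP="${SFTP_GROUP:-sftponly}"

# sshd_config stanza: one Match block for the whole group, %u expands to the login name,
# so john is chrooted into /chroot/home/john, bob into /chroot/home/bob.
sftp_match_block() {
    cat <<EOF
Match Group $SFTP_GROUP
    ChrootDirectory $CHROOT_BASE/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses the session ("bad ownership or modes for chroot directory") unless the
# chroot target is owned by root and neither group nor others can write to it.
# Returns 0 when both conditions hold. Second argument overrides the required owner
# uid (defaults to 0) so the check can be exercised on non-root test directories.
chroot_dir_ok() {
    dir=$1
    want_uid=${2:-0}
    owner_uid=$(stat -c %u "$dir" 2>/dev/null) || return 1
    mode=$(stat -c %a "$dir")
    [ "$owner_uid" = "$want_uid" ] || return 1
    # second-to-last octal digit is group, last is other; 2,3,6,7 carry the write bit
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Create the layout the thread describes: root-owned 0755 chroot root that the user
# cannot write to, plus a subdirectory owned by the user for actual uploads. Needs root.
setup_user_chroot() {
    user=$1
    install -d -o root -g root -m 0755 "$CHROOT_BASE/$user"
    install -d -o "$user" -g "$SFTP_GROUP" -m 0750 "$CHROOT_BASE/$user/upload"
    chroot_dir_ok "$CHROOT_BASE/$user"
}
```

Append the output of sftp_match_block to sshd_config (Match blocks must come last) and run `sshd -t` before reloading; run setup_user_chroot as root for each member of the group.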
 