SFTP-Chroots
Yet another little reminder for me on how to do chroots in sftp (so a user does not see /bin, /home, and other internal/user directories, say in webhosting).
In my example, my users should get a directory in /srv/sftp/.
Create a new group, I'll call it sftponly:
groupadd sftponly
Create 2 users, "alice" and "bob", if you haven't already created them (note that we give them no shell access here, by setting their shell to /bin/false):
useradd -s /bin/false alice
useradd -s /bin/false bob
Set their passwords:
passwd alice
passwd bob
Add them to the sftponly group (you could have done this while creating them as well; on distributions whose usermod has no -A option, the equivalent is usermod -aG sftponly alice):
usermod alice -A sftponly
usermod bob -A sftponly
Create folders for alice and bob, each owned by its user and readable by nobody else:
cd /srv/sftp
mkdir /srv/sftp/alice
chown alice /srv/sftp/alice
chmod 700 /srv/sftp/alice
mkdir /srv/sftp/bob
chown bob /srv/sftp/bob
chmod 700 /srv/sftp/bob
Set ownership of /srv/sftp/ to root:sftponly with rwxr-x--- permissions. This is necessary for the chroot to work (sshd refuses a chroot directory that is not owned by root or that is writable by group or others); otherwise something like this will pop up in your syslog: fatal: bad ownership or modes for chroot directory "/srv/sftp"
chown root:sftponly /srv/sftp
chmod 750 /srv/sftp
Prepare /etc/ssh/sshd_config (put the Match block at the end of the file, since every directive after a Match line belongs to that block until the next Match):
#Subsystem sftp /usr/lib64/ssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory /srv/sftp
X11Forwarding no
AllowTcpForwarding no
Restart the ssh-server:
systemctl restart sshd.service
And that's it. If alice or bob log in now, they should only see two directories, alice and bob, and nothing else.
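Since the "bad ownership or modes" error only shows up after the restart, here is an added pre-flight check (example code, not part of the original post) that walks the chroot path from /srv/sftp up to / and applies the rule sshd enforces on every component: owned by root, not writable by group or others. It assumes GNU coreutils stat(1) for the -c format flags; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: verify ChrootDirectory ownership/mode rules before
# restarting sshd. Assumes GNU coreutils stat(1) for "stat -c".

# component_ok UID MODE
# Pure rule check on the values stat(1) reports for one directory:
# UID is the numeric owner, MODE the octal permission string (750, 2755, ...).
# Returns 0 when the component satisfies sshd's chroot requirements, 1 otherwise.
component_ok() {
    uid=$1
    mode=$2
    # The directory must be owned by root (uid 0).
    [ "$uid" = 0 ] || return 1
    # The last two octal digits are the group and other permission bits;
    # a digit with the write bit set (2, 3, 6 or 7) disqualifies the path.
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR
# Walks from DIR up to the filesystem root, applying component_ok to each
# directory. Prints the first offending directory and returns 1, or returns 0
# when the whole chain is acceptable to sshd.
check_chroot_path() {
    dir=$1
    while :; do
        uid=$(stat -c %u "$dir") || return 1
        mode=$(stat -c %a "$dir") || return 1
        if ! component_ok "$uid" "$mode"; then
            printf '%s: uid %s mode %s violates ChrootDirectory rules\n' \
                "$dir" "$uid" "$mode" >&2
            return 1
        fi
        if [ "$dir" = / ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# Usage (as root, after the chown/chmod steps above):
# check_chroot_path /srv/sftp && systemctl restart sshd.service
```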