H's Blog A good shell is the best user interface.

17 Dec 2011

SFTP using ChrootDirectory

In newer releases of OpenSSH, restricting a user to their home folder is almost as easy as with ProFTPD's DefaultRoot. You no longer need to set up a chroot environment containing copies of (or links to) the essential libraries and so on.

On Debian/Ubuntu only a few steps are needed, most of them in /etc/ssh/sshd_config:

  • Create a group (e.g. with addgroup restricted) that will contain the users who are to be confined to their home folders.
  • Change the Subsystem line for the sftp protocol to the in-process server:
    Subsystem sftp internal-sftp
  • Add a Match block for the group that chroots its members into their home folder and restricts them to sftp:
    Match group restricted
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

The permissions on the home folder path are critical: don't grant too many permissions to other (non-root) users, and if sftp does not work, check /var/log/auth.log for the corresponding messages.
