Enabling ChrootDirectory breaks the SFTP on AWS, gives error for wrong dir

Tags: amazon-ec2, amazon-web-services, chroot, sftp, vsftpd

I'm trying to set up an SFTP server on AWS that multiple customers can use to upload data securely. It is important that they are not able to see the data of any other customer, and to do that I need to jail the directories with ChrootDirectory in

My sshd_config has the following:

Subsystem sftp internal-sftp
Match Group sftponly
        ChrootDirectory /home/chroot/ftptest/
        AllowTcpForwarding no
        ForceCommand internal-sftp

If I comment out the ChrootDirectory line everything works fine, except that you can see all the files on the system. I configured everything based off of the instructions here using vsftpd. I am using ssh keys to control access to each of the customer accounts, as per Amazon's instructions. I am using the Amazon AMI.

Edit: I changed the chroot directory to /home/chroot/ftptest/ and created directories with the following permissions:

ls -ld / /home /home/chroot /home/chroot/ftptest/
dr-xr-xr-x 25 root    root    4096 Feb 23 03:28 /
drwxr-xr-x  6 root    root    4096 Feb 23 20:26 /home
drwx--x--x  3 root    root    4096 Feb 23 20:27 /home/chroot
drwxr-xr-x  2 ftptest ftptest 4096 Feb 23 20:27 /home/chroot/ftptest/

It's still not working. In /var/log/secure I see

Authentication refused: bad ownership or modes for directory /home/ftptest

even though /home/ftptest isn't the directory I am trying to chroot to. Why would it be throwing an error for that directory? Could this be an issue with the ~/.ssh directory?

Best Answer

The "Match Group" section matches the user's UNIX account group, so if ftptest isn't in the group sftponly, or the group doesn't exist, add it:

# groupadd sftponly
# usermod -a -G sftponly ftptest

That should get it working. The problem is that if you add anyone else to that group, they all get the same folder, so if you want one user to get chroot'd, the easy way is to do something like

Match User ftptest
  ChrootDirectory /home/chroot/ftptest
  ForceCommand internal-sftp
  AllowTcpForwarding no

Now, ftptest connects and gets their own folder. If you have lots of users, add them to group sftponly and use this config:

Match group sftponly
  ChrootDirectory /home/chroot/%u
  ForceCommand internal-sftp
  AllowTcpForwarding no

This will give all of them their own sandboxed folders (make sure you mkdir their folder and give it the correct permissions).
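sshd refuses a ChrootDirectory unless every path component from / down is owned by root and is neither group- nor world-writable, and StrictModes applies the same kind of ownership and mode check to the home directory that holds ~/.ssh. The following added example (not from the question or the answer) replays that walk over a candidate path so you can see which component trips it; the script, the function names and the optional expected-uid parameter are my assumptions, and it assumes GNU coreutils stat.

```shell
#!/bin/sh
# check_chroot_path: walk every component of a candidate ChrootDirectory
# and apply the rules sshd enforces before it will chroot: each component
# must be owned by the expected uid (0 for sshd) and must not be group- or
# world-writable. Failing components are printed. Assumes GNU coreutils stat.
# The usual safe layout: /home/chroot/<user> root:root 0755, with a
# subdirectory such as upload/ owned by <user> for the actual writes.
#
# Usage: check_chroot_path /home/chroot/ftptest [expected_uid]

# Check a single directory against the ownership and mode rules.
check_one() {
    dir=$1
    want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING   $dir"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    other=${mode#"${mode%?}"}          # last octal digit (other)
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last octal digit (group)
    group=${group:-0}
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD OWNER uid=$uid (want $want_uid) $dir"
        return 1
    fi
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo "BAD MODE  $mode (group/other writable) $dir"
        return 1
    fi
    return 0
}

# Rebuild the path one component at a time, from / downward, checking each.
check_chroot_path() {
    want_uid=${2:-0}
    rc=0
    current=""
    old_ifs=$IFS
    IFS=/
    set -- $1
    IFS=$old_ifs
    check_one / "$want_uid" || rc=1
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        check_one "$current" "$want_uid" || rc=1
    done
    return $rc
}
```

Run it as root on the server against the exact ChrootDirectory value; a clean walk prints nothing and exits 0.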