How to Specify User Home in SSHD Config

Tags: chroot, linux, sftp, ssh

I have my sftp users chrooted into /var/www and I would like for them to be automatically moved into their directory. I found this answer which helped me a lot: Chroot SFTP – Possible to allow user to write to current (chroot) directory. But I want to move the user into his or her home directory (=/= name of the user) instead (which is a sub-dir of /var/www). I tried:

Match Group sftpusers
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /var/www
  ForceCommand internal-sftp -d %h

But I get fatal: percent_expand: unknown key %h [postauth].

EDIT: I found that %d is the user directory but it doesn't seem to work because it is looking for it based on /var/www.

Best Answer

As I understand it, the problem you're facing is that the internal-sftp call is happening after the chroot is in place, thus the %h (as well as the attempted %d) is being expanded within the chroot. Even though your users live in /var/www/$USERNAME, using %d will naturally instruct internal-sftp to run out of /var/www/var/www/$USERNAME.

%u should work around this issue:

Match Group sftpusers
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /var/www
  ForceCommand internal-sftp -d /%u

This will tell internal-sftp to run out of a directory called /$USERNAME. Since this call is happening after the chroot is established, it should dereference to /var/www/$USERNAME outside of the chroot.

As discussed in the comments, since your usernames and homedir names are divergent, a workaround would be to use the above config, then create a /var/www/USERNAME for each user and bind mount /var/www/USERNAME to /var/www/CURRENT_HOMEDIR_NAME, like so: mkdir /var/www/USERNAME; mount -o bind /var/www/CURRENT_HOMEDIR_NAME /var/www/USERNAME (the existing homedir is the bind source, the new directory is the mount point).

Now you'll have two directories under /var/www for each username, but one will simply point to the other - internal-sftp will then work as expected and whatever you have that needs to access the homedirs as /var/www/CURRENT_NAME won't break.