I've set up an SFTP server using OpenSSH, everything works fine and the users I created can connect.
After authentication, the users find themselves directly inside /chroot, a directory they are not allowed to write into. So I've put a /subdirectory into /chroot that they have write access to (inspired by this blog post), which works fine as well.
However, due to the nature of the project I'm working on, users should find themselves directly in a folder they are allowed to write into after authentication. Forwarding them into /chroot/subdirectory might be the best solution, but I've found no resource explaining how to achieve that.
Can it be done? How?
Best Answer
[EDIT] Yes, I believe it is possible, but I also believe not with OpenSSH:
Here is how I chroot sftp using OpenSSH:
I put sftp users in a special group, sftponly, which is identified in the sshd_config file. I make sure sftp users have no shell (so they can't log in with ssh) and use the %h environment variable to force them into an sftp chroot subdir named after their home directory using the ChrootDirectory directive. Other environment variables interpreted by sshd_config are documented in the sshd_config man page like so:
Here is a copy of my notes for achieving this on OpenBSD; if you use a different system the %h environment variable may of course differ:
[EDIT part 2] However, the sshd_config man page also specifies that:
So the chroot directory path, including the part specified by variable expansion, is expected and tested for by sshd to be owned and writable exclusively by root. Therefore, a user of an openssh sftp chrooted service needs writable subdirectories to be able to write to the home directory.
I believe this is not a requirement with all ssh servers however. We also use Tectia where I observe that users are able to write to their respective root directories. However we run it only where Windows is a requirement, so regrettably I cannot readily test the corresponding *nix configuration. The Tectia sftp chrooting support page does not explicitly specify that the user home needs to be owned by root in a Unix environment. I would therefore guess that with Tectia this is not a requirement but that the ownership of a chrooted user home rootdir may be that of the actual user.
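The OpenSSH setup the answer describes (an sftponly group matched in sshd_config, no shell, a root-owned and non-writable chroot per user, and a writable subdirectory underneath it), assembled here as an added example; this is not code from the question, the answer, or the OpenSSH project. The group name sftponly, the chroot base /srv/sftp, the subdirectory name upload, the nologin path, and the helper names are assumptions. It goes one step beyond the answer for the questioner's actual goal: OpenSSH 6.2 and later accept a start directory for the built-in server (`internal-sftp -d /upload`, a path inside the chroot), so the user lands in the writable subdirectory instead of the read-only chroot root. The check_chroot_path function reproduces the ownership and mode test sshd applies to every path component of ChrootDirectory, so a misconfigured tree is caught before the first "bad ownership or modes for chroot directory" login failure.

```shell
#!/bin/sh
# Added example, not from the original post or answer. Assumptions: group
# "sftponly", chroot base "/srv/sftp", writable subdirectory "upload", shell
# /usr/sbin/nologin, and OpenSSH >= 6.2 for "internal-sftp -d". POSIX sh only.

# Emit the sshd_config fragment: members of $1 are chrooted into $2/<user>,
# lose forwarding and TTY features, and start inside the writable subdir.
sftp_chroot_config() {
    group=$1; base=$2
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $group
    ChrootDirectory $base/%u
    ForceCommand internal-sftp -d /upload
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
EOF
}

# Return 0 if an ls(1) mode string such as drwxr-xr-x has neither the group
# nor the other write bit set. Together with root ownership this is what sshd
# requires of every component of ChrootDirectory.
mode_is_private() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Walk from the given directory up to / and verify each component is owned by
# uid 0 and not group/world writable. Prints the first offending component and
# returns 1; returns 0 when the whole path would satisfy sshd's chroot check.
check_chroot_path() {
    top=$1; p=$1
    while :; do
        out=$(ls -ldn "$p" 2>/dev/null) || { echo "missing: $p"; return 1; }
        set -- $out            # field 1 = mode string, field 3 = numeric uid
        mode=$1; uid=$3
        if [ "$uid" != 0 ]; then
            echo "not root-owned: $p (uid $uid)"; return 1
        fi
        if ! mode_is_private "$mode"; then
            echo "group/world writable: $p ($mode)"; return 1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    echo "ok: every component of $top is root-owned and private"
    return 0
}

# Provision one user (must run as root). The chroot itself stays root-owned and
# 0755; only the upload subdirectory belongs to the user. The passwd home is
# set to /upload, a path inside the chroot, which also works as the start
# directory on servers too old for "internal-sftp -d".
provision_sftp_user() {
    user=$1; base=$2; group=${3:-sftponly}
    getent group "$group" >/dev/null 2>&1 || groupadd "$group"
    mkdir -p "$base/$user/upload"
    chown root:root "$base" "$base/$user"
    chmod 0755 "$base" "$base/$user"
    useradd -g "$group" -d /upload -s /usr/sbin/nologin "$user"
    chown "$user:$group" "$base/$user/upload"
    chmod 0750 "$base/$user/upload"
    check_chroot_path "$base/$user"
}

# Usage (as root):
#   provision_sftp_user alice /srv/sftp
#   sftp_chroot_config sftponly /srv/sftp >> /etc/ssh/sshd_config && sshd -t
#   check_chroot_path /srv/sftp/alice     # re-run after any chown/chmod
```

Run `sshd -t` after appending the fragment: the Match block must come after any global directives, and `-d` is rejected by older sftp-server binaries, which is exactly the case where the passwd-home workaround in provision_sftp_user still applies.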