Ssh – set up a chrooted SFTP login with OpenSSH

chrootjailsftpssh

How might I create an SFTP login for an untrusted user in which he can only access the files in his own home directory and not run any commands?

The online tutorial OpenSSH SFTP chroot() with ChrootDirectory is almost exactly what I need, except I'd like for the user to see his home directory as /home/user, rather than simply /.

Any help would be much appreciated.

Best Answer

scponly is a hack. The built-in sftp-server with chroot was meant to address this need properly.

Ben, why do you want them to see their home as /home/user? Doesn't that kind of defeat the purpose of a chroot? Is it just pwd output that you're looking for to reflect their location?

Or is it so they can use full paths in a script? I think you could symlink /home/user/home/user to /home/user for those purposes.

Related Solutions

Centos – the easiest and cleanest way to create a chrooted SFTP on Centos 5.4

I've found the following solution:

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz.asc
# wget  -O- http://ftp.bit.nl/mirror/openssh/DJM-GPG-KEY.asc | gpg –-import
# gpg openssh-5.2p1.tar.gz.asc
gpg: Signature made Mon 23 Feb 2009 01:18:28 AM CET using DSA key ID 86FF9C48
gpg: Good signature from “Damien Miller (Personal Key) ”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48
# tar zxvf openssh-5.2p1.tar.gz
# cp openssh-5.2p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp openssh-5.2p1.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe ’s/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/’ > openssh.spec
# (I found this didn't work and I had to manually disable the two lines for gnome and x11 askpass by changing the 0 to 1)
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# ls -l
-rw-r–r– 1 root root 275808 Feb 27 08:08 openssh-5.2p1-1.x86_64.rpm
-rw-r–r– 1 root root 439875 Feb 27 08:08
openssh-clients-5.2p1-1.x86_64.rpm
-rw-r–r– 1 root root 277714 Feb 27 08:08
openssh-server-5.2p1-1.x86_64.rpm
# rpm -Uvh openssh*rpm
Preparing… ########################################### [100%]
1:openssh ########################################### [ 33%]
2:openssh-clients ########################################### [ 67%]
3:openssh-server ########################################### [100%]
# service sshd restart

Ssh – OpenSSH SFTP: chrooted user with access to other chrooted users’ files

Create a new home directory, such as /chroothome.

Have all users home directories live within that chroothome.

chroot adminuser to /chroothome.

For everything else, just use filesystem permissions.

As far as your "bonus question," it isn't possible using native functionality. The inability for the chroot user to write to the root directory is a security mechanism by design. Of course, you can always modify the source code.

Nevertheless, I suspect you could specify the user's home directory as /user1 and have the working directory at login be the one they could write to.

Best Answer

Related Solutions

Centos – the easiest and cleanest way to create a chrooted SFTP on Centos 5.4

Ssh – OpenSSH SFTP: chrooted user with access to other chrooted users’ files

Related Topic