Search Posts on Binpipe Blog

Restrict Users to Home Directory : Chroot Jail for SFTP Users

We often need to restrict users to their home directories. Here we discuss an easy way to setup jailed SFTP users on CentOS 5.x. Haven't yet tried this on CentOS 6.0, but this should work there too. The only thing is to ensure that the OpenSSH Version is 5.x and not 4.x.

So, the most important step is the first step – upgrading OpenSSH to version 5.x. Version 4.x of OpenSSH which is included in CentOS is missing the necessary functions to “chroot” the users (i.e. set their root directory when they login) so that they can only view files that are under their virtual root directory. Once upgraded, it’s just a few lines of config changes and some basic user setup and you’re good to go. Feel free to ask in comments for help if you get stuck.

1. Upgrade to OpenSSH 5.x

## fetch the packages - 64-bit system  wget  wget  wget

- or -

## fetch the packages - 32-bit system  wget  wget  wget


## upgrade OpenSSH  rpm -Uvh openssh-*

2. Comment out the following line in ‘/etc/ssh/sshd_config’

Subsystem     sftp     /usr/libexec/openssh/sftp-server

3. Append these lines to the end of ‘/etc/ssh/sshd_config’

Subsystem     sftp     internal-sftp  Match Group sftponly      ChrootDirectory /home/%u      ForceCommand internal-sftp      AllowTcpForwarding no

4. Add the ‘sftponly’ user group

groupadd sftponly

5. Modify the user’s group and shell

usermod -g sftponly jsmith  usermod -s /bin/false jsmith

6. Set the proper filesystem permissions

(John Smiths’s home directory is /home/jsmith and his website is in /home/jsmith/public_html)

chmod 755 /home/jsmith/  chmod 755 /home/jsmith  chown root:root /home/jsmith  chown jsmith:sftponly /home/jsmith/public_html

7. Restart the SSHD daemon

/etc/init.d/sshd restart


No comments:

Post a Comment

Hi, Leave a comment here and one of the binary piper's will reply soon :)