Usual warning
This article is written for Ubuntu Intrepid 8.10 and should work for Linux distributions running OpenSSH 4.9 or greater. No responsibility is taken for data loss. You know the score - take backups and try it out on a test server if possible.
Create an sftp group
First we need to create an sftp group. This group will hold the users we want to chroot.
This group is referenced in the ssh config file, so in future we can easily add more users if we want to.
Create a user
Now we create a user that we want to have sftp access only. This user won’t be able to log in with a standard ssh session but will be able to log in using sftp to transfer files. Replace user with whatever you wish. Set the home directory (in this case /var/www/vhosts/theirsite.com) to the folder you want the user to have access to.
Now set a password for the user:
Change the user’s primary group to the sftp group we just created:
Then we need to set the user’s shell to /bin/false:
Configuring OpenSSH
Now we need to configure OpenSSH. Open the sshd config file:
Change the Subsystem:
At the bottom of the file add:
Correct permissions
OpenSSH is sensitive to permissions on the chroot directory, so you need to make sure they are correct.
My vhost layout is:
The important thing here is that the folder theirsite.com must be owned by root and in the root group. Providing you want to allow write access, everything else must be owned by the user and in the sftp group. You could of course set custom permissions on sub-folders as you wish.
In order for jailing to work correctly, every folder above the theirsite.com directory must also be owned by root and in the root group. In this case that means the following folders:
If any of these folders is not owned by root and in the root group, the user’s login will fail.
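An added example, not the article’s own commands (which are not reproduced on this page): a POSIX shell script that prints the standard OpenSSH directives for a group-based SFTP chroot and audits the root:root ownership chain the permissions section describes. It assumes GNU coreutils stat(1) on Linux; the group name and vhost path are the article’s, while the directive set (Match Group, ChrootDirectory, ForceCommand internal-sftp) is the standard OpenSSH one rather than the article’s exact lines.

```shell
#!/bin/sh
# Added example, not the article's own commands: print an sshd_config fragment
# that chroots members of the sftp group, and audit the ownership chain that
# OpenSSH's ChrootDirectory requires. Assumes GNU coreutils stat(1) (Linux).

# Standard OpenSSH directives: route sftp through the in-process server and
# jail every member of the group ($1, e.g. "sftp") in their home directory.
sshd_sftp_config() {
  printf 'Subsystem sftp internal-sftp\n'
  printf 'Match Group %s\n' "$1"
  printf '    ChrootDirectory %%h\n'
  printf '    ForceCommand internal-sftp\n'
  printf '    AllowTcpForwarding no\n'
  printf '    X11Forwarding no\n'
}

# Emit "path uid gid octal-mode" for the chroot and every directory above it,
# e.g. /var/www/vhosts/theirsite.com, /var/www/vhosts, /var/www, /var, /.
chroot_chain() {
  dir=$1
  while :; do
    stat -c '%n %u %g %a' "$dir"
    [ "$dir" = / ] && break
    dir=$(dirname "$dir")
  done
}

# Read "path uid gid mode" lines (paths without spaces) and report every
# directory sshd would reject: not root:root, or writable by group/others.
# Returns 0 when the whole chain is clean, 1 otherwise.
audit_chain() {
  rc=0
  while read -r path uid gid mode; do
    if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
      printf 'BAD owner %s (uid=%s gid=%s, need 0:0)\n' "$path" "$uid" "$gid"
      rc=1
    fi
    case $mode in
      *[2367][0-7] | *[2367])
        printf 'BAD mode  %s (%s, group/world writable)\n' "$path" "$mode"
        rc=1 ;;
    esac
  done
  return $rc
}

# Audit a real path on this host, e.g. check_chroot /var/www/vhosts/theirsite.com
check_chroot() { chroot_chain "$1" | audit_chain; }

if [ $# -gt 0 ]; then check_chroot "$1"; fi
```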
So that’s it: the user should be able to log in using sftp, and you should have an extensible chrooted SFTP system.