Centos 6 SFTP chroot Jail

Centos 6 SFTP chroot Jail

User and Group setup

First you will want to establish the sftponly group

groupadd sftponly

Then create the user with the correct home directories and group

useradd -d /var/www/vhosts/bob -s /bin/false -G sftponly bob

Don’t forget at this point to also add password to these new accounts.

SSHd configuration changes

Now we need to make changes in /etc/ssh/sshd_config to enable SFTP chroot jails in SSH.

Comment out the following line in /etc/ssh/sshd_config:

Subsystem sftp /usr/lib/openssh/sftp-server

and replace it with this line:

Subsystem sftp internal-sftp

Then add the following set of lines to the very bottom of the file:

Match Group sftponly

ChrootDirectory /var/www/vhosts/%u

X11Forwarding no

AllowTCPForwarding no

ForceCommand internal-sftp

This creates a special login group that then chroot jailed all users in that group into their own home directory.

Once these file changes are saved you will need to restart SSHd for the changes to take effect, using the following command:

service sshd restart

Permissions cleanup and testing

Last issue to address is the permissions settings, for this example the directories /var/www/vhosts/bob and /var/www/vhosts/ted should both be owned by root. The directory /var/www/vhosts/ted/site1 should be owned by ted and the directory /var/www/vhosts/bob/site1 should be owned by bob.

chown root /var/www/vhosts/bob
ls -la
chmod go-w /var/www/vhosts/bob
chown bob:sftponly /var/www/vhosts/bob/fileupload/
chown bob:sftponly /opt/app/vhosts/rbc/writable/
chown bob:sftponly /opt/app/vhosts/rbc/codeupload/
chmod ug+rwx codeupload fileupload writable

tail -f /var/log/secure
tail -f /var/log/audit/audit.log