Centos 6 SFTP chroot Jail
User and Group setup
First, create the sftponly group:
groupadd sftponly
Then create the user with the correct home directory, a non-interactive shell, and membership of that group:
useradd -d /var/www/vhosts/bob -s /bin/false -G sftponly bob
Don't forget at this point to also set a password for each of these new accounts, since the user cannot log in without one.
SSHd configuration changes
Now we need to make changes in /etc/ssh/sshd_config to enable SFTP chroot jails in SSH.
Comment out the following line in /etc/ssh/sshd_config (the exact path to sftp-server may differ on your system, so look for the existing Subsystem sftp line):
Subsystem sftp /usr/lib/openssh/sftp-server
and replace it with this line:
Subsystem sftp internal-sftp
Then add the following set of lines to the very bottom of the file (they must go at the end, because every directive after a Match line applies only to that match):
Match Group sftponly
ChrootDirectory /var/www/vhosts/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp
This creates a special login group; every user in that group is chroot-jailed into their own home directory (%u in ChrootDirectory expands to the username, so bob lands in /var/www/vhosts/bob) and is limited to SFTP, with no shell, X11 forwarding or TCP forwarding.
Once these changes are saved you will need to restart sshd for them to take effect, using the following command:
service sshd restart
Permissions cleanup and testing
The last issue to address is permissions. sshd requires the ChrootDirectory itself, and every directory above it, to be owned by root and not writable by group or others; otherwise the login is refused and /var/log/secure shows "bad ownership or modes for chroot directory". For this example the directories /var/www/vhosts/bob and /var/www/vhosts/ted should both be owned by root. Since the jail root is therefore not writable by the user, each user gets a writable subdirectory inside it: /var/www/vhosts/ted/site1 should be owned by ted and /var/www/vhosts/bob/site1 should be owned by bob.
Make the jail root root-owned, strip group and world write, and verify the result:
chown root /var/www/vhosts/bob
ls -la
chmod go-w /var/www/vhosts/bob
Hand the writable upload directories inside the jail to the user (the chmod line uses relative names, so run it from the directory that contains them):
chown bob:sftponly /var/www/vhosts/bob/fileupload/
chown bob:sftponly /opt/app/vhosts/rbc/writable/
chown bob:sftponly /opt/app/vhosts/rbc/codeupload/
chmod ug+rwx codeupload fileupload writable
Finally, log in with an SFTP client as bob and watch the logs for chroot or permission errors while doing so:
tail -f /var/log/secure
tail -f /var/log/audit/audit.log
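As an added check (example script written for this page, not part of the original post), the following verifies the ownership and mode rules above for each member of sftponly before you restart sshd; it assumes GNU stat as shipped on CentOS and the /var/www/vhosts/%u layout from the Match block.

```shell
#!/bin/sh
# Added example: sanity-check the chroot layout before restarting sshd.
# Assumes GNU stat (CentOS) and the /var/www/vhosts/%u layout from the
# Match block. sshd refuses the login ("bad ownership or modes for chroot
# directory") unless ChrootDirectory and every directory above it are
# root-owned and not writable by group or others; the checks mirror that.

# check_chroot_dir DIR: root-owned with no group/other write bit.
check_chroot_dir() {
    d=$1
    [ -d "$d" ] || { echo "$d: does not exist"; return 1; }
    case $(stat -c '%A' "$d") in        # e.g. drwxr-xr-x
        ?????w*|????????w*) echo "$d: writable by group or others"; return 1 ;;
    esac
    u=$(stat -c '%u' "$d")
    [ "$u" = 0 ] || { echo "$d: not owned by root (uid $u)"; return 1; }
    echo "$d: ok"
}

# check_upload_dir DIR USER: the writable subdirectory inside the jail
# must belong to the jailed user or uploads fail with permission denied.
check_upload_dir() {
    d=$1 user=$2
    [ -d "$d" ] || { echo "$d: does not exist"; return 1; }
    o=$(stat -c '%U' "$d")
    [ "$o" = "$user" ] || { echo "$d: owned by $o, expected $user"; return 1; }
    echo "$d: ok (owned by $user)"
}

# check_jail USER SUBDIR...: walk from /var/www/vhosts/USER up to / checking
# the chroot rules, then check each writable subdirectory under the jail.
check_jail() {
    user=$1; shift
    jail=/var/www/vhosts/$user; rc=0; p=$jail
    while [ "$p" != / ]; do check_chroot_dir "$p" || rc=1; p=$(dirname "$p"); done
    for sub in "$@"; do check_upload_dir "$jail/$sub" "$user" || rc=1; done
    return $rc
}

# Stand-alone use: `sh check_jail.sh site1` checks every member of sftponly.
if [ $# -gt 0 ]; then
    for user in $(getent group sftponly | cut -d: -f4 | tr ',' ' '); do
        check_jail "$user" "$@"
    done
fi
```

Run it as root after the chown/chmod steps; any line other than "ok" points at the directory sshd will reject.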