DotNux – Unix/Linux Technical Mini Howto

June 30, 2009

“jail” sftp (OpenSSH based) to user’s home directory using ChrootDirectory option on Centos 5

Filed under: Uncategorized — admin @ 3:07 pm

You probably do not want to expose plain FTP, since it sends passwords and data in the clear, and would rather offer SFTP instead, for example to your Dreamweaver users, who have an SFTP option in the site definition. The problem is that SFTP runs over SSH, and a normal SSH account lets the user browse the entire Linux filesystem from /. You want to disable shell access, and allow SFTP only into the user's own home directory.

First, you need an OpenSSH release that has the ChrootDirectory option and the in-process sftp server (internal-sftp); both arrived in OpenSSH 4.8, and 5.2 is the current release at the time of writing.

If you try # yum install openssh and it only offers the older 4.x build that ships with CentOS 5, you have to install OpenSSH 5.2 manually.
See this post on how to install OpenSSH 5.2 yourself.

Now that you have OpenSSH 5.2 (or at least 4.8), let's modify /etc/ssh/sshd_config

# comment out this line
#Subsystem sftp /usr/libexec/openssh/sftp-server

# add this line in its place (Subsystem is not allowed inside a Match block)
Subsystem sftp internal-sftp

# add this block at the END of the file: every directive that follows a
# Match line applies only to that match, so anything placed after the
# block would silently become sftp-group-only
Match Group sftp
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Save it, check the syntax with # sshd -t, and restart the daemon with # service sshd restart. Then create the account (username is the user name of the account that you want to give SFTP access):

# groupadd sftp
# useradd username
# passwd username
(set the password of the user)
# usermod -d / username
(inside the chroot the user's home directory is the chroot root, so the home must be / or sshd cannot chdir into it)
# usermod -g sftp username
(the user must be a member of group 'sftp' so that the Match block applies)
# chown root:root /home/username
# chmod 755 /home/username
(sshd refuses the chroot unless the directory and every parent directory are owned by root and writable by nobody else; useradd creates the home with mode 700, which would lock the user out once root owns it)
# mkdir /home/username/upload
# chown username:sftp /home/username/upload
(the chroot root itself must stay read-only for the user, so give them a writable subdirectory for their files)

Voila! Connect to the server with an SFTP client and you land in the chrooted home, with only the upload directory writable. Also confirm that a plain login is refused: ssh username@server should not give a shell, but close the session with a message like "This service allows sftp connections only."
