Restricting SFTP users with chrooted access
The scope of this post decribes how to give users chrooted SFTP access to your system. In a nutshell your users will be tied-down in a specific directory which they will not be able to move out from, thus preventing then from seeing you entire system.
Whilst this works happily in my lab environment, I do not issue any guarantee that this will work for you!
Enabling SFTP is very easy to do, simply open /etc/ssh/sshd_config...
# vi /etc/ssh/ssh_config
...replace:
Subsystem sftp
with:
Subsystem sftp internal-sftp
Then at the end of the configuration file, add the following lines for each user you want to chroot:
For a given user, use:
Match User mchurchi ChrootDirectory /home AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp
Instead of adding a entry for each user, you can also chroot groups, for example:
For a given group, use:
Match Group sftp-only ChrootDirectory /home AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp
This would chroot all members of the sftp-only group to the /home directorey
NOTE: Don't forget to add the individiual isers to the sftp-only group in /etc/group
.
If you chroot multiple users to the same directory, but don't want users to browse the home directories of the other users, you can change the permissions of each home directory, for example:
chmod 0700 /home/mchurchi
Restart SSH
/etc/init.d/ssh restart
Afterwards you users can log in with there favourite SFTP client
NOTE: At this point the users/groups that we have specified in /etc/ssh/sshd_config will only have SFTP access. SSH will not work for these users because an SSH chroot environment needs additional files to work (and because we use ForceCommand internal-sftp). See my other post on restricting ssh users with chrooted access