Spyderserve Web Development

Lock an sFTP user to a specific directory on CentOS

Gary Kuhlmann - December 13, 2015

Linux

I run into the need to give users access to a specific directory to create and update files for a website or other reason.  I don’t like using ftp because of the plain text password issue so I prefer sftp.  sftp is nice because everything is encrypted and secure but it uses ssh which, if you user is in anyway tech savy, could give the user at least read access to major parts of my server.  This is where chroot comes in.  This setup will “lock” the user to a specific directory (in this case the users set home directory) and I have also added a step to prevent direct ssh access to the server.

1. Edit the /etc/ssh/sshd_config file:

replace:

Subsystem      sftp    /usr/libexec/openssh/sftp-server

With:

Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

2. Add the sftponly group.  Any user added to the group will be limited to only their home directory.

groupadd sftponly

3. Create the needed user and assign the group

useradd [username]
usermod -g sftponly [username]

4. Then change the user’s environment to something other than bash (this prevents the user from logging in using ssh):

usermod -s /bin/false [username]

5. Then set the user’s home desired home directory (this will be the directory that the user is confined to):

usermod -d [path to directory] [username]

6. Restart ssh to apply the changes to the sshd_config file:

service sshd restart

All done, maybe.  A few things to remember.  The root user needs to have ownership of every directory leading up to and including the chroot directory and the permissions need to be set so only the root user has write access (755 or tighter).  This will cause the user being setup not to have write privileges to the directory in question so instead, a sub-directory will need to be used.

If you want the user to be able to use a private/public key pair to access the server then a .ssh directory can be setup in the user’s home directory and the same permission rules apply.

Source: https://bensmann.no/restrict-sftp-users-to-home-folder/

This website uses cookies to improve your browsing experience. Cookies help us remember your preferences, keep you logged in, and understand how you interact with our site. We do not share any personal information collected by cookies with third parties.

Dismiss

Spyderserve  2225 Bemiss Road Suite D Valdosta, Georgia 31602 United States