Difference between revisions of "Sftp chroot configuration"
Jump to navigation
Jump to search
1) Modify
3) Review privileges from
Tags: Mobile web edit, Mobile edit |
Tags: Mobile web edit, Mobile edit |
||
(49 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | [[OpenSSH 4.9]]+ (2008) includes a built-in chroot for SFTP. | |
− | + | == Configuration == | |
+ | * Read ask Ubuntu, How can I chroot sftp-only SSH users into their homes? https://askubuntu.com/a/206376 | ||
+ | |||
+ | |||
+ | |||
+ | === 1) Modify <code>[[Subsystem]]</code> to <code>[[internal-sftp]]</code> === | ||
+ | |||
+ | Modify <code>/etc/ssh/[[sshd_config]]</code> file | ||
#Subsystem sftp /usr/lib/openssh/sftp-server | #Subsystem sftp /usr/lib/openssh/sftp-server | ||
− | Subsystem sftp internal-sftp | + | Subsystem sftp [[internal-sftp]] |
− | 2) | + | === 2) Create a user section at the end of the file (ssh can die respawning if placed after Subsystem line) === |
− | |||
[[Match]] User john | [[Match]] User john | ||
− | ChrootDirectory %h | + | [[ChrootDirectory]] [[%h]] |
− | ForceCommand internal-sftp | + | ForceCommand [[internal-sftp]] |
− | AllowTCPForwarding no | + | [[AllowTCPForwarding]] no |
X11Forwarding no | X11Forwarding no | ||
+ | |||
+ | Others: | ||
+ | * %u (User) | ||
+ | * %h (home directory) | ||
+ | |||
+ | |||
+ | Multiple users: | ||
+ | [[Match]] User USER1,USER2 | ||
+ | |||
Line 25: | Line 40: | ||
X11Forwarding no | X11Forwarding no | ||
+ | === 3) Review privileges from <code>[[ChrootDirectory]]</code> directory === | ||
+ | |||
+ | === 4) [[Create a new user account]] === | ||
+ | [[useradd --create-home]] USERNAME | ||
+ | [[su]] - USERNAME | ||
+ | [[mkdir -p]] ~/[[.ssh]] | ||
+ | [[chmod]] og-rxw [[~]]/.ssh | ||
+ | [[touch]] ~/.ssh/[[authorized_keys]] && [[chmod]] og-rw ~/.ssh/authorized_keys | ||
+ | [[passwd]] USERNAME | ||
+ | |||
+ | [[mkdir -p]] /path/to/directory/upload | ||
+ | chmod 777 /path/to/directory/upload | ||
+ | |||
+ | Add user on [[Match]] section on [[/etc/ssh/sshd_config]] file | ||
+ | |||
+ | [[sshd -t]] | ||
+ | [[systemctl restart sshd]] && [[systemctl status sshd]] | ||
+ | == Logs == | ||
[[scp]] error | [[scp]] error | ||
protocol error: mtime.sec not present | protocol error: mtime.sec not present | ||
Line 32: | Line 65: | ||
'Match LocalPort' in configuration but 'lport' not in connection test specification. | 'Match LocalPort' in configuration but 'lport' not in connection test specification. | ||
+ | See also: <code>[[LogLevel]]</code> | ||
+ | == Related terms == | ||
+ | * <code>[[useradd]] -m USERNAME</code> | ||
+ | * https://wiki.archlinux.org/index.php/SFTP_chroot | ||
== See also == | == See also == |
Latest revision as of 04:41, 27 August 2021
OpenSSH 4.9+ (2008) includes a built-in chroot for SFTP.
Contents
Configuration[edit]
- Read ask Ubuntu, How can I chroot sftp-only SSH users into their homes? https://askubuntu.com/a/206376
1) Modify Subsystem
to internal-sftp
[edit]
Modify /etc/ssh/sshd_config
file
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
2) Create a user section at the end of the file (ssh can die respawning if placed after Subsystem line)[edit]
Match User john ChrootDirectory %h ForceCommand internal-sftp AllowTCPForwarding no X11Forwarding no
Others:
- %u (User)
- %h (home directory)
Multiple users:
Match User USER1,USER2
With double Match rule
Match User john LocalPort 2222 ChrootDirectory %h ForceCommand internal-sftp AllowTCPForwarding no X11Forwarding no
3) Review privileges from ChrootDirectory
directory[edit]
4) Create a new user account[edit]
useradd --create-home USERNAME su - USERNAME mkdir -p ~/.ssh chmod og-rxw ~/.ssh touch ~/.ssh/authorized_keys && chmod og-rw ~/.ssh/authorized_keys passwd USERNAME
mkdir -p /path/to/directory/upload chmod 777 /path/to/directory/upload
Add user on Match section on /etc/ssh/sshd_config file
sshd -t systemctl restart sshd && systemctl status sshd
Logs[edit]
scp error
protocol error: mtime.sec not present
'Match LocalPort' in configuration but 'lport' not in connection test specification.
See also: LogLevel
Related terms[edit]
See also[edit]
Advertising: