Difference between revisions of "Sftp chroot configuration"

From wikieduonline
Jump to navigation Jump to search
Tags: Mobile web edit, Mobile edit
Tags: Mobile web edit, Mobile edit
Line 1: Line 1:
 +
[[OpenSSH 4.9]]+ includes a built-in chroot for SFTP.
 +
  
 
== Configuration ==
 
== Configuration ==

Revision as of 07:06, 21 April 2021

OpenSSH 4.9+ includes a built-in chroot for SFTP.


Configuration



1) Modify Subsystem to internal-sftp

Modify /etc/ssh/sshd_config file
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp


2) Create a user section at the end of the file (ssh can die respawning if placed after Subsystem line)

Match User john
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTCPForwarding no
   X11Forwarding no

Others:

  • %u (User)
  • %h (home directory)


Multiple users:

 Match User USER1,USER2


With double Match rule

Match User john LocalPort 2222 
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTCPForwarding no
   X11Forwarding no

3) Review privileges from ChrootDirectory directory

4) Create a new user account

useradd --create-home USERNAME
su - USERNAME
mkdir -p ~/.ssh
chmod og-rxw ~/.ssh
touch ~/.ssh/authorized_keys && chmod og-rw ~/.ssh/authorized_keys
passwd USERNAME
mkdir -p /path/to/directory/upload
chmod 777 /path/to/directory/upload
Add user on Match section on /etc/ssh/sshd_config file
sshd -t
systemctl restart sshd

Logs

scp error

 protocol error: mtime.sec not present

sshd -T

'Match LocalPort' in configuration but 'lport' not in connection test specification.

See also: LogLevel

Related terms

See also

Advertising: