Sftp chroot configuration

From wikieduonline

OpenSSH 4.9+ (2008) includes a built-in chroot for SFTP.


Configuration[edit]

1) Modify Subsystem to internal-sftp[edit]

Modify /etc/ssh/sshd_config file
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp


2) Create a user section at the end of the file (every line after a Match line belongs to that Match block, so sshd fails to restart if a global directive such as Subsystem ends up after it)[edit]

Match User john
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTCPForwarding no
   X11Forwarding no

Other tokens accepted by ChrootDirectory:

  • %u (User)
  • %h (home directory)


Multiple users:

 Match User USER1,USER2


With two Match criteria (user and local port):

Match User john LocalPort 2222
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTCPForwarding no
   X11Forwarding no

3) Review the ownership and permissions of the ChrootDirectory path[edit]

sshd refuses the session unless the ChrootDirectory and every directory above it are owned by root and not writable by group or others (the failure is logged as "bad ownership or modes for chroot directory component"). The user therefore writes only inside a subdirectory below the chroot, such as upload/.

4) Create a new user account[edit]

useradd --create-home USERNAME
su - USERNAME
mkdir -p ~/.ssh
chmod og-rxw ~/.ssh
touch ~/.ssh/authorized_keys && chmod og-rw ~/.ssh/authorized_keys
passwd USERNAME
# the chroot directory itself stays root-owned; the user writes only below it
mkdir -p /path/to/directory/upload
chmod 777 /path/to/directory/upload   # world-writable; chown USERNAME with mode 755 is the narrower choice
Add the user to the Match block in /etc/ssh/sshd_config, then:
sshd -t
systemctl restart sshd && systemctl status sshd
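The two checks that most often decide whether an internal-sftp chroot works are the ownership and modes along the ChrootDirectory path (step 3) and the effective Match block for a given user and port (sshd -T with a connection spec, see Logs below). The script here is an added example, not part of the wiki page: the function names are its own, it assumes GNU stat, assumes ChrootDirectory %h maps to /home/USER, and uses 127.0.0.1 as a placeholder client address for the sshd -T -C spec. The third argument of check_chroot_path exists only so the walk can be tested on a temporary tree; in production leave it at / so every component up to the root is checked, which is what sshd does.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify an internal-sftp chroot setup.
# Names, paths and the 127.0.0.1 address are this example's own assumptions.

# Check one directory: owned by WANT_UID (0 = root) and not writable by group/other.
check_chroot_dir() {
    d=$1
    want_uid=${2:-0}
    uid=$(stat -c '%u' "$d" 2>/dev/null) || { echo "FAIL $d: cannot stat"; return 2; }
    sym=$(stat -c '%A' "$d")            # e.g. drwxr-xr-x (GNU stat)
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $d: owned by uid $uid, sshd requires uid $want_uid"
        return 1
    fi
    case $sym in
        ?????w*|????????w*)             # group write bit (char 6) or other write bit (char 9)
            echo "FAIL $d: group/other writable ($sym)"
            return 1 ;;
    esac
    echo "ok   $d ($sym, uid $uid)"
}

# Walk from the ChrootDirectory up to TOP (default /) and check every component.
# A TOP other than / is only for testing; sshd itself always checks up to /.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    status=0
    while :; do
        check_chroot_dir "$dir" "$want_uid" || status=1
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $status
}

# Build the connection spec sshd -T -C needs once a Match LocalPort rule exists.
sshd_match_spec() {
    user=$1
    lport=${2:-22}
    addr=${3:-127.0.0.1}                 # placeholder client address
    printf 'user=%s,addr=%s,lport=%s' "$user" "$addr" "$lport"
}

# Print the sftp-related settings sshd would apply to that user (needs root and sshd).
effective_sftp_config() {
    spec=$(sshd_match_spec "$@")
    sshd -T -C "$spec" | grep -Ei '^(chrootdirectory|forcecommand|allowtcpforwarding|x11forwarding|subsystem) '
}

if [ $# -gt 0 ]; then                    # usage: sh check_sftp_chroot.sh john 2222
    check_chroot_path "/home/$1"         # assumes ChrootDirectory %h -> /home/USER
    command -v sshd >/dev/null && effective_sftp_config "$1" "${2:-22}"
fi
```

A world-writable upload/ directory fails the check on purpose: it is below the chroot and is meant to be writable, so only pass the ChrootDirectory itself (here /home/USER) to check_chroot_path, not the upload subdirectory.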

Logs[edit]

scp error

 protocol error: mtime.sec not present

sshd -T, run without a connection specification while the configuration contains a Match LocalPort rule, reports:

'Match LocalPort' in configuration but 'lport' not in connection test specification.

See also: LogLevel
