
sftp chroot

Posted on: 2014-03-11 10:04:02
yehlu
http://www.serverubuntu.it/SFTP-chroot

Chroot SFTP users with OpenSSH
OpenSSH configuration
You need to edit the file /etc/ssh/sshd_config and configure OpenSSH to use its internal SFTP subsystem; this is needed to simplify the Chroot creation (we will not need to copy additional libraries inside the Chroot). Just add the following statements at the end of the file:
Subsystem sftp internal-sftp

Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Of course you can customize the ChrootDirectory value to match the users' home folder path; in this case it is just set to "%h", which is a placeholder that gets replaced at run-time with the home folder path. Now just restart OpenSSH:
sudo /etc/init.d/ssh restart
User creation
Just create a user as you normally would, then change the ownership of their home directory, disable shell access and add the user to the sftp group to match the previous sshd_config configuration.
sudo useradd myuser
sudo passwd myuser
sudo usermod -s /bin/false myuser            # no shell: SFTP only
sudo usermod -d /var/www/myuser myuser       # home directory = ChrootDirectory (%h)
sudo chown root:root /var/www/myuser         # the chroot root must be owned by root
sudo addgroup sftp
sudo adduser myuser sftp                     # matches "Match Group sftp"
Take special care with the owner and permissions along the entire path: every folder must be owned by "root:root" and have 755 permissions. For instance:
chown root:root /var /var/www /var/www/myuser
chmod 755 /var /var/www /var/www/myuser
If your users are uploading files that need to be read by the www-data user, remember also to put www-data in the appropriate group:
sudo adduser www-data myuser
Don't forget to check file permissions, groups, etc., and to test everything from an SFTP client; then you should be good to go.