Hopefully you guys can help and see if I've done something weird here, I'm trying to log in with a user I set up, FileZilla shows me:
Command: open "///@///"
Command: Pass: ********
Status: Connected to ///
Error: Connection closed by server with exitcode 1
Error: Could not connect to server
So, I went into auth.log and I see this:
Feb 12 11:08:49 sshd[12056]: Accepted password for /// from /// port /// ssh2
Feb 12 11:08:49 sshd[12056]: pam_unix(sshd:session): session opened for user /// by (uid=0)
Feb 12 11:08:50 sshd[12164]: subsystem request for sftp by user ///
Feb 12 11:08:50 sshd[12056]: pam_unix(sshd:session): session closed for user ///
This is the passwd entry for the user in question:
///:x:666:666:///,,,:/chroot:/usr/bin/rssh
If I try running rssh myself, I get "Allowed commands: sftp",
so it seems to be set up correctly. As for the folder I've set as the home folder, it's owned by group "sftp" which the user is a member of.
Obviously I'm doing something wrong here, so any tips on what I should try out to get closer to a solution are appreciated.
edit: It works fine if I change /usr/bin/rssh to /bin/bash, but the user can still browse the entire system, which isn't ideal. Basically, I want the user to come straight into a directory, do whatever they want there as far as reading and writing files, but be unable to go up in the file system, run other binary stuff and so on.
1. Create a New Group
Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
2. Create Users (or Modify Existing User)
Let us say you want to create a user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.
The following command creates guestuser, assigns this user to the sftpusers group, makes /incoming the home directory, and sets /sbin/nologin as the shell (which will not allow the user to ssh in and get shell access).
Verify that the user got created properly.
If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:
On a related note, if you have to transfer files from Windows to Linux, use any one of the sftp clients mentioned in this top 7 sftp client list.
3. Setup sftp-server Subsystem in sshd_config
You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).
Modify the /etc/ssh/sshd_config file and comment out the following line:
Next, add the following line to the /etc/ssh/sshd_config file:
It should look like this:
4. Specify Chroot Directory for a Group
You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config:
In the above:
5. Create sftp Home Directory
Since we’ve specified /sftp as ChrootDirectory above, create this directory (which is the equivalent of your typical /home directory).
Now, under /sftp, create the individual directories for the users who are part of the sftpusers group, i.e. the users who will be allowed only to perform sftp and will be in the chroot environment.
So, /sftp/guestuser is equivalent to / for guestuser. When guestuser sftps to the system and performs “cd /”, they’ll see only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.
So, under this directory /sftp/guestuser, create any subdirectory that you would like the user to see. For example, create an incoming directory where users can sftp their files.
6. Setup Appropriate Permission
For chroot to work properly, you need to make sure appropriate permissions are set on the directory you just created above.
Set the ownership to the user, and the group to the sftpusers group, as shown below.
The permission will look like the following for the incoming directory.
The permission will look like the following for the /sftp/guestuser directory.
7. Restart sshd and Test Chroot SFTP
Restart sshd:
Test the chroot sftp environment. As you see below, when guestuser does sftp and does “cd /”, they’ll only see the incoming directory.
When guestuser transfers any files to the /incoming directory from sftp, they’ll really be located under the /sftp/guestuser/incoming directory on the system.
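The permission rules in step 6 are the usual reason a chroot SFTP login is accepted and then immediately closed, as in the question: sshd refuses to chroot unless every component of the ChrootDirectory path is root-owned and not group- or world-writable, and the writable upload directory should belong to the user. The following pre-flight check is an added example, not code from the post; it assumes GNU/busybox stat on Linux, the /sftp/guestuser/incoming layout from the post, and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight checks for the chroot layout
# described in step 6, to run before restarting sshd. sshd only chroots an
# SFTP session if every component of the ChrootDirectory path is owned by
# root and is not group- or world-writable; otherwise it closes the session,
# which from the client looks like "Connection closed by server".
# Only the upload directory inside the chroot should belong to the user.
# Assumes GNU stat (Linux); the function names are ours.

# check_chroot_path DIR [STOP] [OWNER_UID]
# Checks DIR and each ancestor up to, but excluding, STOP (default /).
# OWNER_UID defaults to 0 (root) and is a parameter only so the check can
# be exercised in a scratch tree without root. Returns 0 if all is well.
check_chroot_path() {
    p=$1; stop=${2:-/}; want=${3:-0}; rc=0
    while [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
        info=$(stat -c '%u %a' "$p") || return 2
        uid=${info%% *}; mode=${info##* }
        if [ "$uid" != "$want" ]; then
            echo "FAIL: $p is owned by uid $uid, sshd requires uid $want" >&2
            rc=1
        fi
        # Octal mode: second-to-last digit is group, last is other.
        # A write bit (2) set in either makes sshd refuse the chroot.
        case $mode in
            *[2367][0-7]|*[2367])
                echo "FAIL: $p mode $mode is group- or world-writable" >&2
                rc=1 ;;
        esac
        p=$(dirname "$p")
    done
    return $rc
}

# check_upload_dir DIR USER GROUP
# The writable directory inside the chroot (e.g. /sftp/guestuser/incoming)
# should be owned by the SFTP user and the sftpusers group.
check_upload_dir() {
    info=$(stat -c '%U %G' "$1") || return 2
    [ "$info" = "$2 $3" ] && return 0
    echo "FAIL: $1 is owned by '$info', expected '$2 $3'" >&2
    return 1
}

# Example run against the layout from the post (requires that tree to exist):
#   check_chroot_path /sftp/guestuser &&
#   check_upload_dir /sftp/guestuser/incoming guestuser sftpusers &&
#   echo "chroot layout OK, safe to restart sshd"
```

Run it as root on the real /sftp tree; a FAIL line names the exact component sshd will reject, which is what the sshd log reports as "bad ownership or modes for chroot directory".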