I've got a CentOs release 6.4 with Digital Ocean and would like to successfully create SFTP users and jail them to the user's own chroot home directory but I fear I'm making a mess of this.
I've tried a lot of things, far too many to list here really as most is probably incorrect or won't make much sense but what I feel should be the correct process and what I have tried is:-
Create a group for sftp:-
groupadd sftp
Create a user and set their home directory:-
useradd -d /var/www/vhosts/domain.com dummyuser
Set a password for the user:-
passwd dummyuser
Change the user's group to 'sftp':-
usermod -g sftp dummyuser
Set the user's shell to /bin/false:-
usermod -s /bin/false dummyuser
Edit Subsystem in sshd_config (/etc/ssh/):-
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Add the following to the bottom of the sshd_config file:-
Match group sftp
    X11Forwarding no
    ChrootDirectory %h
    AllowTcpForwarding no
    ForceCommand internal-sftp
I make sure all the following directories are root:root:-
/var
/var/www
/var/www/vhosts
/var/www/vhosts/domain.com
If I then try to log in to the server via SFTP with the user dummyuser (in WinSCP), I get the following:-
Authentication log (see session log for details):
Using username "dummyuser".
Authentication failed.
All I want to achieve is jailing a user to their home directory. I've also got vsftpd set up and configured. Users could log in fine but would have access to the entire server - I just haven't managed to get jailing to work at all.
Edit
Forgot to mention, I then restarted sshd also:-
service sshd restart
When the error is produced in WinSCP, their help page on this is here.
Log Results
/var/log/secure
I replaced the actual server name with server_name.
Apr 28 14:20:56 server_name sshd[9944]: Accepted password for dummyuser from 80.194.255.4 port 44402 ssh2
Apr 28 14:20:56 server_name sshd[9944]: pam_unix(sshd:session): session opened for user dummyuser by (uid=0)
Apr 28 14:20:56 server_name sshd[9946]: fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/"
Apr 28 14:20:56 server_name sshd[9944]: pam_unix(sshd:session): session closed for user dummyuser
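The "bad ownership or modes for chroot directory component" line above is sshd refusing the chroot because one directory on the path to it is not root-owned or is writable by group/others. The following check, added here and not part of the question or of OpenSSH, walks every component of a ChrootDirectory path and reports which one breaks that rule, so the offending directory can be found before the next login attempt. It takes an injectable stat function so it can be demonstrated against a constructed directory table (BROKEN/FIXED are made-up samples modelled on the paths in the question); run against a live server, call check_chroot_directory("/var/www/vhosts/domain.com") and it uses os.stat.

```python
import os
import stat
from collections import namedtuple

# Added example (not from the question, the answers, or OpenSSH): reproduces the
# rule sshd applies to ChrootDirectory. Every path component, from / down to the
# chroot itself, must be a directory owned by root (uid 0) and must not carry the
# group-write or other-write bit.

PathProblem = namedtuple("PathProblem", ["component", "reason"])


def chroot_path_components(path):
    """Return / and every ancestor of `path`, ending with `path` itself."""
    path = os.path.normpath(path)
    parts = []
    while True:
        parts.append(path)
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return list(reversed(parts))


def check_chroot_directory(path, stat_fn=os.stat):
    """Return a list of PathProblem for each component that sshd would reject.

    An empty list means the chroot path satisfies the ownership/mode rule.
    `stat_fn` defaults to os.stat; a fake can be injected for offline testing.
    """
    problems = []
    for comp in chroot_path_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append(PathProblem(comp, "cannot stat: %s" % exc))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(PathProblem(comp, "not a directory"))
        if st.st_uid != 0:
            problems.append(PathProblem(comp, "owned by uid %d, must be root (uid 0)" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(PathProblem(
                comp, "mode %04o is group- or world-writable" % stat.S_IMODE(st.st_mode)))
    return problems


# --- constructed sample data for an offline demonstration -------------------

FakeStat = namedtuple("FakeStat", ["st_mode", "st_uid"])


def fake_tree(table):
    """Build a stat-like function over a constructed {path: (mode, uid)} table."""
    def _stat(p):
        if p not in table:
            raise OSError("no such directory: %s" % p)
        mode, uid = table[p]
        return FakeStat(stat.S_IFDIR | mode, uid)
    return _stat


# Constructed: mirrors the question's paths, with /var/www/vhosts group-writable
# (0775), which is the kind of defect the log line in the question points at.
BROKEN = {
    "/": (0o755, 0),
    "/var": (0o755, 0),
    "/var/www": (0o755, 0),
    "/var/www/vhosts": (0o775, 0),
    "/var/www/vhosts/domain.com": (0o755, 0),
}
# Constructed: the same tree after `chmod 755 /var/www/vhosts`.
FIXED = dict(BROKEN, **{"/var/www/vhosts": (0o755, 0)})


def demo():
    """Run the check over both constructed trees and return their findings."""
    chroot = "/var/www/vhosts/domain.com"
    return (check_chroot_directory(chroot, fake_tree(BROKEN)),
            check_chroot_directory(chroot, fake_tree(FIXED)))


if __name__ == "__main__":
    broken, fixed = demo()
    for p in broken:
        print("BROKEN tree: %s: %s" % (p.component, p.reason))
    print("FIXED tree problems: %d" % len(fixed))
```

Because the chroot directory itself must be root-owned and not writable by the user, the usual layout is a root-owned home with a subdirectory inside it (for example an upload or web-root directory) owned by the SFTP user, so the user can write there without breaking the rule.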
It's a common pitfall:
All folders up to the chroot home must be owned and only writable by the root user. The folders cannot be group writable - even if the group is root.

I found and successfully configured sftp on CentOS 6.5: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
Edit sshd config:
vim /etc/ssh/sshd_config
Exit and save.
Then:
For a new user named "testuser" (member of the sftp-only group with GID 500):
(I use an empty /etc/skel2 so no .bashrc etc. is copied by default by CentOS)
So in this example, I made it to give secure access to external consulting firms that manage websites. You could after creating all this do:
One could fine tune all this as needed.
Hope this helped!
Guy Boisvert IngTegration inc. http://www.ingtegration.com