Sftp chroot configuration

[[OpenSSH 4.9]]+ (2008) includes a built-in chroot for SFTP: the <code>[[ChrootDirectory]]</code> directive in <code>/etc/ssh/[[sshd_config]]</code>, together with the in-process <code>[[internal-sftp]]</code> server, confines a user to one directory tree without any support files (binaries, libraries, /dev nodes) having to be copied into it.
== Configuration ==

* Read ask Ubuntu, How can I chroot sftp-only SSH users into their homes? https://askubuntu.com/a/206376

=== 1) Modify <code>[[Subsystem]]</code> to <code>[[internal-sftp]]</code> ===

Edit <code>/etc/ssh/[[sshd_config]]</code>: comment out the external <code>sftp-server</code> binary and use the in-process server instead. <code>internal-sftp</code> runs inside the sshd process, so nothing has to exist inside the chroot for it to work:

  #Subsystem sftp /usr/lib/openssh/sftp-server
  Subsystem sftp [[internal-sftp]]
=== 2) Create a user section at the end of the file ===

Append a <code>[[Match]]</code> block for the user at the very end of <code>sshd_config</code>. Every directive after a <code>Match</code> line belongs to that block until the next <code>Match</code>, and <code>Subsystem</code> is not allowed inside one, so if the global <code>Subsystem</code> line ends up after the block, <code>sshd -t</code> reports an error and sshd fails to start (systemd will keep trying to respawn it):

  [[Match]] User john
     [[ChrootDirectory]] [[%h]]
     ForceCommand [[internal-sftp]]
     [[AllowTCPForwarding]] no
     X11Forwarding no

<code>ForceCommand internal-sftp</code> gives the user SFTP only, whatever login shell the account has; disabling TCP and X11 forwarding closes the remaining ways of using the session as a tunnel.
Tokens accepted in <code>ChrootDirectory</code>:

* %u (User)
* %h (home directory)

Multiple users:

  [[Match]] User USER1,USER2

A <code>Match Group</code> line works the same way for every member of a group.

=== 3) Review privileges of the <code>[[ChrootDirectory]]</code> directory ===

sshd only chroots into a directory that is owned by root and not writable by group or others, and it applies the same rule to every component of the path; otherwise the login is rejected and the server log shows <code>bad ownership or modes for chroot directory</code>. With <code>ChrootDirectory %h</code> the user therefore does not own, and cannot write to, the top of their own home; give them a subdirectory they own for uploads (step 4).

=== 4) [[Create a new user account]] ===

As root, create the account and its key directory, then set the password:

  [[useradd --create-home]] USERNAME
  [[su]] - USERNAME
  [[mkdir -p]] ~/[[.ssh]]
  [[chmod]] og-rxw [[~]]/.ssh
  [[touch]] ~/.ssh/[[authorized_keys]] && [[chmod]] og-rw ~/.ssh/authorized_keys
  exit
  [[passwd]] USERNAME

Create the upload directory inside the chroot (under the user's home when <code>ChrootDirectory %h</code> is used) and make the user its owner; do not use <code>chmod 777</code>, which lets every local account write into it:

  [[mkdir -p]] /path/to/directory/upload
  chown USERNAME: /path/to/directory/upload

Add the user to the [[Match]] section in [[/etc/ssh/sshd_config]], then validate the configuration before restarting (<code>sshd -t</code> prints nothing on success and a parse error otherwise):

[[sshd -t]]
 
[[systemctl restart sshd]] && [[systemctl status sshd]]
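The four steps above, as one script. This is an added example written for this page, not code from the wiki's original revision or from OpenSSH; it assumes GNU coreutils (<code>stat -c</code>, <code>install</code>), systemd, a user-private group named after the user, and an <code>sshd_config</code> that already has <code>Subsystem sftp internal-sftp</code> and no <code>Match</code> block after the point where the script appends one. The function names (<code>mode_ok</code>, <code>chroot_path_ok</code>, <code>match_block</code>, <code>setup_sftp_user</code>) and the variables <code>SSHD_CONFIG</code> and <code>SSHD_SERVICE</code> are this example's own. <code>chroot_path_ok</code> reproduces the ownership and mode rule from step 3 so that a bad path is caught before sshd is restarted.

```bash
#!/bin/sh
# Added example (not from the wiki page or OpenSSH): set up an SFTP-only,
# chrooted user with internal-sftp, and check the ChrootDirectory path the
# way sshd does before it agrees to chroot.
# Assumptions: GNU coreutils (stat -c, install), systemd, user-private group
# named after the user, sshd_config already has "Subsystem sftp internal-sftp".

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSHD_SERVICE="${SSHD_SERVICE:-sshd}"   # Debian/Ubuntu name the unit "ssh"

# mode_ok OCTAL: true when neither group nor others have the write bit.
# Accepts 3- or 4-digit octal as printed by "stat -c %a" (755, 0755, 2755).
mode_ok() {
    case $1 in
        ''|?|*[!0-7]*) return 1 ;;      # empty, single digit, or not octal
    esac
    m_rest=${1%??}
    m_go=${1#"$m_rest"}                 # the group and other digits
    case $m_go in
        [2367]?|?[2367]) return 1 ;;    # write bit (2) set for group or other
    esac
    return 0
}

# _check_component PATH: owned by root and not group/world writable?
_check_component() {
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || {
        echo "$1: cannot stat" >&2; return 1; }
    uid=${info%% *}; mode=${info#* }
    if [ "$uid" != 0 ]; then
        echo "$1: owned by uid $uid, must be root" >&2; return 1
    fi
    if ! mode_ok "$mode"; then
        echo "$1: mode $mode is group- or world-writable" >&2; return 1
    fi
    return 0
}

# chroot_path_ok DIR: the rule sshd enforces before chrooting. Every
# component from / down to DIR must be root-owned and not writable by group
# or others; otherwise the login fails and sshd logs
# "bad ownership or modes for chroot directory".
chroot_path_ok() {
    case $1 in /*) ;; *) echo "$1: need an absolute path" >&2; return 1 ;; esac
    cur=/
    _check_component / || return 1
    rest=${1#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}                # next path component
        rest=${rest#"$comp"}; rest=${rest#/}
        [ -n "$comp" ] || continue      # skip doubled or trailing slashes
        cur=${cur%/}/$comp
        _check_component "$cur" || return 1
    done
    return 0
}

# match_block USER: sshd_config section for one SFTP-only user. It belongs at
# the END of the file: every line after "Match" is part of that block until
# the next Match, and Subsystem is not allowed inside a Match block.
match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
EOF
}

# setup_sftp_user USER [UPLOAD_SUBDIR]: run as root.
setup_sftp_user() {
    user=$1; sub=${2:-upload}
    useradd --create-home "$user" || return 1
    home=$(getent passwd "$user" | cut -d: -f6)
    group=$(id -gn "$user")
    # Key material stays owned by the user; StrictModes accepts a path owned
    # by root or by the user as long as nobody else can write to it.
    install -d -m 700 -o "$user" -g "$group" "$home/.ssh"
    install -m 600 -o "$user" -g "$group" /dev/null "$home/.ssh/authorized_keys"
    # ChrootDirectory %h: the home itself must belong to root and be
    # unwritable by the user, who gets a writable subdirectory inside it.
    chown root:root "$home"
    chmod 755 "$home"
    install -d -m 755 -o "$user" -g "$group" "$home/$sub"
    chroot_path_ok "$home" || return 1
    match_block "$user" >> "$SSHD_CONFIG"
    # Validate first: a broken config must never reach a restart.
    sshd -t && systemctl restart "$SSHD_SERVICE"
}

# Usage, as root:  . ./sftp_chroot.sh && setup_sftp_user alice
```

Source the file as root and run <code>setup_sftp_user alice</code>; <code>chroot_path_ok /home/alice</code> can also be run on its own to diagnose a <code>bad ownership or modes for chroot directory</code> failure on an existing account. Compared with the Match block in step 2 the script additionally sets <code>PermitTunnel no</code> and <code>AllowAgentForwarding no</code>, both of which are permitted inside <code>Match</code>.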
 
 
== Logs ==

[[scp]] error (since OpenSSH 9.0 <code>scp</code> uses the SFTP protocol by default, so against an <code>internal-sftp</code> chroot it reports SFTP protocol errors):

   protocol error: mtime.sec not present
<code>sshd -T</code> error when the configuration contains <code>Match</code> blocks but no connection specification was given with <code>-C</code> (every attribute a <code>Match</code> line tests, such as <code>user</code> or <code>lport</code>, has to be supplied there):

  'Match LocalPort' in configuration but 'lport' not in connection test specification.

See also: <code>[[LogLevel]]</code>
 
  
== Related terms ==

* <code>[[useradd]] -m USERNAME</code>
* https://wiki.archlinux.org/index.php/SFTP_chroot

== See also ==
