Difference between revisions of "Sftp chroot configuration"
Jump to navigation
Jump to search
1) Modify
3) Review privileges from
Tags: Mobile web edit, Mobile edit |
|||
| (26 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | [[OpenSSH 4.9]]+ (2008) includes a built-in chroot for SFTP. | ||
| + | |||
== Configuration == | == Configuration == | ||
| − | * Read https://askubuntu.com/a/206376 | + | * Read ask Ubuntu, How can I chroot sftp-only SSH users into their homes? https://askubuntu.com/a/206376 |
| − | |||
| − | |||
| + | === 1) Modify <code>[[Subsystem]]</code> to <code>[[internal-sftp]]</code> === | ||
| + | |||
| + | Modify <code>/etc/ssh/[[sshd_config]]</code> file | ||
#Subsystem sftp /usr/lib/openssh/sftp-server | #Subsystem sftp /usr/lib/openssh/sftp-server | ||
Subsystem sftp [[internal-sftp]] | Subsystem sftp [[internal-sftp]] | ||
| − | 2) | + | === 2) Create a user section at the end of the file (ssh can die respawning if placed after Subsystem line) === |
| − | |||
[[Match]] User john | [[Match]] User john | ||
[[ChrootDirectory]] [[%h]] | [[ChrootDirectory]] [[%h]] | ||
ForceCommand [[internal-sftp]] | ForceCommand [[internal-sftp]] | ||
| − | AllowTCPForwarding no | + | [[AllowTCPForwarding]] no |
X11Forwarding no | X11Forwarding no | ||
| Line 38: | Line 40: | ||
X11Forwarding no | X11Forwarding no | ||
| − | 3) Review privileges from <code>[[ChrootDirectory]]</code> directory | + | === 3) Review privileges from <code>[[ChrootDirectory]]</code> directory === |
| − | == | + | === 4) [[Create a new user account]] === |
[[useradd --create-home]] USERNAME | [[useradd --create-home]] USERNAME | ||
| − | [[mkdir -p]] | + | [[su]] - USERNAME |
| − | [[ | + | [[mkdir -p]] ~/[[.ssh]] |
| − | + | [[chmod]] og-rxw [[~]]/.ssh | |
| − | [[touch]] ~/.ssh/authorized_keys && chmod og- | + | [[touch]] ~/.ssh/[[authorized_keys]] && [[chmod]] og-rw ~/.ssh/authorized_keys |
| + | [[passwd]] USERNAME | ||
[[mkdir -p]] /path/to/directory/upload | [[mkdir -p]] /path/to/directory/upload | ||
chmod 777 /path/to/directory/upload | chmod 777 /path/to/directory/upload | ||
| − | Add user on [[Match]] section on [[sshd_config]] file | + | Add user on [[Match]] section on [[/etc/ssh/sshd_config]] file |
[[sshd -t]] | [[sshd -t]] | ||
| − | [[systemctl restart]] sshd | + | [[systemctl restart sshd]] && [[systemctl status sshd]] |
== Logs == | == Logs == | ||
| Line 62: | Line 65: | ||
'Match LocalPort' in configuration but 'lport' not in connection test specification. | 'Match LocalPort' in configuration but 'lport' not in connection test specification. | ||
| + | See also: <code>[[LogLevel]]</code> | ||
| − | == Related | + | == Related terms == |
* <code>[[useradd]] -m USERNAME</code> | * <code>[[useradd]] -m USERNAME</code> | ||
| + | * https://wiki.archlinux.org/index.php/SFTP_chroot | ||
== See also == | == See also == | ||
Latest revision as of 04:41, 27 August 2021
OpenSSH 4.9+ (2008) includes a built-in chroot for SFTP.
Contents
Configuration[edit]
- Read ask Ubuntu, How can I chroot sftp-only SSH users into their homes? https://askubuntu.com/a/206376
1) Modify Subsystem to internal-sftp[edit]
Modify /etc/ssh/sshd_config file
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
2) Create a user section at the end of the file (ssh can die respawning if placed after Subsystem line)[edit]
Match User john ChrootDirectory %h ForceCommand internal-sftp AllowTCPForwarding no X11Forwarding no
Others:
- %u (User)
- %h (home directory)
Multiple users:
Match User USER1,USER2
With double Match rule
Match User john LocalPort 2222 ChrootDirectory %h ForceCommand internal-sftp AllowTCPForwarding no X11Forwarding no
3) Review privileges from ChrootDirectory directory[edit]
4) Create a new user account[edit]
useradd --create-home USERNAME su - USERNAME mkdir -p ~/.ssh chmod og-rxw ~/.ssh touch ~/.ssh/authorized_keys && chmod og-rw ~/.ssh/authorized_keys passwd USERNAME
mkdir -p /path/to/directory/upload chmod 777 /path/to/directory/upload
Add user on Match section on /etc/ssh/sshd_config file
sshd -t systemctl restart sshd && systemctl status sshd
Logs[edit]
scp error
protocol error: mtime.sec not present
'Match LocalPort' in configuration but 'lport' not in connection test specification.
See also: LogLevel
Related terms[edit]
See also[edit]
Advertising:
