OpenSSH 4.9+ includes a built-in chroot for sftp, but requires a few tweaks to the normal install.
You can create a rule to jail either single users or whole groups; it is very simple. To create a rule based on a group, do the following.
- Override the default subsystem “/usr/libexec/openssh/sftp-server” in /etc/ssh/sshd_config with internal-sftp, create a group that will contain all SFTP-only users, and add the user to this group.
- The commented-out “Match User” line shows how to apply the same rules to a single user instead of a group.
# groupadd sftponly
# gpasswd -a kdiegorsantos sftponly
Comment out the existing “Subsystem sftp” line first: sshd refuses to start when the sftp subsystem is defined twice. The Match block is appended at the end of the file, which is where sshd requires Match blocks to be.
# sed -i '/^Subsystem[[:space:]]*sftp/s/^/#/' /etc/ssh/sshd_config
# cat <<EOF >> /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match Group sftponly
# Match User kdiegorsantos
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
EOF
The chroot directory must be owned by root.
# chown root:root /home/kdiegorsantos
# chmod 755 /home/kdiegorsantos
The directory must not be writable by group or others, or sshd rejects the chroot; 755 keeps it root-writable only while still letting the user list it (with 700 the chrooted user could not even read its own top-level directory).
Change the user's shell to prevent interactive SSH login.
# usermod -s /bin/false kdiegorsantos
After changing the SSH config file, restart the daemon so the new rules take effect.
# service sshd restart
Now users in the group sftponly can only establish SFTP connections; an interactive login is refused.
[root@server002 ~]# ssh -l kdiegorsantos server001
kdiegorsantos@server001's password:
This service allows sftp connections only.
Connection to server001 closed.
[root@server002 ~]#
If a user is able to write to the chroot directory, it is possible for them to escalate their privileges to root and escape the chroot, which is why sshd insists on root ownership. One way around this is to give the user two home directories: a “real” home they can write to, and an SFTP home that is locked down to keep sshd happy and your system secure. Using mount --bind, you can make the real home directory appear as a subdirectory inside the SFTP home directory, giving the user full access to their real home through SFTP.
# mkdir -p /home/chroot/kdiegorsantos
# mount --bind /home/kdiegorsantos /home/chroot/kdiegorsantos
# echo '/home/kdiegorsantos /home/chroot/kdiegorsantos none bind' >> /etc/fstab
With this layout /home/chroot is the locked-down SFTP home: point ChrootDirectory at it in sshd_config and keep it owned by root and not writable by the user, while /home/kdiegorsantos stays the user's own writable home. The fstab entry makes the bind mount survive a reboot.
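Because a chroot directory that fails the ownership or permission rule makes sshd silently refuse every login from the group, it pays to check the path before restarting the daemon. The helper below is an added example, not code from the original post: it applies the same rule sshd enforces on ChrootDirectory (every component from / down to the directory itself must be owned by root and not writable by group or others), assuming Linux with GNU coreutils stat; the function names are our own.

```shell
# Added example (not from the original post): apply the rule sshd itself uses for
# ChrootDirectory, catching a bad chroot before "service sshd restart".
# Assumes Linux with GNU coreutils stat; the function names are our own.

# One component passes only if root-owned (uid 0) and not group/other-writable.
# $1 = owner uid, $2 = mode as stat -c %a prints it (755, 2755, ...); 0 = ok.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    perm=${mode#"${mode%???}"}         # keep the last three digits only
    group=${perm#?}; group=${group%?}  # middle digit (group)
    other=${perm#??}                   # last digit (others)
    # An octal permission digit with the write bit set is 2, 3, 6 or 7.
    case $group$other in
        *[2367]*) return 1 ;;
    esac
    return 0
}

# Read "path uid mode" lines (one per component) from stdin.  Print the first
# offending component and return 1, or print "ok" and return 0.
check_components() {
    while read -r path uid mode; do
        if ! component_ok "$uid" "$mode"; then
            echo "bad ownership or modes for chroot component: $path (uid=$uid mode=$mode)"
            return 1
        fi
    done
    echo ok
}

# Emit "path uid mode" for / and every directory on the way to the chroot dir,
# which is exactly the set sshd inspects before it calls chroot(2).
chroot_components() {
    dir=$1
    list=""
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        list="$dir $list"
        dir=$(dirname "$dir")
    done
    for c in / $list; do
        printf '%s %s\n' "$c" "$(stat -c '%u %a' "$c")"
    done
}
# Check a real directory, e.g. check_chroot_path /home/chroot
check_chroot_path() {
    chroot_components "$1" | check_components
}
```

Run check_chroot_path against the directory named in ChrootDirectory (here /home/chroot) as root; a "bad ownership or modes" line names the component to fix, and matches the reason sshd writes to its log when it refuses the session.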