Dec 10, 2010

Configure SFTP Server using chroot jail in Linux

Release:
RedHat Enterprise Linux
OpenSSH 5.6p1

Problem:
Configure the SFTP server on a per-user basis (restrict each user to their own home directory) using a chroot() jail on RedHat Enterprise Linux

Solution:

1)      Install the latest OpenSSH version; it must support the chroot() function (the ChrootDirectory option)

2)      Configure OpenSSH to use its internal SFTP subsystem by editing the sshd_config file

# vi /etc/ssh/sshd_config

Replace
Subsystem sftp /usr/local/libexec/sftp-server
by
Subsystem sftp internal-sftp

3)      Now configure the chroot() jail with a Match rule by adding the entries below at the end of the sshd_config file (a Match block must come last, because every directive after a Match line applies only to that match)

# vi /etc/ssh/sshd_config

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Note: Here %u expands to the username, so every user in the sftponly group is chrooted into their own home directory. The chroot directory (and each of its parent directories) must be owned by root and must not be writable by group or others, otherwise sshd refuses the login.

4)      Add a new group named sftponly

# groupadd sftponly

5)      Create a new user for restricted SFTP. First create the user's home directory, then add the user and set the user's home directory to / (the root of the jail)

# mkdir /home/test
# useradd -g sftponly test
# usermod -d / test

Note: Create the home directory as root so that it stays root-owned, as the chroot requires. Because the directory already exists, useradd prints a warning like this: "useradd: warning: the home directory already exists"

6)      Now test the configuration from the client side

[root@server Desktop]# sftp test@192.168.1.7
Connecting to 192.168.1.7...
test@192.168.1.7's password:
sftp> ls
IN
sftp> cd IN
sftp> ls
sftp> mput 1.png
Uploading 1.png to /IN/1.png
1.png 100% 90KB 90.4KB/s 00:00
sftp> ls
1.png
sftp> bye

7)      Test the SFTP server from a Windows client using “WinSCP” or “FileZilla”.

3 comments:

Anonymous said...

Hi,
ssh jail works fine, but how do we get a "jail restricted user" to change password?

siddhesh said...

Thanks Mugu for the help, the steps are perfect and work fine except the chroot /sftp/%u; the %u does not work for me. Can you help me?
Thanks
Siddhesh

Mugu said...

Siddhesh, to enable sftp with chroot you need OpenSSH version 4.8p1 or newer.