set up Chroot Sftp on Red Hat Enterprise Linux 5

       How do I set up Chroot Sftp on Red Hat Enterprise Linux 5 ?

       How to setup sftp so that a specially-created ftp user can't get out of its home directory?

       How to setup sftp such that user can only access to his home directory and its subdirectories? It is called a "chroot-jail" in FTP terminology.

Environment

       Red Hat Enterprise Linux 5.4

       openssh-server-4.3p2-30.el5 or later

Resolution

Chroot sftp is possible with openssh (openssh-server-4.3p2-30.el5) which is shipped in Red Hat enterprise Linux 5.4. If you are using an older openssh version than this, upgrade it to openssh-server-4.3p2-30.el5 or later.

Below is a sample chroot sftp configuration :

   1.  Create a specific chrooted directory.

mkdir /chroot/home

   2.  Mount it to /home as follows:

mount -o bind /home /chroot/home

   3.  Edit /etc/ssh/sshd_config as follows:

ChrootDirectory /chroot

Subsystem sftp internal-sftp

Please ensure the directories of ChrootDirectory, "/chroot" in this example, are root owned directories and are not writable by any other user or group. This affects all users, however. There is no per-user configuration.

4. Save & Exit

service sshd restart

Please refer to sshd_config man page for details on ChrootDirectory

Notes

In RHEL5, Once sftp configured to use chroot, it will not allow users to login via normal ssh including root. A workaround is to run multiple copies of ssh server ( listening on different port/address) , one with the default configuration and another instance for chrooted sftp  or use RHEL 6 which includes a newer version of openssh that allows chroot environment on a per-user/group basis.