Monday, August 22, 2011

set up Chroot Sftp on Red Hat Enterprise Linux 5

*       How do I set up chroot SFTP on Red Hat Enterprise Linux 5?
*       How do I set up sftp so that a specially created ftp user cannot get out of its home directory?
*       How do I set up sftp such that a user can only access his home directory and its subdirectories? This is called a "chroot jail" in FTP terminology.

Environment

*       Red Hat Enterprise Linux 5.4
*       openssh-server-4.3p2-30.el5 or later

Resolution

Chroot sftp is possible with the openssh (openssh-server-4.3p2-30.el5) shipped in Red Hat Enterprise Linux 5.4. If you are using an older openssh version than this, upgrade it to openssh-server-4.3p2-30.el5 or later.

Below is a sample chroot sftp configuration:

   1.  Create a specific chrooted directory:
mkdir /chroot/home

   2.  Bind-mount /home onto it as follows:
mount -o bind /home /chroot/home

   3.  Edit /etc/ssh/sshd_config as follows:
ChrootDirectory /chroot
Subsystem sftp internal-sftp

Please ensure that the ChrootDirectory path components ("/chroot" in this example) are owned by root and are not writable by any other user or group. Note that this affects all users; there is no per-user configuration.

   4.  Save and exit, then restart sshd:
service sshd restart

Please refer to the sshd_config man page for details on ChrootDirectory.

Notes

In RHEL 5, once sftp is configured to use chroot, sshd will not allow any user, including root, to log in via normal ssh. A workaround is to run multiple copies of the ssh server (listening on different ports or addresses), one with the default configuration and another instance for chrooted sftp, or to use RHEL 6, which includes a newer version of openssh that allows a chroot environment on a per-user or per-group basis.

1 comment:

  1. Wow, this article is good, a friend recently asked me about this, I will refer her to your post. chroot linux
