How do I set up chroot SFTP on Red Hat Enterprise Linux 5?
How do I set up SFTP so that a specially created FTP user cannot get out of its home directory?
How do I set up SFTP such that a user can only access his home directory and its subdirectories? This is called a "chroot jail" in FTP terminology.
Environment
Red Hat Enterprise Linux 5.4
openssh-server-4.3p2-30.el5 or later
Resolution
Chroot SFTP is possible with the OpenSSH package (openssh-server-4.3p2-30.el5) shipped in Red Hat Enterprise Linux 5.4. If you are using an older OpenSSH version than this, upgrade it to openssh-server-4.3p2-30.el5 or later.
Below is a sample chroot SFTP configuration:
1. Create a specific chrooted directory.
mkdir -p /chroot/home
2. Mount it to /home as follows:
mount -o bind /home /chroot/home
3. Edit /etc/ssh/sshd_config as follows (the Subsystem line replaces the existing "Subsystem sftp" line; sshd does not accept two entries for the same subsystem):
ChrootDirectory /chroot
Subsystem sftp internal-sftp
Ensure that the ChrootDirectory path ("/chroot" in this example) and every one of its parent directories are owned by root and are not writable by any other user or group; otherwise sshd refuses the chroot and closes the session. Note that this affects all users: in this version of OpenSSH there is no per-user configuration.
4. Save and exit, then restart sshd:
service sshd restart
Refer to the sshd_config(5) man page for details on ChrootDirectory.
Notes
In RHEL 5, once sftp is configured to use chroot, sshd will not allow any user to log in via normal ssh, including root. A workaround is to run multiple copies of the ssh server (listening on different ports or addresses), one with the default configuration and another instance for chrooted sftp, or to use RHEL 6, which includes a newer version of OpenSSH that allows a chroot environment on a per-user or per-group basis.
Wow, this article is good. A friend recently asked me about this; I will refer her to your post.