Create a chroot jail
This article describes how to configure a chroot jail by using both Debian® and RPM Package Manager (RPM)-based distributions.
These instructions create the chroot jail by using the following example group and user names:
-
Group: sftponly
-
User: ftpuploader
Create a group for jailed users
Use the following instructions to create a group for jailed users:
-
Create the jailed group by using the following command:
groupadd sftponly
Note: This group is used to restrict or jail users to their home directory.
-
Open /etc/ssh/sshd_config in a text editor and edit the file by using the following steps:
-
Comment out the following line by placing a number sign (
#
) before the line:Before:
Subsystem sftp /usr/libexec/openssh/sftp-server
After:
#Subsystem sftp /usr/libexec/openssh/sftp-server
-
Add the following lines to the end of the configuration file:
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h X11Forwarding no AllowTCPForwarding no ForceCommand internal-sftp`
-
-
Verify that the syntax is correct in the new configuration and reload sshd by using the following commands:
sshd –t
service sshd reload
Create a Secure File Transfer Protocol user
Use the following steps to create a Secure File Transfer Protocol (SFTP) user:
-
Create a home directory for the SFTP user by using the following command:
mkdir -p /home/chroot/ftpuploader/public
-
Create a new user with a home directory that has no shell access, and add it to the group sftponly by using the following command:
useradd -d /home/chroot/ftpuploader -s /sbin/nologin -G sftponly ftpuploader
-
If you already have an SFTP user created, then you need to set the user's shell access to /sbin/nologin and add them to group sftponly by using the following command:
usermod -s /sbin/nologin -G sftponly ftpuploader
-
Now, set a new password for the SFTP user by using the following command:
Passwd ftpuploader
-
Change permissions and ownership of the home directory using RPM and Debian-based distributions as shown in the following code:
chown root:root /home/chroot/ftpuploader/
chown ftpuploader:sftponly /home/chroot/ftpuploader/public
chmod 711 /home/chroot/
chmod 755 /home/chroot/ftpuploader/
chmod 755 /home/chroot/ftpuploader/public
Note: In the preceeding commands, the group is sftponly if the user is going to be part of the sftponly group.
Updated about 1 year ago