Setting up a jailed chrooted SFTP   

 

Here is a brief how-to on setting up a chroot-jailed SFTP for your users, while keeping unrestricted SFTP and shell access for yourself and root.

I'm assuming you have been following the guide at Woodel.com. It's not required, but it will make this a little easier to follow.

 

*Special thanks to Webmin.com and Minstrel.org.uk, where I got most of this info.

 

 

Edit the file /etc/ssh/sshd_config

 

Find the line that says "X11Forwarding yes", comment it out with a #, and replace it with

 

X11Forwarding no

 

You should see something like this...

 

#X11Forwarding yes

X11Forwarding no

 

Find the line that starts with "Subsystem", comment it out with a #, and replace it with

 

Subsystem sftp internal-sftp

 

You should see something like this...

 

#Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp

 

Find the line that says "AllowUsers", comment it out with a #, and replace it with

 

AllowGroups root you mysftpusers

 

You should see something like this...

 

#AllowUsers root

AllowGroups root you mysftpusers

 

Replace "you" with whatever username you chose during your operating system install.

 

Under the line that says "UsePAM yes", add

 

PermitTunnel no

 

You should see something like this...

 

UsePAM yes

PermitTunnel no

 

Navigate to the very bottom of the file and add these lines.

Again, these lines MUST appear at the end of your sshd_config: everything after a Match line applies only to connections matching it, so a Match block placed earlier would turn the global settings below it into group-specific ones.

 

Match Group mysftpusers

AllowTCPForwarding no

ChrootDirectory %h

ForceCommand internal-sftp

 

Save the file; you are done editing /etc/ssh/sshd_config.

 

 

Create a new group, without a password, named mysftpusers.

 

If you're using Webmin, that would look something like this.

(screenshot: Users and Groups)

 

 

 

Add the users you want jailed to the group "mysftpusers".

(screenshot: Add Users)

 

 

Change their shell to /bin/false (this stops them from getting a shell, locally or over SSH; internal-sftp does not need one).

 

If you're using Webmin, that would look something like this.

(screenshot: shell set to /bin/false)

 

 

Repeat that step for every user you want to have jailed, chrooted SFTP.

 

Next, change the owner of every jailed user's home directory to user "root", group "root", with 755 permissions, so that nobody else has write permission. OpenSSH requires this for any directory used as ChrootDirectory: it and every directory above it must be owned by root and not writable by group or others, otherwise sshd refuses the login.

If you have been following the guide at Woodel.com, this part might already be done.

 

If you're using Webmin, that would look something like this.

(screenshot: 755 permissions)

 

Then make each of them a new folder, one level deeper in their home directory, named save_here.

 

Then make them the owner of that "save_here" folder, with 700 permissions.

 

“/home/roommate1/save_here” and deeper is where roommate1 saves files from now on.

 

If you're using Webmin, that would look something like this.

(screenshot: 700 permissions)

 

Again: "/home", "/home/roommate1" and the home directories of all other jailed users are owned by user root, group root, with 755 permissions and not writable by anyone but root. Each user's "save_here" folder has 700 permissions with that user as its owner.

 

Reboot the server, and launch FileZilla from your Windows computer.

 

The host will be

sftp://192.168.2.111 (or whatever your server's IP address is)

 

and the port is 22.

(screenshot: FileZilla SFTP connection)

 

When someone belonging to the mysftpusers group logs in, they won't be able to change directory outside of their home, and can only write to the "save_here" folder and below it.

 

Users not in the mysftpusers group keep normal, unjailed SFTP and remote SSH access. This is very useful for root and yourself, so you can still browse the entire system and still reach the remote shell.

 

 

This is known as a chroot jail, and is a very secure approach. That's it, you're done with the setup, enjoy! The next step is optional.

 

 

Optional:

 

If you don't already have a group for yourself, you should probably make one, so that both you and root can have unjailed access, on the assumption that you're the admin of the box and are trying not to use the root account. In this example I will use username "you", group "you". This is an unjailed user, granted access because he is part of the "you" group AND ALSO not part of the "mysftpusers" group.

 

 

Here is where you gave the "you" group access, in case you need to tweak it.

 

#AllowUsers root

AllowGroups root you mysftpusers

 

Here is where he is not jailed, because he doesn't match this group, "mysftpusers".

 

Match Group mysftpusers

AllowTCPForwarding no

ChrootDirectory %h

ForceCommand internal-sftp

 

 

That's it; you do not need to tweak the file permissions for this one unjailed user.

 
