Chroot SFTP users

OpenSSH supports jailing SFTP users to a directory (using chroot) just by changing its configuration file:

Basically you add the users you want to jail to a linux user group (sftp) and add the following lines to /etc/ssh/sshd_config:

### Comment out the following line:
#Subsystem sftp /usr/lib/openssh/sftp-server
### and replace with:
Subsystem sftp internal-sftp

### And add this "Match" rule to chroot users in the sftp group:
Match group sftp
    X11Forwarding no
    ChrootDirectory %h
    AllowTcpForwarding no
    ForceCommand internal-sftp

Just to be complete, here are the lines to add a new user and add it to the group and set up the permissions for chroot:

NEWUSERNAME="sftpuser"
addgroup sftp
adduser $NEWUSERNAME
# fix ownership:
chown root:$NEWUSERNAME /home/$NEWUSERNAME
chmod 750 /home/$NEWUSERNAME
# create a writable folder
mkdir /home/$NEWUSERNAME/files
chown $NEWUSERNAME: /home/$NEWUSERNAME/files
# add the user to the group sftp:
adduser $NEWUSERNAME sftp

The reason why you need to set the permissions that way is that if you don't, the chroot will fail. The message for the sftp/ssh user after trying to connect is:

Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

And in the /var/log/auth.log you find an entry like this:

May 20 11:43:59 lion sshd[15393]: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
May 20 11:43:59 lion sshd[15395]: fatal: bad ownership or modes for chroot directory "/home/sftpuser"
May 20 11:43:59 lion sshd[15393]: pam_unix(sshd:session): session closed for user sftpuser

The reason for this behaviour is that a chroot needs some requirements:

  • root must be the owner of the new user's home directory
  • The group and the others must not have write permissions
  • You can't chroot into a file ^^

Disabling SSH access for those users

This is not needed if you set the setting ForceCommand internal-sftp. But if you are paranoid, you can also disable real shell access for the user by setting the terminal to /bin/false:

usermod -s /bin/false $NEWUSERNAME

Adding basic SSH access again

Remove ForceCommand internal-sftp in the sshd_config to allow other than sftp commands.

To be able to user a shell, it must be available from the inside of the chroot directory. In addition you need to bind some device files in /dev. This is well explained in the section Shell-User on http://openbsd.maroufi.net/sshchroot.shtml (German).

Resources

Comments