chroot'ing sftp and scp users

[berky]

Ok, so here's the situation. Let's assume that I have a file server that will be host to 500+ users (enough that I don't want thousands of duplicate files). What I want to do, however, is chroot each user to their home directory so that if they are using sftp and try to cd / or whatever, they won't go anywhere but their home (or if they scp a file to / or whatever, it will stay in their home dir). I've read some things about rssh and it seems like the solution I want (I dont' want users to be able to ssh to the server), but from what I've read, it seems like you have to copy like 10 or so files and all kinds of directory structures to *each* user's home directory. I know this could be scripted fairly easily or put into the skel, but I don't even want them to see that directory structure or any of the files that would be copied into their dirs.

thanks.

 

[requiemnoise]

read this article.
http://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html

it is easier to set up ftp over ssl. since most ftp servers support jailing.

 

[eeyrjmr]

http://www.howtoforge.com/chrooted_ssh_howto_debian

 

[berky]

thanks for the responses. after a lot more searching, i found what I'm looking for, but I'm having some trouble that I can figure out. (this was apparently only added into openssl in 2008 sometime from what i can tell)

What I did:

modified /etc/ssh/sshd_config

# override default of no subsystems
#Subsystem	sftp	/usr/libexec/openssh/sftp-server
Subsystem	sftp	internal-sftp

# Example of overriding settings on a per-user basis
Match group untrust
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp
	ChrootDirectory /home/%u

then I create a user called untrust1 as the following (the skel is just blank so i dont' get the .bash* files):

groupadd untrust

useradd -k /etc/skel_sshuser/ -d /home/untrust1 -G untrust -m -s /usr/bin/rssh untrust1

# apparently using the ChrootDirectory setting in the sshd_config file requires the dir to be owned by root
chown root:untrust1 /home/untrust1
chmod 750 /home/untrust1


ok, so this works perfect for what I want EXCEPT, the user cannot write to the directory, which is what I need. If i simply set the permissions on the home dir to 760 or 770, I get the following error:

$ sftp untrust1@<server>
Connecting to <server>...
untrust1@<server>'s password: 
Read from remote host <server>: Connection reset by peer
Couldn't read packet: Connection reset by peer

Any ideas why this happens when changing the permissions?

 

[Durafein]

ChrootDirectory
Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group.

So you need to set the permissions to 750 and create a directory inside the chroot with the correct permissions to allow people to upload files.