[BlueOnyx:01140] How to chroot a user via sftp
"Ing. Ernesto Pérez Estévez"
centos at nuestroserver.com
Tue Apr 28 14:09:50 -05 2009
OK, I managed to chroot a site admin so he can only sftp to his site.
First of all, many thanks to this howto:
http://adamsworld.name/chrootjailv5.php
I used steps 7 and 8 of this howto in order to somehow allow chrooted
sftp to my BlueQuartz.
My customer's site is located under site1 (/home/.sites/28/site1) and I
managed to chroot the site admin (bgr) into this dir, here is the howto:
I downloaded and installed openssh-5.1 from David Hrbac's repos:
http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-askpass-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-clients-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-server-5.1p1-3.el5.hrb.i386.rpm
rpm -Uvh openssh*
service sshd restart
After restarting nothing special should happen; just try to log in as
root and you will see it is perfectly possible.
These RPMs are well tested and I trust David's RPMs 100%; he is a
frequent contributor to CentOS (take a look at the CentOS lists).
Now, here comes the trick, edit:
vi /etc/ssh/sshd_config
and go to the last page: comment out and add the following lines:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Then add at the very end the following:
Match Group site1
ChrootDirectory /home/.sites/28/site1
ForceCommand internal-sftp
AllowTcpForwarding no
What I'm saying here is: chroot all customers belonging to group site1
into /home/.sites/28/site1.
Then
chmod 755 /home/.sites
chmod 755 /home/.sites/28
chmod 755 /home/.sites/28/site1
chown root.root /home/.sites/28/site1
This is because openssh refuses to chroot into a directory that is group- or
other-writable, and the chrooted dir must belong to root.root.
Now:
service sshd restart
Then I:
sftp bgr@1.2.3.4
and I was able to log in via sftp and chrooted.
I also verified that I was able to log in via ssh using the root account
(before leaving the current session).
It works.
best regards
epe
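The ownership and mode requirement mentioned in the post (every component of the ChrootDirectory path owned by root and not group- or other-writable) can be checked before restarting sshd. This is an added example, not code from the original post or from BlueOnyx; the function names are my own, the path is the one from the post, and it assumes GNU stat (as on CentOS).

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the test sshd applies
# to ChrootDirectory before it chroots a session. Every component from / down
# to the chroot directory must be owned by root and must not be group- or
# other-writable; otherwise sshd refuses the login with
# "bad ownership or modes for chroot directory component". Function names
# are my own; the path is the one used in the post. Assumes GNU stat.

# check_component UID MODE PATH
# UID is the numeric owner and MODE the octal mode as printed by
# `stat -c %a` (e.g. 755 or 2775). Returns 0 if sshd would accept it.
check_component() {
    uid=$1; mode=$2; path=$3
    mode_num=$(( 0$mode ))          # leading 0: parse the mode as octal
    if [ "$uid" -ne 0 ]; then
        echo "NOT ROOT-OWNED: $path (uid $uid)" >&2
        return 1
    fi
    if [ $(( mode_num & 022 )) -ne 0 ]; then   # group or other write bit set
        echo "GROUP/OTHER WRITABLE: $path (mode $mode)" >&2
        return 1
    fi
    return 0
}

# check_chroot_path DIR: walk from / down to DIR and check every component,
# the same way sshd does. Returns 0 only if all components pass.
check_chroot_path() {
    dir=$1; cur=''; rc=0
    check_component "$(stat -c %u /)" "$(stat -c %a /)" / || rc=1
    old_ifs=$IFS; IFS=/
    for part in $dir; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then
            echo "MISSING: $cur" >&2; rc=1; continue
        fi
        check_component "$(stat -c %u "$cur")" "$(stat -c %a "$cur")" "$cur" || rc=1
    done
    IFS=$old_ifs
    return $rc
}

# Usage: sh check_chroot.sh /home/.sites/28/site1
# A reported failure is fixed with the chmod 755 / chown root.root steps above.
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: sshd will accept $1 as ChrootDirectory"
fi
```

Because the chroot root itself must be root-owned and not writable by the site group, the chrooted user can only upload into subdirectories below it that are still owned or writable by that user.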