Setting up sftp-only access to a server for a subset of users on a Scientific Linux 6 install with SELinux enforcing:
Create the sftponly group and add the users to it. Because the sshd configuration below forces internal-sftp for this group, the login shell is never executed, so give them /sbin/nologin rather than the sftp-server binary (on Scientific Linux 6 that binary lives at /usr/libexec/openssh/sftp-server, not /usr/lib/sftp-server, and sshd does not consult /etc/shells, so nothing needs adding there). The RHEL family has groupadd, not Debian's addgroup:
groupadd sftponly
useradd -d /home/$USERNAME -s /sbin/nologin -M -N -g sftponly $USERNAME
mkdir -p /home/$USERNAME/uploads /home/$USERNAME/.ssh
chown $USERNAME:sftponly /home/$USERNAME/uploads /home/$USERNAME/.ssh
chown root:root /home/$USERNAME
chmod 755 /home/$USERNAME
chmod 700 /home/$USERNAME/.ssh
passwd $USERNAME
They will be chrooted into their home directory, so that directory, and every directory above it (/home and /), must be owned by root and not writable by group or others, including $USERNAME. sshd enforces this itself: if any component fails the check it logs "bad ownership or modes for chroot directory" to /var/log/secure and drops the connection. Since the user therefore cannot write to their own home directory, you create the .ssh directory for them by hand (sshd reads authorized_keys from there before entering the chroot) together with a subdirectory they do own, here uploads, for their files.
Change /etc/ssh/sshd_config to use the in-process SFTP server and to chroot members of sftponly into their home directory. The Match block has to sit at the end of the file, because every directive after a Match line applies only to the matched sessions. (The commented-out Subsystem line below is the Debian path; the Scientific Linux 6 default is /usr/libexec/openssh/sftp-server. Either way it is replaced by internal-sftp.) Validate the file with sshd -t before restarting sshd.
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Make sure SELinux allows write access to chrooted home directories:
setsebool -P ssh_chroot_rw_homedirs on
The freshly created directories also need correct SELinux labels before sftp users can write to their uploads directory, so relabel the home directory:
restorecon -R /home/$USERNAME
Seems to be working okay now.
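The whole procedure as one script, added here as a worked example and not taken from the original post: setup_sftp_user runs the steps above with the RHEL-family corrections (groupadd, /sbin/nologin), and check_chroot_path applies the same test sshd performs on a ChrootDirectory, walking every path component and rejecting anything not root-owned or group/world writable, which is the usual cause of the "bad ownership or modes for chroot directory" failure. It assumes GNU coreutils stat as shipped with Scientific Linux 6; the user name alice, the RUN dry-run variable and the BASE/WANT_UID parameters (which exist so the check can be exercised on a scratch tree without root) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: create an sftp-only user following
# the procedure above, then verify the chroot tree against the rules sshd applies
# to ChrootDirectory (every path component a root-owned directory, none of them
# group- or world-writable). Assumes GNU coreutils (stat -c) as on Scientific
# Linux 6; the group name and uploads/ layout follow the post. Setup must run as
# root; set RUN=echo to print the privileged commands instead of executing them.

SFTP_GROUP=${SFTP_GROUP:-sftponly}

# _check_component DIR WANT_UID: test one directory on the chroot path.
_check_component() {
    p=$1
    want_uid=$2
    [ -d "$p" ] || { echo "FAIL: $p is not a directory" >&2; return 1; }
    # GNU stat: owner uid and permission bits in octal, e.g. "0 755".
    set -- $(stat -c '%u %a' "$p")
    uid=$1
    mode=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $p is owned by uid $uid, sshd requires uid $want_uid" >&2
        return 1
    fi
    # The last two octal digits are the group and other permission sets; a
    # digit with the write bit (2, 3, 6 or 7) in either makes sshd refuse it.
    go=${mode#"${mode%??}"}
    case $go in
        *[2367]*) echo "FAIL: $p has mode $mode (group/other writable)" >&2; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [BASE] [WANT_UID]
# Walks from BASE (default /) down to DIR and checks every component. On a real
# host call it as check_chroot_path /home/$USERNAME; BASE and WANT_UID exist so
# the walk can be exercised on a scratch tree without root.
check_chroot_path() {
    dir=$1
    base=${2:-/}
    want_uid=${3:-0}
    case $dir in
        "$base"*) ;;
        *) echo "FAIL: $dir is not under $base" >&2; return 1 ;;
    esac
    rest=${dir#"$base"}
    cur=$base
    while :; do
        _check_component "$cur" "$want_uid" || return 1
        rest=${rest#/}
        [ -z "$rest" ] && return 0
        comp=${rest%%/*}
        rest=${rest#"$comp"}
        cur=${cur%/}/$comp
    done
}

# setup_sftp_user USER: the post's steps with the RHEL-family corrections
# (groupadd rather than addgroup; /sbin/nologin as the shell, because
# ForceCommand internal-sftp means the login shell is never executed).
setup_sftp_user() {
    u=$1
    home=/home/$u
    getent group "$SFTP_GROUP" >/dev/null || $RUN groupadd "$SFTP_GROUP"
    $RUN useradd -d "$home" -s /sbin/nologin -M -N -g "$SFTP_GROUP" "$u"
    $RUN mkdir -p "$home/uploads" "$home/.ssh"
    # The chroot root itself: root-owned, 755, so the user cannot write here...
    $RUN chown root:root "$home"
    $RUN chmod 755 "$home"
    # ...but the user owns uploads/ (their writable area) and .ssh/ (authorized_keys).
    $RUN chown "$u:$SFTP_GROUP" "$home/uploads" "$home/.ssh"
    $RUN chmod 700 "$home/.ssh"
    # SELinux: permit writes inside the chroot and relabel the new tree.
    $RUN setsebool -P ssh_chroot_rw_homedirs on
    $RUN restorecon -R "$home"
}

# Usage: sh sftp-chroot.sh setup alice      (as root; RUN=echo for a dry run)
#        sh sftp-chroot.sh check /home/alice
case ${1:-} in
    setup) setup_sftp_user "$2" ;;
    check) check_chroot_path "$2" && echo "OK: $2 meets the ChrootDirectory requirements" ;;
esac
```

Run the check after setup and again whenever a user reports they cannot log in; a home directory that was chmod'ed 775 for convenience, or a group-writable /home, will show up immediately with the offending component named, which is quicker than reading /var/log/secure.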
Thanks!!
Hello, this helped me but:
when adding my user I had to specify the shell as /usr/libexec/openssh/sftp-server
and the addition of that shell (in your doc /usr/lib/sftp-server) to /etc/shells didn’t appear to mean anything.
Use /sbin/nologin as the shell instead of /usr/libexec/openssh/sftp-server.
Yes. The fact is that its chroot users are privileged only to put/get files or create folders in their directory, and not to wander around executing shell commands.
You also need to type this if you don’t want to completely disable SELinux:
# setsebool -P ssh_chroot_full_access on
Hi,
I have tried your guide, but the result after this implementation is that I don't have permission to write in my folder. Do you have any suggestion?
thank you so much!
oh my heavens! Yes… this is the solution. I’ve been scratching my head about why an SFTP cannot write to their CHROOT home directory for days!