how to sshfs/sftp chroot

For several months I was wondering how to set up a chrooted sftp server. For a long time I could not do it and had to make do with FTP daemons. In one of the recent openssh-server releases this capability finally arrived, on which I congratulate all hosting providers (and plain administrators). While the Red Hat folks still struggle with jails, we go and configure the chroot built into the ssh daemon.

To start, let's define what SFTP is needed for. sftp itself is meant to replace the archaic scp, the old way of transferring files over ssh. The benefits are obvious: the files travel through an encrypted tunnel, so the password cannot be sniffed from the network. But there are drawbacks too: higher CPU load (on both server and client) and a slower transfer rate compared to FTP. Overall, though, sshfs has been in use for a long time and has proven to be an excellent replacement for FTP daemons.

Another advantage worth noting is the simplicity of configuration: any user on the system who can reach the server over ssh can already log in to the sftp server. On the other hand, this was also a minus: any sftp user could download any file they have access to. Now we will fix that.

If you have not installed sshd yet, install it:

aptitude install openssh-server

The current openssh in Debian 5 already supports all the functionality we need.

By default every user has a home directory /home/$USER. Unfortunately, openssh's chroot() requires that the directory into which we actually drop the users belongs to root. On the one hand, you can give /home the correct permissions and give the home directories mode 770. On the other hand, if you use sftp just for file sharing, you can hand all user home directories over to root and create inside each home directory a subdirectory to which the user has full access.

The second method lets you ignore mistakes in configuring directory permissions, so we will use it.

Take the user inky as an example. He already exists in the system and can log in over ssh.

Create the directories:

mkdir -p /home/inky/data

And assign the correct permissions:

chown -R root:root /home/inky && chmod 755 /home/inky && chown -R inky:inky /home/inky/data && chmod -R 770 /home/inky/data

Some will say that such permissions are terrible and must never be used, but in this case they provide the necessary degree of safety. The chroot directory itself (/home/inky) must stay owned by root and must not be writable by anyone else, which is exactly what sshd verifies before it chroots the user. Besides, we have already tested it.

If you need to run anything else as that user, you can change his home directory, for example to /home/inky/data. You can do this in the file /etc/passwd.

Now we move on to configuring sshd.

Open the sshd configuration file (/etc/ssh/sshd_config) in your favorite text editor and append the following:

Subsystem sftp /usr/lib/openssh/sftp-server
Match user inky
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no

If there was already another Subsystem sftp line, comment it out.

Now, a little explanation:

Match user inky: the options that follow apply to the user inky.

ChrootDirectory /home/%u: on logging in over sftp the user lands in the directory /home/inky. %u inserts the user name into the path. You can also use %h, the user's home directory, and %g, the group of the user being authenticated.

ForceCommand internal-sftp: does not let the user log in to the server over ssh. If after authenticating over ssh you try to type any character, the server drops the user's connection. All sftp features, however, work correctly.

AllowTcpForwarding no: does not allow the user to use tunnelling, port forwarding and the like. With this we have just switched off the ability to use «Instant socks proxy over SSH», which I will describe in one of the following articles.

After that, restart sshd:
/etc/init.d/ssh restart

Don't worry: sshd checks its configuration file for errors before it shuts down.
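That syntax check does not cover the chroot directory: sshd only verifies at login time that every component of the ChrootDirectory path is owned by root and is neither group- nor world-writable. The following script, added here as an example and not part of the original article, repeats those checks so a wrong chown/chmod is caught before the restart. It assumes GNU or busybox coreutils (stat -c); the owner uid parameter exists only so the function can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the checks sshd
# applies to ChrootDirectory before chrooting a user. Every component of
# the path (/, /home, /home/inky) must be owned by root and must not be
# group- or world-writable. Prints one line per problem and returns the
# number of problems found (0 means sshd would accept the directory).
# Assumes GNU/busybox "stat -c". The owner uid defaults to 0 (root) and is
# a parameter only so the function can be tested as a normal user.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    problems=0
    case $path in
        /*) ;;
        *) echo "$path: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    dir=$path
    # Walk from the chroot directory up to / checking each component.
    while :; do
        if [ ! -d "$dir" ]; then
            echo "$dir: not a directory"
            problems=$((problems + 1))
        else
            # %u = numeric owner uid, %a = permission bits in octal (-L follows symlinks)
            set -- $(stat -L -c '%u %a' "$dir")
            uid=$1
            mode=$2
            if [ "$uid" != "$want_uid" ]; then
                echo "$dir: owned by uid $uid, must be owned by uid $want_uid"
                problems=$((problems + 1))
            fi
            # 18 decimal is 022 octal: the group-write and other-write bits
            if [ $(( 0$mode & 18 )) -ne 0 ]; then
                echo "$dir: group/world writable (mode $mode)"
                problems=$((problems + 1))
            fi
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $problems
}

# Usage for the directory from this article (uncomment to run):
# check_chroot_path /home/inky && echo "chroot path is acceptable to sshd"
```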

Now let's check that sftp works. The easiest way is to type something like this in the Nautilus address bar:

sftp://user@host:port

Nautilus will ask for the password; enter it and you end up in the directory specified in the sshd configuration.

From the command line, we get to the sftp server with the rather expected command:
sftp -oPort=XX user@host

Replace XX with the desired port number, and we again land on the server in the directory we specified.

You can also use FileZilla to access the SFTP server; its advantage is that we can upload (and download) files in several parallel streams, which increases the speed (and the CPU load).

sftp chroot rules can also be applied to particular groups of users, but I will explain that in the next article, titled «sftp chroot vs. ispmanager».