chrooted sftp only user for Mandriva 2009

This article describes how to set up a chrooted, sftp-only server. The sftp server is provided by OpenSSH, which unfortunately (or thankfully) also provides a login capability. This article deals with:

  • preventing the user from logging in;
  • jailing the user into a private directory for better security.

The first point is provided by rssh and the second one by chroot.

I assume you already have a running sshd service.

This file contains a sample jail directory.

Install rssh:

# urpmi rssh

Add /usr/bin/rssh at the end of /etc/shells. This allows rssh to be used as a login shell. rssh will prevent the user from gaining access to a real shell and restrict him to sftp.

First create a new user, let's say ‘dummy’.

# adduser --shell /usr/bin/rssh dummy

Extract all files from the jail into his home directory. You should then remove the jail directory.

The content of /home/dummy should be:

bin/  dev/  etc/  home/dummy  lib/  sbin/  usr/

Edit etc/passwd and etc/group (inside the jail) and change the user id and group id so that they match the newly created user.

Change the owner of home/dummy to your new user.

Whenever dummy connects to your system he will be jailed in his home directory, preventing him from accessing system files or other users' files.

Configure rssh to enable only sftp, with chroot, for user dummy. Edit /etc/rssh.conf; the file should contain the following:

allowsftp
user=dummy:011:00010:/home/dummy  # sftp with chroot

That’s it.
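As an added example (not part of the original article), here is a small POSIX shell check that verifies a jail built by the steps above is consistent: rssh listed in the shells file, a sftp-only rssh.conf entry pointing at the jail, matching uid/gid in the jail's etc/passwd, a correctly owned home/<user>, and a jail root that the user cannot write to. It assumes GNU stat and find; the sample jail it builds is constructed for demonstration only.

```shell
#!/bin/sh
# Consistency check for an rssh sftp-only chroot jail laid out as the article
# describes. Added example, not the article's own code; assumes GNU stat/find
# and that the jail holds etc/passwd and home/<user> as listed above.
# check_jail <jail_dir> <user> <rssh.conf> <shells_file> <host_passwd>
# Prints each problem found; returns the number of problems (0 = consistent).
check_jail() {
    jail=$1 user=$2 conf=$3 shells=$4 host_passwd=$5 problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    # 1. rssh must be listed as a valid login shell or sshd rejects the login.
    grep -qx /usr/bin/rssh "$shells" || fail "/usr/bin/rssh missing from $shells"
    # 2. rssh.conf: sftp enabled globally and a per-user line whose access bits
    #    are 00010 (sftp only, as in the article) and whose path is this jail.
    grep -qx allowsftp "$conf" || fail "no 'allowsftp' line in $conf"
    set -- $(sed -n "s/^user=$user:[0-7]*:\([01]*\):\"\{0,1\}\([^ #\"]*\).*/\1 \2/p" "$conf")
    [ "$1" = 00010 ] || fail "access bits for $user are '$1', expected 00010"
    [ "$2" = "$jail" ] || fail "chroot path for $user is '$2', expected $jail"
    # 3. uid:gid in the jail's etc/passwd must equal the host account's, otherwise
    #    ownership shown and set inside the jail refers to a different account.
    ids() { awk -F: -v u="$user" '$1 == u { print $3 ":" $4 }' "$1" 2>/dev/null || true; }
    host_ids=$(ids "$host_passwd") jail_ids=$(ids "$jail/etc/passwd")
    [ -n "$host_ids" ] || fail "$user not found in $host_passwd"
    [ "$host_ids" = "$jail_ids" ] || fail "uid:gid host=$host_ids jail=$jail_ids"
    # 4. home/<user> inside the jail must exist and belong to the user's uid.
    home=$jail/home/$user
    [ -d "$home" ] && [ "$(stat -c %u "$home")" = "${host_ids%%:*}" ] \
        || fail "$home missing or not owned by uid ${host_ids%%:*}"
    # 5. The jail root must not be group/world writable: a writable root lets the
    #    jailed account alter etc/ and lib/, which defeats the purpose of the jail.
    [ -z "$(find "$jail" -maxdepth 0 -perm /022 2>/dev/null)" ] \
        || fail "$jail is group/world writable"
    return $problems
}

# make_sample <root> <user> <host_uid> <jail_uid> <gid> <bits>: constructs a
# throwaway host passwd, shells file, rssh.conf and jail tree for testing.
make_sample() {
    mkdir -p "$1/jail/etc" "$1/jail/home/$2"
    echo "$2:x:$3:$5::/home/$2:/usr/bin/rssh" > "$1/passwd"
    echo "$2:x:$4:$5::/home/$2:/usr/bin/rssh" > "$1/jail/etc/passwd"
    printf '/bin/sh\n/usr/bin/rssh\n' > "$1/shells"
    printf 'allowsftp\nuser=%s:011:%s:%s  # sftp with chroot\n' \
        "$2" "$6" "$1/jail" > "$1/rssh.conf"
    chmod 755 "$1/jail"
}

# Demo against a constructed good jail (user "dummy", ids borrowed from ours).
tmp=$(mktemp -d) && make_sample "$tmp" dummy "$(id -u)" "$(id -u)" "$(id -g)" 00010
check_jail "$tmp/jail" dummy "$tmp/rssh.conf" "$tmp/shells" "$tmp/passwd" && echo "jail OK"
rm -rf "$tmp"
```

Run it as root against the real paths (/home/dummy, /etc/rssh.conf, /etc/shells, /etc/passwd) once the steps above are done; any PROBLEM line names the step to revisit.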
