
Restricting SFTP users to their own home directory

Edit /etc/ssh/sshd_config: replace the existing Subsystem sftp line with the internal-sftp one below (sshd accepts only one Subsystem entry per name), and add the Match block at the very end of the file, because every directive that follows a Match line belongs to that block:

Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

This means that every user in the 'sftponly' group is chrooted into their home directory (%h) and can only run the in-process SFTP server: no shell, no other commands, and no TCP forwarding through the connection.

Now you can create the group sftponly by running the following command:

$ groupadd sftponly

From here on the example assumes the user you want to apply this to is "steve"; change the commands accordingly.

Put the user in the group. The command below replaces the user's primary group; if you would rather keep the primary group, use usermod -aG sftponly steve instead, since Match Group also matches supplementary groups:

$ usermod -g sftponly steve

To deny SSH shell access, give the user a non-interactive shell (ForceCommand internal-sftp already means no shell is started for SFTP sessions, so this closes the other login paths):

$ usermod -s /bin/false steve

And set the user's home directory (/folder is a placeholder). Because sshd only chroots into a directory that is owned by root and not writable by the user, the user cannot write at the top of the chroot; create a subdirectory inside it, owned by the user, for uploads:

$ usermod -d /folder steve

Finally, restart SSH so the new configuration takes effect (running sshd -t first catches syntax errors before the daemon is restarted; on RHEL-family systems the service is called sshd rather than ssh):

$ service ssh restart

The SSH part should now be in order, but the file permissions must be correct as well. sshd refuses to chroot unless the chroot directory and every directory above it is owned by root and has neither the group nor the world write bit set. If the chroot environment is in a user's home directory, both /home and /home/username must therefore be owned by root, with modes such as 755 or 750.

In other words, every directory leading up to and including the home directory must be owned by root and not group- or world-writable; otherwise sshd logs a line of the form "bad ownership or modes for chroot directory" and the client is disconnected right after logging in with the following error:

Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
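The whole procedure, including the ownership check that explains the error above, as one script. This is an added example and not code from the original post. It assumes a Debian/Ubuntu layout (/etc/ssh/sshd_config, a service called ssh); the script name sftp-chroot.sh, the user name and the home path are placeholders. apply_sshd_config and setup_sftp_user change the system and need root; chroot_dir_ok and check_chroot_path only read the filesystem and can be run by anyone to diagnose the Broken pipe disconnect.

```shell
#!/bin/sh
# Added example, not from the original post. Puts the steps above into one
# script: patch sshd_config, create the sftponly user, lay out the chroot, and
# verify ownership and modes the way sshd does before restarting the daemon.
# Assumes a Debian/Ubuntu layout (/etc/ssh/sshd_config, "service ssh").
set -eu

SFTP_GROUP=sftponly

# Print the Match block for the chroot-only group. It must be appended at the
# very end of sshd_config: every directive after a Match line belongs to it.
sftp_match_block() {
    cat <<EOF

# Chroot-only SFTP group; keep this at the end of the file
Match Group $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
}

# Pure check on one "ls -ld" mode string and owner name, mirroring sshd's
# rule for chroot components: owned by root, no group or world write bit.
# Returns 0 when the directory is acceptable.
chroot_dir_ok() {
    mode="$1"; owner="$2"
    [ "$owner" = root ] || return 1
    case "$mode" in
        ?????w*) return 1 ;;       # group-writable (6th character)
        ????????w*) return 1 ;;    # world-writable (9th character)
    esac
    return 0
}

# Walk from the chroot directory up to /, checking every component.
# Prints each offending directory and returns 1 if any fails.
check_chroot_path() {
    dir="$1"; status=0
    case "$dir" in /*) ;; *) echo "need an absolute path: $dir" >&2; return 1 ;; esac
    while :; do
        set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner
        if ! chroot_dir_ok "$1" "$3"; then
            echo "bad ownership or modes for chroot component: $dir ($1 $3)" >&2
            status=1
        fi
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $status
}

# Create (or adjust) the user. The chroot top stays root-owned and read-only
# for the user, so a writable "upload" subdirectory is created inside it.
# Needs root; user name and home path are the caller's choice.
setup_sftp_user() {
    user="$1"; home="$2"
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    id "$user" >/dev/null 2>&1 || useradd -M -d "$home" "$user"
    usermod -aG "$SFTP_GROUP" -d "$home" -s /bin/false "$user"
    mkdir -p "$home/upload"
    chown root:root "$home"; chmod 755 "$home"
    chown "$user" "$home/upload"; chmod 750 "$home/upload"
    check_chroot_path "$home"
}

# Switch the sftp subsystem to internal-sftp (only one Subsystem line is
# allowed) and append the Match block once, then validate and restart.
apply_sshd_config() {
    cfg=/etc/ssh/sshd_config
    if grep -q '^Subsystem[[:space:]]*sftp' "$cfg"; then
        sed -i 's|^Subsystem[[:space:]]*sftp.*|Subsystem sftp internal-sftp|' "$cfg"
    else
        echo 'Subsystem sftp internal-sftp' >> "$cfg"
    fi
    grep -q "^Match Group $SFTP_GROUP" "$cfg" || sftp_match_block "$SFTP_GROUP" >> "$cfg"
    sshd -t                    # syntax check before touching the running daemon
    service ssh restart
}

# Usage (as root): sh sftp-chroot.sh steve /home/steve
if [ "$#" -eq 2 ]; then
    apply_sshd_config
    setup_sftp_user "$1" "$2"
fi
```

Running check_chroot_path /home/steve on its own, without root, is the quickest way to find out which component sshd is rejecting: it reports the same condition that produces the "Broken pipe" disconnect on the client side.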

Published in Linux
