Today I got a requirement to set up an SFTP user and restrict its access to a specific directory. My current OS version is Oracle Linux 5.11, whose latest available OpenSSH version is openssh-4.3p2-82.el5. The initial plan was to set up a chroot to the home directory using the configuration below, which is quite straightforward.
1. Create a group called sftponly
#groupadd sftponly
2. Update /etc/ssh/sshd_config file with the below entries
AllowGroups root sftponly
Match Group sftponly
ChrootDirectory /home/newuser
ForceCommand internal-sftp
AllowTcpForwarding no
While restarting sshd, the following error appeared:
Starting sshd: /etc/ssh/sshd_config: line 123: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options [FAILED]
After googling for a while, I found that this feature is supported only with OpenSSH 5 or above, so it is not possible in my case.
For an immediate workaround, I decided to go for vsftpd with the chroot option. Here is what I followed to set it up.
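For hosts where sshd does accept the Match block, the chroot target still has to pass sshd's ownership test before any session is allowed: every path component must be root-owned and not group- or world-writable. The check below is an added example (my code, not part of the original post) that walks a candidate ChrootDirectory and reports the first component that would fail; it assumes GNU coreutils stat, as on Oracle Linux.

```shell
#!/bin/sh
# Check a ChrootDirectory candidate against sshd's own rule: every path
# component from the target up to / must be owned by root (uid 0) and must
# not be group- or world-writable. Otherwise sshd logs "bad ownership or
# modes for chroot directory" and refuses the session. A user-owned home
# such as /home/newuser fails this test; the usual layout is a root-owned
# chroot with a user-writable subdirectory inside it.
# Assumes GNU coreutils stat (-c), as on Oracle Linux.

# Pure policy check: owner uid and octal mode (as printed by stat -c '%a').
# Returns 0 when acceptable, 1 otherwise.
chroot_component_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group and other write bits
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk from the target directory up to /, checking each component.
check_chroot_dir() {
    target=$1
    [ -d "$target" ] || { echo "not a directory: $target" >&2; return 1; }
    # canonicalise so relative paths and symlinks do not hide a bad parent
    cur=$(cd "$target" && pwd -P) || return 1
    while :; do
        info=$(stat -c '%u %a' "$cur") || return 1
        set -- $info
        if ! chroot_component_ok "$1" "$2"; then
            echo "unsafe chroot component: $cur (uid $1, mode $2)" >&2
            return 1
        fi
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    echo "ok: $target is usable as ChrootDirectory"
    return 0
}

# Usage: sh check_chroot.sh /home/newuser
if [ $# -gt 0 ]; then
    check_chroot_dir "$1"
fi
```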
1. Install package vsftpd (#yum install vsftp*)
2. Set anonymous_enable=NO in the vsftpd configuration file
3. Add the below line
chroot_local_user=YES
4. Add a user as below, setting the shell to /bin/false so that the user cannot log in via a shell
testuser:x:54332:54335::/home/testuser:/bin/false
NOTE: Ensure /bin/false is listed in the /etc/shells file, otherwise the FTP login will be rejected