Create a chroot jail
This article describes how to configure a chroot jail on both Debian® and RPM Package Manager (RPM)-based distributions.
These instructions create the chroot jail by using the following example group and user names:
Create a group for jailed users
Use the following instructions to create a group for jailed users:
Create the jailed group by using the following command:
Note: This group is used to restrict or jail users to their home directory.
Open /etc/ssh/sshd_config in a text editor and edit the file by using the following steps:
Comment out the following line by placing a number sign (#) before the line:
Subsystem sftp /usr/libexec/openssh/sftp-server
#Subsystem sftp /usr/libexec/openssh/sftp-server
Add the following lines to the end of the configuration file:
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp
Verify that the syntax is correct in the new configuration and reload sshd by using the following commands:
sshd -t
service sshd reload
Create a Secure File Transfer Protocol user
Use the following steps to create a Secure File Transfer Protocol (SFTP) user:
Create a home directory for the SFTP user by using the following command:
mkdir -p /home/chroot/ftpuploader/public
Create a new user with a home directory that has no shell access, and add it to the group sftponly by using the following command:
useradd -d /home/chroot/ftpuploader -s /sbin/nologin -G sftponly ftpuploader
If you already have an SFTP user created, then you need to set the user’s shell access to /sbin/nologin and add them to group sftponly by using the following command:
usermod -s /sbin/nologin -G sftponly ftpuploader
Now, set a new password for the SFTP user by using the following command:
On both RPM and Debian-based distributions, change the permissions and ownership of the home directory by using the following commands:
chown root:root /home/chroot/ftpuploader/
chown ftpuploader:sftponly /home/chroot/ftpuploader/public
chmod 711 /home/chroot/
chmod 755 /home/chroot/ftpuploader/
chmod 755 /home/chroot/ftpuploader/public
Note: In the preceding commands, the group is sftponly if the user is going to be part of the sftponly group.
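sshd refuses a chroot login unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others, which is what the chown root:root and chmod 755 commands above arrange. The following pre-flight check is an added example, not part of the original article; it assumes GNU stat, and check_chroot_path is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# Assumes GNU stat (stat -c), as found on Debian and RPM-based systems.
# check_chroot_path is a hypothetical helper name, not part of OpenSSH.

# Usage: check_chroot_path DIR [OWNER_UID] [STOP_DIR]
# Walks from DIR up to STOP_DIR (default /) and reports each component that
# is not a directory, is not owned by OWNER_UID (default 0, root), or is
# writable by group or others. Returns 0 only if every component passes.
check_chroot_path() {
    dir=$1
    owner=${2:-0}
    stop=${3:-/}
    rc=0
    case $dir in
        /*) ;;
        *) echo "FAIL $dir: not an absolute path"; return 1 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"
            return 1
        fi
        meta=$(stat -c '%u %a' "$dir") || return 1
        uid=${meta% *}
        mode=${meta#* }
        if [ "$uid" != "$owner" ]; then
            echo "FAIL $dir: owned by uid $uid, expected $owner"
            rc=1
        fi
        # Octal 022 masks the group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $dir: mode $mode is writable by group or others"
            rc=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Example: check_chroot_path /home/chroot/ftpuploader
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as root against the jailed user's home directory, for example check_chroot_path /home/chroot/ftpuploader. The writable public subdirectory sits below the chroot and is not part of the checked path.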
©2019 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License