How do I limit an sFTP user to one directory?
OpenSSH (4.8p1 for the GNU/Linux port) and up features a configuration option: ChrootDirectory. This has been made possible by a new SFTP subsystem statically linked to sshd.
This makes it easy to replace a basic FTP service without the hassle of configuring encryption and/or bothering with FTP passive and active modes when operating through a NAT router. This is also simpler than packages such as rssh or other patches because it does not require setting up and maintaining (i.e. security updates) a chroot environment.
To enable it, you obviously need the new version 4.8p1. I personally use the cvs version and the debian/ directory of the sid package to build a well integrated Debian package 4.8p1~cvs-1.
You need to configure OpenSSH to use its internal SFTP subsystem:

    Subsystem sftp internal-sftp
Then, I configured chroot()ing in a match rule:

    Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
The directory in which to chroot() must be owned by root. After the call to chroot(), sshd changes directory to the home directory relative to the new root directory. That is why I use / as home directory:

    $ chown root.root /home/user
    $ usermod -d / user
    $ adduser user sftponly
This seems to work as expected:

    $ sftp user@host
    Connecting to host...
    user@host's password:
    sftp> ls
    build  cowbuildinall  incoming  johnbuilderclean
    sftp> pwd
    Remote working directory: /
    sftp> cd ..
    sftp> ls
    build  cowbuildinall  incoming  johnbuilderclean
We inlined the original instructions from https://debian-administration.org/article/590/OpenSSH_SFTP_chroot_with_ChrootDirectory as at the time of writing that website no longer functions.