Here is how to make SFTP shares with chroot.
In /etc/ssh/sshd_config:

# we use openssh internal sftp
# because /usr/lib/openssh/sftp-server won't be available in chroot
Subsystem sftp internal-sftp
Match group sftp
  ChrootDirectory %h
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
UPDATE 17/06/2010: Beware of the syntax! Comments must start at the beginning of the line, and there must be no trailing spaces on the ForceCommand internal-sftp line.
Now just create users belonging to the sftp group, and that's it.
Test it with:
sftp user@myserver.com
Problem: we cannot use the rsync command to send files, because rsync is not available in the chroot.
First, we allow other commands by commenting out the line:
#ForceCommand internal-sftp
Then, we build the following tree in the chroot directory:

bin/
bin/bash
bin/rsync
lib/
lib/libncurses.so.5
lib/ld-linux.so.2
lib/libacl.so.1
lib/libpopt.so.0
lib/libattr.so.1
lib/i686
lib/i686/cmov
lib/i686/cmov/libdl.so.2
lib/i686/cmov/libc.so.6
We must put in both the bash and rsync commands, and all their libraries (you can display them with the ldd command).
Note: the user must have /bin/bash as default shell.
Note2: the chroot dir must belong to root, even if it's the user's folder. To allow the user to write in it, you have to create a subfolder with appropriate permissions. According to the OpenSSH programmers, it's a big constraint, but very important for the chroot's security.
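The two steps above (copying a command with the libraries ldd lists for it, and checking that the chroot path satisfies the root-ownership rule) as an added shell example; this is not code from the original post. It assumes a GNU/Linux host with ldd, cp -L and ls -ldn available, and the throwaway directory and /bin/sh used in the demo are placeholders for the real ChrootDirectory and binaries.

```shell
#!/bin/sh
# Added example: build a chroot tree like the one in the post and verify
# the ownership/permission rule sshd applies to ChrootDirectory.

# copy_with_deps CHROOT BINARY
# Copies BINARY (symlinks resolved) and every library ldd reports for it
# into CHROOT, keeping absolute paths (/lib/libc.so.6 -> CHROOT/lib/libc.so.6).
# Only run ldd on binaries you trust: some ldd implementations execute them.
copy_with_deps() {
    chroot="$1"; bin="$2"
    mkdir -p "$chroot$(dirname "$bin")"
    cp -L "$bin" "$chroot$bin"
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (addr)" or
    # "/lib/ld-linux.so.2 (addr)"; a static binary makes ldd fail, which is fine.
    ldd "$bin" 2>/dev/null | awk '/=>/ {print $3} !/=>/ && $1 ~ /^\// {print $1}' \
    | while read -r lib; do
        [ -f "$lib" ] || continue
        mkdir -p "$chroot$(dirname "$lib")"
        cp -L "$lib" "$chroot$lib"
    done
}

# check_chroot_path DIR
# sshd refuses the chroot unless DIR and every parent up to / are owned by
# root and writable by nobody but the owner. Returns 0 when that holds.
check_chroot_path() {
    d=$(cd "$1" && pwd -P) || return 1
    while :; do
        set -- $(ls -ldn "$d")          # mode string, links, uid, gid, ...
        mode="$1"; uid="$3"
        if [ "$uid" != 0 ]; then
            echo "not owned by root (uid $uid): $d" >&2; return 1
        fi
        case "$mode" in                 # char 6 = group w, char 9 = other w
            ?????w*|????????w*) echo "group/world writable: $d" >&2; return 1 ;;
        esac
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# Demo (constructed): a temporary chroot around /bin/sh plus the writable
# subfolder the post recommends for the user's uploads.
main() {
    root=$(mktemp -d)
    copy_with_deps "$root" /bin/sh
    mkdir -p "$root/upload"
    find "$root" -type f | sed "s|^$root||"
    check_chroot_path "$root" || echo "chown root:root and chmod 755 $root before using it as ChrootDirectory"
    rm -rf "$root"
}
main "$@"
```

For the real setup, run copy_with_deps once for /bin/bash and once for /bin/rsync with CHROOT set to the user's home, then fix ownership until check_chroot_path succeeds.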