Here is how to set up chrooted SFTP shares with OpenSSH.
Add the following to sshd_config:

# we use openssh internal sftp
# because /usr/lib/openssh/sftp-server won't be available in chroot
Subsystem sftp internal-sftp
Match group sftp
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
UPDATE 17/06/2010: Beware of the syntax! Comments must start at the beginning of the line, and there must be no trailing spaces at the end of the ForceCommand internal-sftp line.
Now just create users belonging to the sftp group, and that's it.
Test it with:
Problem: we cannot use the rsync command to send files, because rsync is not available inside the chroot.
First, we allow other commands by commenting out the line:
Then, we build the following tree in the chroot directory:
bin/
bin/bash
bin/rsync
lib/
lib/libncurses.so.5
lib/ld-linux.so.2
lib/libacl.so.1
lib/libpopt.so.0
lib/libattr.so.1
lib/i686
lib/i686/cmov
lib/i686/cmov/libdl.so.2
lib/i686/cmov/libc.so.6
We must put both commands (bash and rsync) in it, along with all their libraries (you can display them with the
Note: the user must have /bin/bash as default shell.
Note2: the chroot dir must belong to root, even if it's the user's folder. To allow the user to write in it, you have to create a subfolder with appropriate permissions. According to the OpenSSH programmers, it's a big constraint, but very important for a chroot's security.
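As an added example (not part of the original post), here is a small POSIX shell helper that automates the two manual steps above: copying a binary plus the libraries ldd lists for it into the chroot tree (keeping the lib/i686/cmov layout), and checking that the chroot directory is root-owned and not group/world writable as Note2 requires. It assumes the GNU ldd output format ("name => /path (addr)", with the loader on its own line) and the usual "ls -ld" column order (mode, links, owner).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU ldd output and
# the standard "ls -ld" column layout (mode in $1, owner in $3).

# Print the absolute library paths found in ldd output read on stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" lines and the bare loader
# line "/lib/ld-linux.so.2 (0x...)"; skips linux-gate/linux-vdso, which
# have no file on disk.
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one absolute path into the chroot, recreating its directory layout,
# e.g. /lib/i686/cmov/libc.so.6 -> $chroot/lib/i686/cmov/libc.so.6
install_into_chroot() {
    chroot_dir=$1; src=$2
    dest="$chroot_dir$src"
    mkdir -p "$(dirname "$dest")" && cp -p "$src" "$dest"
}

# Install a binary and every library from its ldd output into the chroot.
# The ldd output is passed as $3 so callers can run: ldd "$bin" themselves
# (or supply captured output, as the test below does).
install_binary() {
    chroot_dir=$1; bin=$2; ldd_out=$3
    install_into_chroot "$chroot_dir" "$bin" || return 1
    printf '%s\n' "$ldd_out" | ldd_libs | while IFS= read -r lib; do
        install_into_chroot "$chroot_dir" "$lib" || exit 1
    done
}

# sshd refuses a ChrootDirectory unless it is owned by root and neither
# group- nor world-writable. $1 is an "ls -ld" mode string, $2 the owner.
check_chroot_perms() {
    mode=$1; owner=$2
    [ "$owner" = root ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group write (pos 6) / other write (pos 9)
    esac
    return 0
}

# Convenience wrapper: check an existing directory on this host.
check_chroot_dir() {
    set -- $(ls -ld "$1")
    check_chroot_perms "$1" "$3"
}
```

Run check_chroot_dir on the user's home before enabling the Match block; a non-zero exit means sshd will reject the login with a "bad ownership or modes for chroot directory" error.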