Debian (lenny) SFTP Jailing
- First, add a new group for SFTP-only users; I've named mine 'sftponly'.
groupadd sftponly
Open /etc/ssh/sshd_config for editing. The line you are looking for, as it appears in lenny, will be:
Subsystem sftp /usr/lib/openssh/sftp-server
Change this to
Subsystem sftp internal-sftp
At the bottom of the file, you'll need this Match block (the group name must be the one you created above):
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
A 'Match Group' block is terminated either by the next Match directive or by the end of the file, so save and restart sshd (on Debian the init script is named ssh, not sshd).
/etc/init.d/ssh restart
- Make sure you can still log in normally through another console before closing the one you are working in.
- Now add the user, assign them to the new group and strip their shell. Mine will be called feyfey.
adduser feyfey
usermod -g sftponly feyfey
usermod -s /bin/false feyfey
- Next, set the user's home directory ownership to root:root and make it writable only by root (sshd refuses to chroot into a directory that is group- or world-writable, so 755 rather than 775). Then jump into the user's directory and create a 'public' directory the sftp-only user can write to.
chown root:root /home/feyfey
chmod 755 /home/feyfey
cd /home/feyfey
mkdir public
chown feyfey:sftponly public
If there are any errors during your permissions testing thereafter, check /var/log/auth.log.
and you’re done
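As an added example (not part of the original post), here is a small POSIX sh check for the ownership and mode rules sshd applies to ChrootDirectory: the directory and every parent up to / must be owned by root and must not be group- or world-writable, otherwise auth.log shows "bad ownership or modes for chroot directory" and the login fails. The function names are mine, and the directory walk assumes GNU stat as shipped with Debian.

```sh
#!/bin/sh
# Hypothetical helper (not from the original post): apply the checks sshd
# performs on a ChrootDirectory before it will chroot the session.

# chroot_mode_ok UID SYMBOLIC_MODE  (e.g. "0 drwxr-xr-x")
# Returns 0 when sshd would accept a directory with this owner and mode.
chroot_mode_ok() {
  uid=$1
  mode=$2
  # must be owned by root
  [ "$uid" -eq 0 ] || return 1
  # characters 6 and 9 of the symbolic mode are the group and other write bits
  gw=$(printf '%s' "$mode" | cut -c6)
  ow=$(printf '%s' "$mode" | cut -c9)
  [ "$gw" != w ] && [ "$ow" != w ]
}

# check_chroot_dir DIR: apply chroot_mode_ok to DIR and each parent up to /.
# Uses GNU stat (coreutils) to read owner uid and symbolic mode.
check_chroot_dir() {
  dir=$1
  while :; do
    st=$(stat -c '%u %A' "$dir") || return 1
    # $st is "UID MODE"; unquoted expansion splits it into two arguments
    if ! chroot_mode_ok $st; then
      echo "$dir: owned by uid ${st%% *}, mode ${st#* }; sshd will refuse to chroot here" >&2
      return 1
    fi
    [ "$dir" = / ] && return 0
    dir=$(dirname "$dir")
  done
}

# Usage: check_chroot_dir /home/feyfey
```

Run it against the jailed user's home after setting permissions; the 775 mode from the earlier chmod is exactly the case it rejects.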
This entry was posted by admin on September 6, 2009 at 00:38, and is filed under Sysadmin.


about 9 months ago
Isn’t that:
/etc/init.d/sshd restart
not
/etc/ini.d/sshd restart
about 9 months ago
thanks Dave, glad someone pays attention to detail :p