Chrooted SFTP

OpenSSH allows SSH/SFTP users to connect to the whole system by default. In many cases this is not the expected behavior: users should be restricted to their own home directory only. This is sometimes called “Chrooted SFTP”.

As we discussed before, SFTP users can see the whole system by default:

# sftp andrea@localhost
Connecting to localhost...
andrea@localhost's password:
sftp> pwd
Remote working directory: /home/andrea

Users can be confined by changing the SFTP back-end to internal-sftp:

# /etc/ssh/sshd_config
[...]
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
[...]

Users who are part of the webmaster group should only have access to the web server directory; other users should be restricted to their own home directory:

# /etc/ssh/sshd_config
[...]
Match User webmaster
 ChrootDirectory /var/www/html
 AllowTCPForwarding no
 X11Forwarding no
 ForceCommand internal-sftp
Match Group users
 ChrootDirectory /home
 AllowTCPForwarding no
 X11Forwarding no
 ForceCommand internal-sftp
[...]

Now users are restricted and cannot leave the configured directory:

andrea@localhost's password:
sftp> pwd
Remote working directory: /
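
sshd rejects a chrooted login unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others (see sshd_config(5)). The script below is an added example, not part of the original post, that walks a path such as /var/www/html and reports which component would fail; the function names and the optional uid and top arguments are conveniences of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory path.

# check_component DIR [UID]
# Succeeds when DIR is a directory owned by UID (default 0, root) and is
# not writable by group or others.
check_component() {
    path=$1
    want_uid=${2:-0}
    if [ ! -d "$path" ]; then
        echo "FAIL $path: not a directory"
        return 1
    fi
    # "ls -ldn" prints the mode string first and the numeric owner third.
    info=$(ls -ldn "$path" | awk '{print $1, $3}')
    mode=${info% *}
    owner=${info#* }
    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL $path: owner uid $owner, expected $want_uid"
        return 1
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $path: writable by group or others ($mode)"
            return 1 ;;
    esac
    echo "ok   $path ($mode, uid $owner)"
}

# check_chroot DIR [UID] [TOP]
# Checks DIR and each parent directory up to TOP (default /).
# UID and TOP exist only so the check can be tried on a scratch tree.
check_chroot() {
    dir=$1
    uid=${2:-0}
    top=${3:-/}
    rc=0
    while :; do
        check_component "$dir" "$uid" || rc=1
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return $rc
}

# Stand-alone use: sh check_chroot.sh /var/www/html
if [ "$#" -gt 0 ]; then
    check_chroot "$@"
fi
```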

Enabling restricted SSH is more complicated: SSH needs many components, such as Bash, libraries and so on. The reason is simple: once a user enters a confined environment, they cannot access components outside it. All required components must be copied into the path where users are “chrooted”.

Posted on 24 Feb 2014 by Andrea.