Last Updated: February 25, 2016
franklinkim

Simple chroot without the need of jail or other packages

See gist:

# Add a group for sftp only
$ addgroup sftponly

# Add a new user 
# Note: We are using public key authentication, so leave the password blank
$ adduser USERNAME

# Add the user to the sftp only group
$ adduser USERNAME sftponly

# [optional] Add the user to some other groups like www-data
$ adduser USERNAME GROUPNAME

# Add the user's public key so they can log in
$ mkdir /home/USERNAME/.ssh
$ vim /home/USERNAME/.ssh/authorized_keys
$ chmod 0700 /home/USERNAME/.ssh
$ chmod 0600 /home/USERNAME/.ssh/authorized_keys
$ chown -R USERNAME:USERNAME /home/USERNAME/.ssh

# In this example we're using the user's home folder as the chroot.
# sshd only accepts a ChrootDirectory whose path components are all owned by
# root and not writable by group or others, so change the owner and group of
# the user's home folder to root and make sure its mode is not group/world-writable.
# (The user can therefore not write directly into the chroot root; expose
# writable folders inside it, e.g. via the bind mounts shown below.)
$ chown root:root /home/USERNAME
$ chmod 755 /home/USERNAME

# Now we configure the sftp only group
$ vi /etc/ssh/sshd_config

# Change the Subsystem line to internal-sftp
Subsystem sftp internal-sftp

# At the end of the file add the following lines
Match Group sftponly
        AllowTcpForwarding no
        ForceCommand internal-sftp
        # %h is a shortcut for the user's home folder
        ChrootDirectory %h

# Restart the ssh service
$ service ssh restart

# As symlinks don't work in a chroot environment, a simple way to provide resources
# is to bind-mount these folders into the chroot environment. To make sure they're
# still available after a system reboot, we add them to the fstab config
$ vi /etc/fstab

# Add the following line(s) depending on your needs
/PATH/TO/EXPOSED_FOLDER /home/USERNAME/EXPOSED_FOLDER none defaults,bind 0 0

# Note: To be able to mount, the mount point /home/USERNAME/EXPOSED_FOLDER needs to exist
$ mkdir /home/USERNAME/EXPOSED_FOLDER

# Mount all configured entries in the fstab config
$ mount -a
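The most common reason a setup like this fails is that sshd refuses the chroot with "bad ownership or modes for chroot directory" in the auth log, because some component of the ChrootDirectory path is not root-owned or is group/world-writable. The following check script is an added example, not part of the original gist: it walks the path from the top down and reports every offending component. The optional TOP and OWNER_UID arguments are assumptions of this example (defaults "/" and 0 match sshd's rule) so it can be tried on a throwaway tree owned by a non-root user; it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original gist). Verify that every path
# component of a ChrootDirectory, from TOP down to the directory itself,
# is owned by OWNER_UID and not writable by group or others, which is what
# sshd requires before it will chroot an SFTP session.
#
# Usage: check_chroot_path /home/USERNAME [TOP] [OWNER_UID]
# Prints each offending component; returns 0 if all pass, 1 otherwise,
# 2 if a component cannot be stat'ed.
check_chroot_path() {
    path=$1
    top=${2:-/}       # first component to check (assumption: default "/")
    owner=${3:-0}     # expected owner uid (assumption: default root)
    rc=0
    p=$path
    while :; do
        # GNU stat: numeric owner uid and octal mode (assumption: Linux coreutils)
        out=$(stat -c '%u %a' "$p" 2>/dev/null) || return 2
        set -- $out
        uid=$1
        mode=$2
        # keep the last three octal digits (drops setuid/setgid/sticky digit)
        perms=$mode
        while [ ${#perms} -lt 3 ]; do perms=0$perms; done
        perms=${perms#"${perms%???}"}
        group=${perms#?}; group=${group%?}
        other=${perms#??}
        if [ "$uid" != "$owner" ]; then
            echo "$p: owned by uid $uid, expected $owner"
            rc=1
        fi
        # an octal digit with the write bit set is 2, 3, 6 or 7
        writable=0
        case $group in 2|3|6|7) writable=1;; esac
        case $other in 2|3|6|7) writable=1;; esac
        if [ "$writable" -eq 1 ]; then
            echo "$p: mode $mode is group- or world-writable"
            rc=1
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}
```

On a real host run `check_chroot_path /home/USERNAME` as-is; it exits 0 only when the whole path satisfies sshd's rule.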