Simple chroot without the need of jail or other packages
See gist:
# Add a group for sftp only
$ addgroup sftponly
# Add a new user
# Note: We are using public key authentication, so leave the password blank
$ adduser USERNAME
# Add the user to the sftp only group
$ adduser USERNAME sftponly
# [optional] Add the user to some other groups like www-data
$ adduser USERNAME GROUPNAME
# Add the user's public key so they can log in
$ mkdir /home/USERNAME/.ssh
$ vim /home/USERNAME/.ssh/authorized_keys
$ chmod 0700 /home/USERNAME/.ssh
$ chmod 0600 /home/USERNAME/.ssh/authorized_keys
$ chown -R USERNAME:USERNAME /home/USERNAME/.ssh
# In this example we're using the user's home folder as the chroot.
# sshd only accepts a ChrootDirectory (and every parent directory of it) that is owned
# by root and not writable by any other user or group, so the user's home must be handed to root
$ chown root:root /home/USERNAME
# Now we configure the sftp only group
$ vi /etc/ssh/sshd_config
# Change the Subsystem line to internal-sftp
Subsystem sftp internal-sftp
# At the end of the file add the following lines
Match Group sftponly
AllowTcpForwarding no
ForceCommand internal-sftp
# %h is a shortcut for the user's home folder
ChrootDirectory %h
# Restart the ssh service
$ service ssh restart
# Symlinks that point outside the chroot can't be followed from inside it, so a simple way
# to provide resources is to bind-mount those folders into the chroot environment. To make sure
# they're still available after a system reboot, we add them to the fstab config
$ vi /etc/fstab
# Add the following line(s) depending on your needs
/PATH/TO/EXPOSED_FOLDER /home/USERNAME/EXPOSED_FOLDER none defaults,bind 0 0
# Note: For the mount to succeed, the mount point /home/USERNAME/EXPOSED_FOLDER needs to exist
$ mkdir /home/USERNAME/EXPOSED_FOLDER
# Mount all configured entries in the fstab config
$ mount -a
Written by franklin