creating a jailed SFTP users on Debian

#openssl

#debian

#ubuntu

#sftp

#chroot

#jailed

Every so often I have to create a jailed SFTP user account for one of our servers at work, so a 3rd party developer can hack away on WordPress or whatever, without being tempted to access our codebase for other projects.

Here's what you do:

choose your jail. I chose /jail
groupadd sftp-only ( first time only )
useradd -g sftp-only -d /jail --shell /sbin/nologin bob
htpasswd bob
add this to /etc/ssh/sshd_config:

Match group sftp-only
  ChrootDirectory %h
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp
  PubkeyAuthentication no
  RSAAuthentication no
  PasswordAuthentication yes

chown root:root /jail
chown root:root /jail/bob
chmod 755 /jail/bob
mkdir /jail/bob/fylez
chown bob:sftp-only /jail/bob/fylez
service sshd restart

Written by Sean Macdonald

Say Thanks

Respond

Related protips

Fix SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

81.09K

Checking an SSL certificate for SHA-2 hash algorithm

35.56K

Checking if a CSR is signed with SHA-2 hash algorithm

21.97K

2 Responses

Add your response

thomshouse

If you're going to be jailing multiple users, you can modify the sshd_config Match block to:

Match group sftp-only

Actually, that's probably how I would do it even with one user, since you're already creating the stfp-only group.

over 1 year ago ·

sean9999

good point. i've updated the code. Note to other readers, I previously used Match user, which would require more manual maintenance work as users come and go

over 1 year ago ·