
How do I chroot users so that they cannot get out of their home directories when using SFTP?

asked Dec 29 '10 at 19:33

SSH KB ♦


To chroot users to their home directories when using SFTP in 4.x:

  1. Edit the following line in the configuration file /etc/ssh2/sshd2_config:

ChRootUsers user1,user2,user3

If all the users are in the same group, edit the following instead:

ChRootGroups group1,group2,group3

  2. Also set the internal sftp-server in sshd2_config:

subsystem-sftp internal://sftp-server

  3. Edit the /etc/passwd file so that the user's shell is set to /bin/ssh-dummy-shell. This is a good practice in case the server is accidentally started with a different configuration file and the user is not chrooted to her home directory. However, ssh-dummy-shell is not needed or used when the user is successfully chrooted.

Note: If the ssh-dummy-shell binary is not static, you also need to copy the libraries the binary needs under the chroot jail. You can check the shared library dependencies with the ldd command.

  4. Restart the SSH Tectia Server and try to connect with SFTP as user1, and verify that the environment is chrooted.

For instructions on how to do this with 5.x and later versions, please see the SSH Tectia Server's Administrator's Guide, Chapter 7, "File Transfer", "Restricting Services" section.


answered Dec 29 '10 at 19:33

SSH KB ♦

edited Jan 27 '11 at 08:27
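
A pre-restart check of the settings from the steps above, as an added example that is not part of the original answer or of SSH Tectia. The function names (`cfg_value`, `note`, `audit_chroot`) are hypothetical, the parser assumes simple "Keyword value" lines with plain comma-separated user names, and only ChRootUsers is covered, not ChRootGroups.

```shell
#!/bin/sh
# Assumption: config lines are "Keyword value", keyword case-insensitive,
# '#' starts a comment, ChRootUsers holds plain comma-separated names.

# cfg_value FILE KEYWORD -> prints the last value set for KEYWORD
cfg_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { v = $2 }
        END { print v }' "$1"
}

# note MESSAGE -> prints one finding and counts it
note() { echo "$1"; findings=$((findings + 1)); }

# audit_chroot CONFIG PASSWD -> prints findings, returns 0 only if there are none
audit_chroot() {
    cfg=$1; passwd=$2; findings=0
    users=$(cfg_value "$cfg" ChRootUsers)
    sftp=$(cfg_value "$cfg" subsystem-sftp)
    [ "$sftp" = "internal://sftp-server" ] ||
        note "subsystem-sftp is '${sftp:-unset}', expected internal://sftp-server"
    [ -n "$users" ] || note "ChRootUsers is not set"
    for u in $(echo "$users" | tr ',' ' '); do
        # Field 7 of a passwd entry is the login shell
        shell=$(awk -F: -v u="$u" '$1 == u { print ($7 == "" ? "(empty)" : $7) }' "$passwd")
        case $shell in
            /bin/ssh-dummy-shell) ;;
            "") note "$u: listed in ChRootUsers but has no passwd entry" ;;
            *)  note "$u: shell is $shell, expected /bin/ssh-dummy-shell" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample input (not taken from a real host)
demo=$(mktemp -d)
cat > "$demo/sshd2_config" <<'EOF'
# constructed sample
ChRootUsers user1,user2,user3
subsystem-sftp internal://sftp-server
EOF
cat > "$demo/passwd" <<'EOF'
user1:x:1001:1001::/home/user1:/bin/ssh-dummy-shell
user2:x:1002:1002::/home/user2:/bin/bash
EOF
audit_chroot "$demo/sshd2_config" "$demo/passwd" || echo "audit: findings listed above"
```

On a server, pass /etc/ssh2/sshd2_config and /etc/passwd as the two arguments; a clean result does not replace the SFTP connection test in the last step.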


All user contributed content licensed under the cc-by-sa license.