
I want to set up a public storage server which allows sftp and rsync (through ssh). I've got it working with a chroot jail and rssh. When the user connects to the server with sftp he can read all the files in the chroot jail (like /lib and /bin). Likewise with rsync (rsync --list-only user@server:/). I would like to have a setup where the user can only view, and cannot leave, his home directory.

An additional requirement is that I don't want to set up a chroot environment for each user.

I already tried the ChrootDirectory and ForceCommand statements in sshd_config, which work great for sftp but do not allow any rsync.

slm
vdrmrt

2 Answers


For the sftp part you might look at the directives Subsystem sftp internal-sftp together with ChrootDirectory in sshd_config.

pQd


Did you try to set up commands on the accepted keys as proposed in Trying to setup chroot'd rsync?

Excerpt:

Granting ssh access does not necessarily imply full shell access, for example, this shows how to use the ssh authorized_keys file to allow backup via rsync while limiting available commands to just the rsync receiver.

Something like this, in your authorized_keys file:

command="/usr/bin/rsync --server -a . /tmp/user1" ssh-rsa ... user1
command="/usr/bin/rsync --server -a . /tmp/user2" ssh-rsa ... user2

There are also pointers to two blog articles. The first explains how to restrict ssh to rsync:

The second covers what you don't want: setting up a chroot environment.

Personally I would go for the chroot and set up $USER/{bin|lib} as bind mounts. This way I would maintain a single chroot environment mounted on every user's chroot.

itorres
  • The bind mounts are a good idea but then the user will still be able to see them with rsync, right? – vdrmrt May 18 '13 at 15:28
  • Can I combine commands in the authorized_keys file to include rsync and sftp? – vdrmrt May 18 '13 at 15:28
  • re: bind mounts, they would be able to see bin and lib but that shouldn't be a problem, it's only binaries and libs. – itorres May 21 '13 at 17:42
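The two answers split the problem: ChrootDirectory plus internal-sftp confines sftp without any binaries in the jail, while a command= entry in authorized_keys confines rsync but hard-codes one direction and one destination, and the last comment asks whether rsync and sftp can share one key. The forced-command gate below is an added example and is not code from the question, from either answer, or from OpenSSH or rsync. It generalises the command= approach: it inspects SSH_ORIGINAL_COMMAND (which sshd sets to the client's command line, or to the configured subsystem command such as internal-sftp when the client requests the sftp subsystem), execs only sftp-server or an rsync --server invocation whose path has been rewritten under one directory, and denies everything else. Assumed names: the script path /usr/local/bin/ssh-gate, the group name storage, the sftp-server location /usr/lib/openssh/sftp-server, the GATE_ROOT and RSYNC variables, and the small rsync option allowlist, which you would extend for the clients you actually see.

```shell
#!/bin/sh
# ssh-gate: forced-command dispatcher for a storage account that may use
# only sftp and rsync.  Added example; not from the page or from OpenSSH.
#
# Wiring (assumed names), either globally in sshd_config:
#   Subsystem sftp internal-sftp
#   Match Group storage
#       ChrootDirectory %h
#       ForceCommand /usr/local/bin/ssh-gate dispatch
#       AllowTcpForwarding no
#       X11Forwarding no
# or per key in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/ssh-gate dispatch",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... user1

set -f                       # never glob: every word below comes from the client

# Directory rsync is pinned to; inside a "ChrootDirectory %h" jail this is "/".
GATE_ROOT="${GATE_ROOT:-${HOME:-/}}"
# internal-sftp is not an executable, so a wrapper must exec the real binary
# (path is distro-specific; Debian/Ubuntu shown, RHEL uses /usr/libexec/openssh/).
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"
RSYNC="${RSYNC:-/usr/bin/rsync}"

log() { logger -t ssh-gate -p auth.warning -- "$*" 2>/dev/null || :; }

# classify_request CMD -> prints sftp | rsync | deny.
# For a subsystem request sshd puts the configured subsystem command in
# SSH_ORIGINAL_COMMAND; we never exec what the client names, only $SFTP_SERVER.
classify_request() {
    case "$1" in
        internal-sftp|*/sftp-server) echo sftp ;;
        "rsync --server "*)          echo rsync ;;
        *)                           echo deny ;;
    esac
}

# safe_path REQUESTED -> prints the path re-rooted under GATE_ROOT, or fails.
# Conservative: rejects "..", option-looking names, whitespace and shell
# metacharacters, so the result can be handed to exec unquoted.
safe_path() {
    rel="$1"
    case "$rel" in
        ""|*..*|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    rel="${rel#/}"                      # "/foo" and "foo" both mean <root>/foo
    if [ -z "$rel" ]; then rel="."; fi  # "/" means the root itself
    printf '%s/%s\n' "${GATE_ROOT%/}" "$rel"
}

# rsync_args CMD -> prints "RSYNC --server [opts] . PINNED_PATH" or fails.
# The client's own path is discarded; only allow-listed options survive, so
# --rsh, --log-file, --remove-source-files and friends are refused.
rsync_args() {
    set -- $1                            # split the client's command line
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    out="$RSYNC --server"
    while [ $# -gt 2 ]; do
        case "$1" in
            --sender|--delete|--delete-during|--delete-after|--delete-delay|--partial|--inplace|--numeric-ids|--compress|--timeout=*|-[A-Za-z.]*)
                out="$out $1" ;;
            *) return 1 ;;
        esac
        shift
    done
    [ $# -eq 2 ] && [ "$1" = . ] || return 1
    dest=$(safe_path "$2") || return 1
    printf '%s . %s\n' "$out" "$dest"
}

dispatch() {
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    case "$(classify_request "$cmd")" in
        sftp)  exec "$SFTP_SERVER" ;;
        rsync) args=$(rsync_args "$cmd") || { log "denied rsync from $USER: $cmd"; exit 1; }
               exec $args ;;
        *)     log "denied from $USER: ${cmd:-<shell request>}"; exit 1 ;;
    esac
}

case "${1:-}" in dispatch) dispatch ;; esac
```

Installed this way with ChrootDirectory %h, the wrapper, /bin/sh, rsync and sftp-server must all exist inside the jail, which is exactly the shared bin/lib bind mount described in the answer above; the sftp session is still confined by the chroot, not by the wrapper, whereas rsync is confined by the path rewrite, so rsync --list-only user@server:/ now lists only the user's own tree. Because safe_path allow-lists characters, paths containing whitespace or shell metacharacters are refused rather than quoted; relax that deliberately if your clients need it.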