I know there are different versions of this question, but I am trying to give each user a folder within the chroot directory, and he/she should not be able to navigate outside the assigned folder.
What I have is a Red Hat 7.1 Linux box in the cloud. What I need is:
- create a group exchangefiles
- restrict the group to SFTP
- I have more than one user: Legacy1, Legacy2, Legacy3
- create a user/password for each user
- create folders under /exchangefolder for each user
- restrict users to their assigned folders (no navigation outside their folders), e.g.
  - Legacy1 user can only SFTP to /exchangefolder/Legacy1
  - Legacy2 user can only SFTP to /exchangefolder/Legacy2
After this, all I need to do whenever I have a new user is add it to this group (and no other group) and give it access to a folder under /exchangefolder.
I used the instructions in "https://passingcuriosity.com/2014/openssh-restrict-to-sftp-chroot/", then modified "/etc/ssh/sshd_config" by adding:
Match Group exchangefiles
# Force the connection to use the built-in SFTP support.
ForceCommand internal-sftp
# Chroot the connection into the specified directory.
#ChrootDirectory /home/exchangefiles/%u
#ChrootDirectory /home/exchangefiles
ChrootDirectory %h
# Disable network tunneling
PermitTunnel no
# Disable authentication agent forwarding.
AllowAgentForwarding no
# Disable TCP connection forwarding.
AllowTcpForwarding no
# Disable X11 remote desktop forwarding.
X11Forwarding no
I created /home/exchangefiles:
$ ls -ltr
total 16
drwxrwxr-x 2 root exchangefiles 4096 Jul 11 11:12 files
drwxrwxr-x 2 root exchangefiles 4096 Jul 11 15:31 sftptest2
drwxrwxr-x 3 root exchangefiles 4096 Jul 11 16:16 sftptest1
drwxrwxr-x 3 root exchangefiles 4096 Jul 11 18:32 sftptest3
and the folder structure below it.
I created the users as per the link above, but then I tried to set each user's home directory inside the jail structure, e.g. user sftptest1 would have the home directory
/home/exchangefiles/sftptest1
The problem is that I cannot SFTP unless I change
ChrootDirectory %h
to
ChrootDirectory /home/exchangefiles
which defeats my purpose of creating a separate folder for each user (sort of a jail within a jail).
Is this doable? What is the best way to do it?