How to restrict SFTP-only users to a specific folder within the chroot directory

0

I know there are different versions of this question, but I am trying to give each user a folder within the chroot directory, and he/she should not be able to navigate outside the assigned folder.

What I have is a Red Hat 7.1 Linux box in the cloud. What I need is:

  • Create a group exchangefiles
  • Restrict the group to SFTP
  • I have more than one user: Legacy1, Legacy2, Legacy3
    • Create a user/password for each user
    • Create folders under /exchangefolder for each user
    • Restrict users to their assigned folders (no navigation outside their folders), e.g.
      • Legacy1 can only SFTP to /exchangefolder/Legacy1
      • Legacy2 can only SFTP to /exchangefolder/Legacy2

After this, all I need to do whenever I have a new user is add it to this group (and no other group) and give it access to a folder under /exchangefolder.

I used the instructions at "https://passingcuriosity.com/2014/openssh-restrict-to-sftp-chroot/" and then modified "/etc/ssh/sshd_config" by adding

Match Group exchangefiles
# Force the connection to use the built-in SFTP support.
ForceCommand internal-sftp
# Chroot the connection into the specified directory.
#ChrootDirectory /home/exchangefiles/%u
#ChrootDirectory /home/exchangefiles
ChrootDirectory %h
# Disable network tunneling
PermitTunnel no
# Disable authentication agent forwarding.
AllowAgentForwarding no
# Disable TCP connection forwarding.
AllowTcpForwarding no
# Disable X11 remote desktop forwarding.
X11Forwarding no

I created

/home/exchangefiles
$ ls -ltr
total 16
drwxrwxr-x 2 root exchangefiles 4096 Jul 11 11:12 files
drwxrwxr-x 2 root exchangefiles 4096 Jul 11 15:31 sftptest2
drwxrwxr-x 3 root exchangefiles 4096 Jul 11 16:16 sftptest1
drwxrwxr-x 3 root exchangefiles 4096 Jul 11 18:32 sftptest3

and the folder structure below it.

I created the user as per the link above, but then I tried to set each user's home directory inside the jail structure, e.g. user sftptest1 would have the home directory

/home/exchangefiles/sftptest1

The problem is that I cannot SFTP unless I change

ChrootDirectory %h

to

ChrootDirectory /home/exchangefiles

which defeats my purpose of creating a separate folder for each user (a sort of jail within a jail).

Is this doable? What is the best way to do it?

AMG

Posted 2016-07-12T17:39:51.770

Reputation: 1

Answers

0

From your description it sounds to me as if you want a separate chroot directory for each user: ChrootDirectory /home/exchangefiles/%u.

cjs

Posted 2016-07-12T17:39:51.770

Reputation: 380
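Added example (not code from the question, the answer, or the linked guide): the per-user jail layout that makes `ChrootDirectory /home/exchangefiles/%u` work, together with a check for the rule sshd applies to every component of a chroot path (owned by root, not writable by group or others). The listing in the question shows the per-user directories as `drwxrwxr-x root exchangefiles`, i.e. group-writable, which is what sshd refuses when `%h` points at them, while the root-owned, non-group-writable parent `/home/exchangefiles` is accepted. The group name and jail base are taken from the question; the `files` subdirectory, the `/sbin/nologin` shell, the function names and the `CHROOT_OWNER_UID` override used by the demo are assumptions.

```shell
#!/bin/bash
# Added example; not from the question, the answer, or the linked guide.
# Layout that works with "ChrootDirectory /home/exchangefiles/%u":
#   /home/exchangefiles/<user>        root:root      0755   (the chroot itself)
#   /home/exchangefiles/<user>/files  <user>:exchangefiles 0750 (writable area)
# sshd requires every component of the chroot path to be root-owned and not
# group- or world-writable; the question's "drwxrwxr-x root exchangefiles"
# directories fail that rule, so "ChrootDirectory %h" is refused.
#
# Assumptions (not from the page): group "exchangefiles", jail base JAIL_BASE,
# one "files" subdirectory per user, no login shell. CHROOT_OWNER_UID stays 0
# on a real host; the demo overrides it to run the check unprivileged.

set -u
JAIL_BASE="${JAIL_BASE:-/home/exchangefiles}"
CHROOT_OWNER_UID="${CHROOT_OWNER_UID:-0}"

# check_chroot_dir BASE DIR
# Walks every component of DIR below BASE (use "/" as BASE on a real host) and
# prints the first one sshd would reject. Returns 0 only if all pass.
check_chroot_dir() {
    local base="${1%/}" dir="$2" cur part rel uid perm
    case "$dir" in
        "$base"/*) ;;
        *) echo "reject: $dir is not below ${base:-/}"; return 1 ;;
    esac
    rel="${dir#"$base"/}"
    cur="$base"
    local IFS='/'
    for part in $rel; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || { echo "reject: $cur is missing or not a directory"; return 1; }
        uid=$(stat -c '%u' "$cur")
        perm=$(stat -c '%A' "$cur")          # e.g. drwxrwxr-x
        if [ "$uid" != "$CHROOT_OWNER_UID" ]; then
            echo "reject: $cur is owned by uid $uid, not $CHROOT_OWNER_UID"; return 1
        fi
        case "$perm" in                     # char 6 = group write, char 9 = other write
            ?????w*|????????w*) echo "reject: $cur is group/world writable ($perm)"; return 1 ;;
        esac
    done
    echo "ok: $dir"
}

# Match block for sshd_config: each member of the group is chrooted into its
# own directory and limited to the in-process SFTP server.
render_sshd_match() {
    cat <<EOF
Match Group exchangefiles
    ChrootDirectory ${JAIL_BASE}/%u
    ForceCommand internal-sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# provision_sftp_user NAME   (run as root on the server; not called by the demo)
# The jail root stays root:root 0755; the user only owns the "files" directory.
provision_sftp_user() {
    local user="$1"
    getent group exchangefiles >/dev/null || groupadd exchangefiles
    useradd -M -g exchangefiles -d "$JAIL_BASE/$user" -s /sbin/nologin "$user"
    install -d -o root    -g root          -m 0755 "$JAIL_BASE/$user"
    install -d -o "$user" -g exchangefiles -m 0750 "$JAIL_BASE/$user/files"
    passwd "$user"
}

# Demo on a temporary tree as an unprivileged user. The owner rule is checked
# against our own uid here; on the server keep CHROOT_OWNER_UID=0 and run
#   check_chroot_dir / /home/exchangefiles/Legacy1
demo=$(mktemp -d)
CHROOT_OWNER_UID=$(id -u)
mkdir -m 0775 "$demo/sftptest1"        # the question's layout: group-writable
mkdir -m 0755 "$demo/Legacy1"          # jail root as sshd wants it
mkdir -m 0750 "$demo/Legacy1/files"    # the user's writable area inside it
check_chroot_dir "$demo" "$demo/sftptest1" || echo "  -> sshd would refuse this chroot"
check_chroot_dir "$demo" "$demo/Legacy1"
render_sshd_match
rm -rf "$demo"
```

After appending the Match block to /etc/ssh/sshd_config, validate with `sshd -t` before restarting sshd; a user then lands in `/` of their own jail and can only write under `files`. Because the jail root is root-owned and 0755, the user cannot create anything directly in it, which is the intended behaviour rather than a misconfiguration.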