
Setting up SFTP with chroot on Debian.


I found three faulty guides on how to do this, so let me write another (probably also faulty) one.
First, create a user called "blabla" who will be restricted to their home directory, /home/blabla. For this you need a new "sftp_users" group, created with groupadd as shown (the leading # in all these examples is the prompt; don't type it):
# sudo groupadd sftp_users
Next, create the user blabla in the sftp_users group and give it a password.
# sudo useradd -m -G sftp_users blabla
# sudo passwd blabla
Now, because of the way sshd's chroot support works, the user's home directory must be owned by "root" and must not be writable by the group or by other users; sshd refuses the login if either condition is not met.
# sudo chown root:sftp_users /home/blabla
# sudo chmod 0755 /home/blabla
And because root now owns this user's home directory, the user can't write anything there, so we need to add a sub-folder that the user does have write access to:
# sudo mkdir /home/blabla/files
# sudo chown blabla:sftp_users /home/blabla/files
Then we need to make some changes to the /etc/ssh/sshd_config file. First look for the line that starts with "Subsystem" and change it to:
Subsystem sftp internal-sftp
We also need to add a section at the very end of the file: a Match block applies to every line that follows it until the next Match line, so anything placed below it would become part of the match instead of a global setting. Keep the indentation the same as shown here.
Match Group sftp_users
    ForceCommand internal-sftp
    ChrootDirectory %h
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
After editing the file, restart your sshd:
# sudo systemctl restart sshd
You should now be able to use WinSCP or a similar client to reach the "files" folder, while an interactive ssh login for this user is refused.

Giving access to folders outside the jail

The chrooted user can't reach anything outside /home/blabla, so a folder from elsewhere has to be bind-mounted into the jail. To have the mount set up on every boot, edit /etc/fstab and add this line at the end:
/home/otheruser/stuff /home/blabla/external none rw,bind 0 0
You also need to create the directory that serves as the mount point, and then mount everything listed in fstab right away:
# sudo mkdir -p /home/blabla/external
# sudo mount -a

Mounting the folder from OSX

Download FUSE and sshfs for macOS and install them. Then edit the client-side ssh configuration file:
# sudo nano /etc/ssh/ssh_config
And locate the section that has "Host *" in it, and add this line below it:
Host *
    IPQoS=throughput
Now create an empty directory to serve as the mount point and mount it using sshfs. In this simple example you will have to enter the password every time, but there are guides online on how to set up a public/private key pair so the login is stored permanently:
# mkdir remotefolder
# sshfs blabla@someserver.com: remotefolder



Website by Joachim Michaelis