Simple Jailed SFTP Users With CentOS

If you want an easy way to set up jailed SFTP users on CentOS 5.x, this is hands down the fastest way to get there. What is a “jailed SFTP user”, you ask? Well, let’s say you want to give a client access to their hosted files on your VPS hosting account. By default, if you give a user SFTP access they can browse the entire file system when they connect – not just their own site content. Not good. You need to be able to limit (“jail”) them to a certain directory so they only see their own files.

There are a lot of guides out there that set out to achieve this – most of them also include allowing SSH access (which in most cases you don’t need), and they’re fairly complicated. I spent a lot of time trying to find a solution that just worked and didn’t involve me trying to compile things from sources, change a huge amount of configuration files, etc.

Eventually I found this guide which is very straightforward. I’m going to republish it here because a) the original site is down sometimes, and b) I wanted to clarify a couple points.

The most important step is the first one: upgrading OpenSSH to version 5.x. The OpenSSH 4.x that ships with CentOS 5 lacks the functions needed to “chroot” the users (i.e. set their root directory when they log in) so that they can only see files under their virtual root directory. Once upgraded, it’s just a few lines of config changes and some basic user setup and you’re good to go. Feel free to ask in comments for help if you get stuck.

** Make sure you are root or using sudo for this to work

1. Upgrade to OpenSSH 5.x

## fetch the packages - 64-bit system
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-clients-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-server-5.1p1-3.el5.hrb.x86_64.rpm

– or –

## fetch the packages - 32-bit system
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-clients-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-server-5.1p1-3.el5.hrb.i386.rpm

then…

## upgrade OpenSSH
rpm -Uvh openssh-*

2. Comment out the following line in ‘/etc/ssh/sshd_config’

Subsystem     sftp     /usr/libexec/openssh/sftp-server

3. Append these lines to the end of ‘/etc/ssh/sshd_config’

Subsystem     sftp     internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

4. Add the ‘sftponly’ user group

groupadd sftponly

5. Modify the user’s group and shell

usermod -g sftponly jsmith
usermod -s /bin/false jsmith

6. Set the proper filesystem permissions

(John Smith’s home directory is /home/jsmith and his website is in /home/jsmith/public_html)

## the chroot root must be owned by root and not writable by group or others
chown root:root /home/jsmith
chmod 755 /home/jsmith
chown jsmith:sftponly /home/jsmith/public_html

7. Restart the SSHD daemon

/etc/init.d/sshd restart

Done!

Pretty easy, eh? And remember, you can tweak the config in step 3 to support additional scenarios.
