SFTP chroot with OpenSSH

Ok, this post has been in my draft section for too long lol. A while ago I needed to share some files from my home backup server with my friend. I didn't have an FTP server installed. I could give him SFTP access, but I didn't want to give him access to my entire server. So I needed a way to create an SFTP user and chroot him into one directory. I found out that you can do that with OpenSSH. It's recommended to upgrade your OpenSSH first if you have an old version. Read more if you're interested.

In this tutorial we want to give our friend Derp chrooted SFTP access to our server. In this case I'm doing this under FreeBSD. If you're doing it on a Linux machine, use the proper Linux commands instead.

Here is how we do it:

  1. First you have to create an sftp group. The group can be named whatever you like:

    [root@awesomeness~]# pw groupadd sftp

  2. Create a new user and put him in the sftp group that we created in step 1. We will create the user Derp. Specify his home directory so that it will be inside our sftp home directory (check step 4). Make sure that he doesn't have shell access (nologin). Then set a password for the new user.

    [root@awesomeness~]# pw useradd derp -g sftp -d /usr/local/sftp/derp -s /sbin/nologin

    Set password:

    [root@awesomeness~]# passwd derp

  3. Now you have to set up the sftp-server Subsystem in sshd_config. Add/modify these lines in your /etc/ssh/sshd_config. /usr/local/sftp will be our root directory for SFTP transfers. Comment out this line:

    #Subsystem       sftp    /usr/libexec/openssh/sftp-server

    Add these lines (the Match block applies to everything after it, so put it at the end of sshd_config):

    Subsystem sftp internal-sftp

    Match Group sftp
        ChrootDirectory /usr/local/sftp/%u
        ForceCommand internal-sftp

  4. Now we need to create the sftp home directory. I will do that in /usr/local:

    [root@awesomeness/usr/local]#  mkdir sftp

    Create a home directory inside sftp/ for our Derp:

    [root@awesomeness/usr/local]# mkdir sftp/derp

    /usr/local/sftp/derp is like the / directory for our Derp. Now you have to create a new directory inside /usr/local/sftp/derp that will be visible to Derp. In this case, the directory share.

    [root@awesomeness/usr/local/sftp/derp]#  mkdir share

  5. You need to set up the right permissions in order to get this working:
    The directory /usr/local/sftp/derp/share must be owned by the user derp and the group sftp:

    [root@awesomeness/usr/local/sftp/derp]#  chown derp:sftp share

    [root@awesomeness/usr/local/sftp/derp]# ls -l
    total 2
    drwxr-xr-x 2 derp sftp 2 Jun 13 20:26 share

    The chroot directory itself and every directory above it in the path must be owned by root:

    [root@awesomeness/usr/local/sftp]# chown root:wheel derp/
    [root@awesomeness/usr/local]# chown root:wheel sftp/

    Result:

    drwxr-xr-x  3 root  wheel  3 Jun 13 20:28 derp
    drwxr-xr-x  3 root  wheel  3 Jun 13 20:28 sftp


  6. Now restart your SSH server:

    [root@awesomeness~]# /etc/rc.d/sshd restart

  7. Try out if it's working:

    [root@derp ~]# sftp derp@sftp.derp.net
    Password:
    Connected to sftp.derp.net.     // Connected!
    sftp> ls
    share
    sftp> cd ..       // Hey Derp! What are you trying to do there!?
    sftp> ls
    share         // Oops! Can't go below Derp's home directory!


That’s it! Power to the SSH! I hope it’s working for you too. Enjoy your sharing.

Ajm sori if maj Ingliš is bed. :)
