OpenSSH SFTP chroot() on Ubuntu

Posted 2013-8-19 10:23:05
This post was last edited by MySense on 2013-8-19 10:24

This tutorial shows how to allow users to log in to an Ubuntu server account with the SSH or SFTP protocols and chroot them in their home folder.

This tutorial works on Ubuntu server 11.04, 11.10 and 12.04.

1. First install the rssh shell
  sudo apt-get install rssh
2. Create the user sftponly
  sudo adduser sftponly
3. Edit the ssh config file
  sudo vi /etc/ssh/sshd_config
4. Add the suffix -u 0022 to this line in sshd_config
  Subsystem sftp /usr/lib/openssh/sftp-server -u 0022
Optional - If you want to specify which users can log in with the ssh protocol, add this line at the end of the sshd_config file
  AllowUsers user1 user2 user3 ...
And to chroot users in their home folder
  Match Group sftponly
          ChrootDirectory /home/%u
          ForceCommand internal-sftp
The user's home folder must be owned by root.root, and all subfolders must be owned by username.sftponly
  sudo chown -R username.sftponly /home/userfolder
  sudo chown root.root /home/userfolder
In /etc/passwd, change all users with an ID bigger than the group ID: look up the sftponly gid in /etc/group and set it for all existing users.
In /etc/passwd, change all users' default shell to /usr/bin/rssh

internetpartner.info


Original poster | Posted 2013-8-19 10:36:59

Creating SFTP accounts in Ubuntu for website files uploading

This post was last edited by MySense on 2013-8-19 10:44

I have recently set up a new webserver, using Cherokee on Ubuntu, and then had to undergo the task of giving SFTP access to users, so that they could upload their websites and files.


Here are the instructions I used, which were taken from http://shapeshed.com/journal/chr ... on_ubuntu_intrepid/
but didn't entirely work, so I'm re-writing them with what worked on my webserver.


The process consists of 2 main steps:
  • create a user with the relevant settings
  • set up ssh to work with the sftp group and accept inbound SFTP-style connections

User Stuff
CREATE SFTP ACCOUNT
  sudo groupadd sftp
No need to use sudo if you're logged in as root. Bad practice, I know, but it takes out some confusion for people.
CREATE A USER and set their home directory as the root of their website folder
  sudo useradd -d /var/www/thewebsite.com username
CREATE A PASSWORD
  sudo passwd username
MODIFY THE USER TO ADD THEM TO YOUR NEW SFTP GROUP
  sudo usermod -g sftp username
MODIFY THE USER AND DENY ACCESS TO A SHELL, i.e. THEY WON'T BE ABLE TO LOG IN TO A SHELL
  sudo usermod -s /bin/false username

SSH Stuff
EDIT YOUR SSH CONFIG FILE
  sudo vim /etc/ssh/sshd_config
CHANGE THE SUBSYSTEM line
Firstly comment out the following line
  # Subsystem sftp /usr/lib/openssh/sftp-server
Then add
  Subsystem sftp internal-sftp
Then add this to the bottom of the file
  Match Group sftp
      X11Forwarding no
      ChrootDirectory %h
      AllowTcpForwarding no
      ForceCommand internal-sftp
At this point I decided to restart ssh just to make sure the changes were ok
  sudo /etc/init.d/ssh restart
If any of the lines are formatted badly, ssh may not restart.
Finally you need to set the permissions of the website folder to allow access to the files for your new user. Basically, root needs to have access to the root website folder and your new user needs access to the files and folders beneath.

My websites live in /var/www. To check, I issue
  cd /var/www
  ls -l
This shows me that all the website root folders are owned by root root, which is correct. If they are not, you need to
  chown root:root thewebsite.com
Then we need to set the permissions beneath this folder for the new user. So I
  cd /var/www/thewebsite.com
  chown -R username:sftp *
Now when I issue an ls -l I can see all the files owned by my user and in the group sftp.

And that's it.

Now users can be given the username and password that were set up, use an SFTP client, such as CoreFTP Lite, and SFTP into my Ubuntu box. They ONLY have access to their folder, as the root of their access is their home folder; they cannot browse anywhere else.
