http://cooker.wbitt.com/index.php?title=SFTP_chroot&action=history Revision history for this page on the wiki en MediaWiki 1.15.1 Sat, 20 Jun 2026 09:26:08 GMT http://cooker.wbitt.com/index.php?title=SFTP_chroot&diff=1509&oldid=prev <p>Created page with &#39;&lt;pre&gt; [root@lnxlan215 ~]# tail /etc/ssh/sshd_config Subsystem sftp /usr/libexec/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X…&#39;</p> <p><b>New page</b></p><div>&lt;pre&gt;<br /> [root@lnxlan215 ~]# tail /etc/ssh/sshd_config <br /> Subsystem sftp /usr/libexec/openssh/sftp-server<br /> <br /> # Example of overriding settings on a per-user basis<br /> #Match User anoncvs<br /> # X11Forwarding no<br /> # AllowTcpForwarding no<br /> # ForceCommand cvs server<br /> <br /> Match Group webmasters <br /> ChrootDirectory %h<br /> [root@lnxlan215 ~]# <br /> <br /> service sshd restart<br /> <br /> <br /> [root@bilaltest ~]# ssh web1@192.168.122.1<br /> web1@192.168.122.1's password: <br /> Read from remote host 192.168.122.1: Connection reset by peer<br /> Connection to 192.168.122.1 closed.<br /> [root@bilaltest ~]# <br /> <br /> <br /> <br /> [root@lnxlan215 ~]# tail -f /var/log/secure<br /> May 21 11:20:54 lnxlan215 sshd[23458]: pam_unix(sshd:session): session opened for user kamran by (uid=0)<br /> May 21 11:20:58 lnxlan215 sshd[23458]: pam_unix(sshd:session): session closed for user kamran<br /> May 21 11:21:09 lnxlan215 sshd[23502]: Accepted password for web1 from 192.168.122.119 port 40135 ssh2<br /> May 21 11:21:09 lnxlan215 sshd[23502]: pam_unix(sshd:session): session opened for user web1 by (uid=0)<br /> May 21 11:21:09 lnxlan215 sshd[23511]: fatal: bad ownership or modes for chroot directory &quot;/home/web1&quot;<br /> May 21 11:21:09 lnxlan215 sshd[23502]: pam_unix(sshd:session): session closed for user web1<br /> May 21 11:21:39 lnxlan215 sshd[23554]: Accepted password for web1 from 192.168.122.119 port 40136 ssh2<br /> May 21 11:21:39 lnxlan215 sshd[23554]: pam_unix(sshd:session): session opened for user web1 by (uid=0)<br /> May 21 11:21:39 lnxlan215 sshd[23562]: fatal: bad ownership or modes for chroot directory &quot;/home/web1&quot;<br /> May 21 11:21:39 lnxlan215 sshd[23554]: pam_unix(sshd:session): session closed for user web1<br /> ^C<br /> [root@lnxlan215 ~]# <br /> <br /> <br /> <br /> ---------<br /> <br /> Right, this is on purpose. We ban this because allowing a user write<br /> access to a chroot target is dangerously similar to equivalence with<br /> allowing write access to the root of a filesystem.<br /> <br /> If you want the default directory that users start in to be writable<br /> then you must create their home directory under the chroot. After<br /> sshd(8) has chrooted to the ChrootDirectory, it will chdir to the<br /> home directory as normal. So, for a passwd line like:<br /> <br /> djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh<br /> <br /> Create a home directory &quot;/chroot/djm/home/djm&quot;. Make the terminal &quot;djm&quot;<br /> directory user-owned and writable (everything else must be root-owned).<br /> Set &quot;ChrootDirectory /chroot&quot; in /etc/config.<br /> <br /> The directory specified for “ChrootDirectory” and all its parents up to / should be :<br /> # owned by root<br /> # not group or other writable<br /> <br /> A variant of this that yields less deep directory trees would be to set<br /> the passwd file up as:<br /> <br /> djm:*:1000:1000:Damien Miller:/upload:/bin/ksh<br /> <br /> Create &quot;/chroot/djm/upload&quot;, with &quot;upload&quot; the only user-owned and writable<br /> component. <br /> <br /> ------------<br /> <br /> <br /> <br /> [root@lnxlan215 ~]# mkdir /ssh-chroot/home/web1 -p<br /> <br /> <br /> man 5 sshd_config<br /> <br /> ChrootDirectory<br /> Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories<br /> that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.<br /> <br /> The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced<br /> by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.<br /> <br /> The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this<br /> requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and<br /> tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp<br /> server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).<br /> <br /> The default is not to chroot(2).<br /> <br /> ----------<br /> <br /> http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229<br /> -----------<br /> <br /> Notice that if any of the following is missing the users will not be able to logon to the chroot:<br /> <br /> *The /proc filesystem needs to be mounted in the users' chroot.<br /> <br /> *The necessary /dev/pts/ devices need to exist. If the files are generated by your running kernel automatically then you have to manually create them on the chroot's /dev/.<br /> <br /> *The user's home directory has to exist in the chroot, otherwise the ssh daemon will not continue.<br /> <br /> <br /> <br /> <br /> &lt;/pre&gt;</div> Sat, 21 May 2011 11:29:04 GMT Kamran http://cooker.wbitt.com/index.php/Talk:SFTP_chroot