From openssh version 4.9p1 up, chroot jail module has been built in, which makes the chroot jail restriction in sftp as possible as in ftp. Or it means ftp no more!<\/p>\n
referring to this link: http:\/\/www.minstrel.org.uk\/papers\/sftp\/builtin\/<\/p>\n
after downloading and tar -zxvf the source tar ball:<\/p>\n
.\/configure –prefix=\/usr –sysconfdir=\/etc\/ssh –with-pam –with-tcp-wrappers<\/p>\n
make; make install<\/p><\/blockquote>\n
then vi or nano the \/etc\/ssh\/sshd_config:<\/p>\n
replacing the Subsystem line with<\/p>\n
Subsystem\u00a0\u00a0\u00a0 sftp\u00a0\u00a0\u00a0 internal-sftp<\/p><\/blockquote>\n
adding these line at the end of the file:<\/p>\n
Match group sftponly<\/p>\n
ChrootDirectory %h<\/p>\n
ForceCommand internal-sftp<\/p>\n
AllowTcpForwarding no<\/p><\/blockquote>\n
now create the group ‘sftponly’:<\/p>\n
sudo groupadd sftponly<\/p><\/blockquote>\n
now create a user for chroot jailed sftp and this user will also be prevented from ssh-ing:<\/p>\n
sudo useradd -g sftponly -d \/home\/user1 -s \/bin\/false<\/p><\/blockquote>\n
or if you want to assign an already existed user to this purpose:<\/p>\n
sudo usermod -g sftponly -d \/home\/user1 -s \/bin\/false<\/p><\/blockquote>\n
now do something about his directory:<\/p>\n
sudo chown root:root \/home\/user1; sudo chmod 755 \/home\/user1<\/p><\/blockquote>\n
now you can sftp to this chroot jailed directory but you will find you can’t write into it. Here is the trick:<\/p>\n
cd \/home\/user1; sudo mkdir home; cd home; sudo mkdir user1; chown user1:sftponly user1<\/p><\/blockquote>\n
this solves the problem. This is because in chroot jailed situation, \/home\/user1 actually acts as \/ for sftped user1 and \/home\/user1\/home\/user1 actually acts as \/home\/user1 and since it is owned by user1, it can be written.<\/p>\n
Don’t try to directly chown \/home\/user1 to user1:sftponly or chmod to 777, it’ll cause sftp login to fail.<\/p>\n","protected":false},"excerpt":{"rendered":"
From openssh version 4.9p1 up, chroot jail module has been built in, which makes the chroot jail restriction in sftp as possible as in ftp. Or it means ftp no more! referring to this link: http:\/\/www.minstrel.org.uk\/papers\/sftp\/builtin\/ after downloading and tar -zxvf the source tar ball: .\/configure –prefix=\/usr –sysconfdir=\/etc\/ssh –with-pam –with-tcp-wrappers make; make install then vi … Continue reading “not ftp any more”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1210","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=\/wp\/v2\/posts\/1210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1210"}],"version-history":[{"count":0,"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=\/wp\/v2\/posts\/1210\/revisions"}],"wp:attachment":[{"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/softbeam.net\/hobby\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}