
Possible Duplicate:
Restricting an SSH/SCP/SFTP user to a directory

Can I confine my users to their /home/%u directory using simply the open-ssh configuration? I did the following from what I found on the Internet: stopped the server, then appended the following to the sshd_config file:

Match group sftpusers
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no

Then I started the server.

FYI, I have the users added to the sftpusers group.

My users can still access the entire file structure on my system.

Ubuntu Server 12.04 LTS with open-ssh installed.

Vikram

1 Answer


You also need to use Subsystem sftp internal-sftp. Forbid all the other forwardings, and use ForceCommand internal-sftp.

Also, as the sshd_config man page says, the directory to chroot into must be owned by root and not writable by anybody else, which is probably not the case for your /home/%u.

Probably, you'd want:

sudo mkdir -p /jail/home
sudo mount --bind /home /jail/home

and have

ChrootDirectory /jail

Or, to restrict users to their own directory, you'd need a bind mount for each user:

cd /home || exit 1
for u in */; do
  u=${u%/}                       # the */ glob yields "name/"; drop the trailing slash
  sudo mkdir -p "/jail/$u/home/$u"
  sudo mount --bind "/home/$u" "/jail/$u/home/$u"
done

And have

ChrootDirectory /jail/%u