franklinkim/server-chroot-environment.sh

## server-chroot-environment.sh
# Add a group for sftp only
$ addgroup sftponly

# Add a new user
# Note: We are using public key authentification, so leave the password blank
$ adduser USERNAME

# Add the user to the sftp only group
$ adduser USERNAME sftponly

# [optional] Add the user to some other groups like www-data
$ adduser USERNAME GROUPNAME

# Add the user's public key so he can log in
$ mkdir /home/USERNAME/.ssh
$ vim /home/USERNAME/.ssh/authorized_keys
$ chmod 0700 /home/USERNAME/.ssh
$ chmod 0600 /home/USERNAME/.ssh/authorized_keys
$ chown -R USERNAME:USERNAME /home/USERNAME/.ssh

# In this example we're using the user's home folder as the chroot
# so we need to change the owner and group of the user's home folder to root
$ chown root:root /home/USERNAME

# Now we configure the sftp only group
$ vi /etc/ssh/sshd_config

# Change the Subsystem line to internal-sftp
Subsystem sftp internal-sftp

# At the end of the file add the following lines
Match GROUP sftponly
        AllowTcpForwarding no
        ForceCommand internal-sftp
	# %h is a shortcut for the user's home folder
        ChrootDirectory %h

# Restart the ssh service
$ service ssh restart

# As symlinks don't work in a chroot environment a simple way to provide resources
# is to mount these folder into the chroot environment. To make sure they're still
# available on a system reboot, we add them to the fstab config
$ vi /etc/fstab

# Add the following line(s) depending on your needs
/PATH/TO/EXPOSED_FOLDER /home/USERNAME/EXPOSED_FOLDER none defaults,bind 0 0

# Note: To be able to mount, the /home/USERNAME/EXPOSED_FOLDER needs to exists
$ mkdir /home/USERNAME/EXPOSED_FOLDER

# Mount all configured entries in the fstab config
$ mount -a
	# Add a group for sftp only
	$ addgroup sftponly

	# Add a new user
	# Note: We are using public key authentification, so leave the password blank
	$ adduser USERNAME

	# Add the user to the sftp only group
	$ adduser USERNAME sftponly

	# [optional] Add the user to some other groups like www-data
	$ adduser USERNAME GROUPNAME

	# Add the user's public key so he can log in
	$ mkdir /home/USERNAME/.ssh
	$ vim /home/USERNAME/.ssh/authorized_keys
	$ chmod 0700 /home/USERNAME/.ssh
	$ chmod 0600 /home/USERNAME/.ssh/authorized_keys
	$ chown -R USERNAME:USERNAME /home/USERNAME/.ssh

	# In this example we're using the user's home folder as the chroot
	# so we need to change the owner and group of the user's home folder to root
	$ chown root:root /home/USERNAME

	# Now we configure the sftp only group
	$ vi /etc/ssh/sshd_config

	# Change the Subsystem line to internal-sftp
	Subsystem sftp internal-sftp

	# At the end of the file add the following lines
	Match GROUP sftponly
	AllowTcpForwarding no
	ForceCommand internal-sftp
	# %h is a shortcut for the user's home folder
	ChrootDirectory %h

	# Restart the ssh service
	$ service ssh restart

	# As symlinks don't work in a chroot environment a simple way to provide resources
	# is to mount these folder into the chroot environment. To make sure they're still
	# available on a system reboot, we add them to the fstab config
	$ vi /etc/fstab

	# Add the following line(s) depending on your needs
	/PATH/TO/EXPOSED_FOLDER /home/USERNAME/EXPOSED_FOLDER none defaults,bind 0 0

	# Note: To be able to mount, the /home/USERNAME/EXPOSED_FOLDER needs to exists
	$ mkdir /home/USERNAME/EXPOSED_FOLDER

	# Mount all configured entries in the fstab config
	$ mount -a