Created September 10, 2012 13:14
Save franklinkim/3690837 to your computer and use it in GitHub Desktop.
Simple chroot without the need of jail or other packages
# Add a group for sftp only
$ addgroup sftponly
# Add a new user
# Note: We are using public key authentication, so leave the password blank
$ adduser USERNAME
# Add the user to the sftp only group
$ adduser USERNAME sftponly
# [optional] Add the user to some other groups like www-data
$ adduser USERNAME GROUPNAME
# Add the user's public key so he can log in
$ mkdir /home/USERNAME/.ssh
$ vim /home/USERNAME/.ssh/authorized_keys
$ chmod 0700 /home/USERNAME/.ssh
$ chmod 0600 /home/USERNAME/.ssh/authorized_keys
$ chown -R USERNAME:USERNAME /home/USERNAME/.ssh
# In this example we're using the user's home folder as the chroot,
# so we need to change the owner and group of the user's home folder to root.
# sshd refuses the login unless the chroot directory and every parent directory
# are owned by root and not writable by group or others (the default 0755 is fine).
$ chown root:root /home/USERNAME
# Now we configure the sftp only group
$ vi /etc/ssh/sshd_config
# Change the Subsystem line to internal-sftp
Subsystem sftp internal-sftp
# At the end of the file add the following lines. They must be the last lines,
# because everything after a Match line belongs to that Match block.
Match Group sftponly
AllowTcpForwarding no
ForceCommand internal-sftp
# %h is a shortcut for the user's home folder
ChrootDirectory %h
# Restart the ssh service
$ service ssh restart
# As symlinks don't work in a chroot environment, a simple way to provide resources
# is to mount these folders into the chroot environment. To make sure they're still
# available after a system reboot, we add them to the fstab config
$ vi /etc/fstab
# Add the following line(s) depending on your needs
/PATH/TO/EXPOSED_FOLDER /home/USERNAME/EXPOSED_FOLDER none defaults,bind 0 0
# Note: To be able to mount, /home/USERNAME/EXPOSED_FOLDER needs to exist
$ mkdir /home/USERNAME/EXPOSED_FOLDER
# Mount all configured entries in the fstab config
$ mount -a