When configuring an SFTP server for public use in your organization, you will often require that users of the SFTP server can only access their own home directory and its sub-directories. All other directories should be inaccessible to them, so as to keep users separated from one another and maintain security. This is called a “chroot jail” in FTP terminology.
In this article we will learn how to set up such an environment.
Chroot SFTP is possible with OpenSSH (openssh-server-4.3p2-30.el5). If you are using an older OpenSSH version than this, upgrade to openssh-server-4.3p2-30.el5 or later.
Below is a sample chroot sftp configuration:
1. Create the chroot directory tree (-p also creates the /chroot parent):
[root@sftp~]# mkdir -p /chroot/home
2. Bind-mount /home into it, so that each user's home directory is visible at the same path inside the chroot:
[root@sftp~]# mount -o bind /home /chroot/home
3. Edit /etc/ssh/sshd_config so that the sftp subsystem uses the in-process server and the chroot directory is set:
[root@sftp~]# vim /etc/ssh/sshd_config
Subsystem sftp internal-sftp
ChrootDirectory /chroot
Please ensure that the ChrootDirectory path, “/chroot” in this example, and all of its parent directories are owned by root and are not writable by any other user or group. This setting applies to all users, however; there is no per-user configuration.
4. Restart the SSH service:
[root@sftp~]# service sshd restart