The following sets up a chroot jail for SFTP-only file transfer for a specific user, using openssh-server on an Ubuntu-based OS.
Create a new user home folder
sudo mkdir /home/sftpuser
Create the user
sudo adduser --home /home/sftpuser/ sftpuser
Edit the openssh-server config
sudo vim /etc/ssh/sshd_config
Make sure you have the following line in it
Subsystem sftp internal-sftp
In my case I commented the default out with a pound sign:
Subsystem sftp internal-sftp #/usr/lib/openssh/sftp-server
Append the following to the end of the config (a Match block applies to every directive after it, so it has to come last):
Match User sftpuser
    ChrootDirectory /home/sftpuser
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Restart sshd service
sudo service sshd restart
Create a writable directory inside the jail
sudo mkdir /home/sftpuser/writable
Allow the user to own that writable folder. The jail root /home/sftpuser itself must stay owned by root and must not be writable by group or others, otherwise sshd refuses the login with a "bad ownership or modes for chroot directory" error.
sudo chown sftpuser:sftpuser /home/sftpuser/writable
You should have the following folders
adminuser is our admin-level account's home folder. You will probably have a different name for your admin/sudoers-level account; it is the first user we set up during OS installation and the one we are currently using to SSH in.
ls -al /home
total 16
drwxr-xr-x  4 root      root      4096 Oct 28 10:23 .
drwxr-xr-x 23 root      root      4096 Oct 28 10:22 ..
drwxr-xr-x  5 adminuser adminuser 4096 Oct 28 10:50 adminuser
drwxr-xr-x  4 root      root      4096 Oct 28 10:44 sftpuser

ls -al /home/sftpuser/
total 16
drwxr-xr-x 4 root     root     4096 Oct 28 10:44 .
drwxr-xr-x 4 root     root     4096 Oct 28 10:23 ..
drwx------ 2 sftpuser sftpuser 4096 Oct 28 10:34 .cache
drwxr-xr-x 2 sftpuser sftpuser 4096 Oct 28 10:51 writeable
Test that it is secure
- FileZilla: connect as sftpuser and try to escape the directory; cd .. from the top level should leave you at /, which is the jail root, with only .cache and writable visible.
- OpenSSH client: try getting a bash shell with ssh sftpuser@host; the login should be refused, since ForceCommand internal-sftp only serves SFTP.
Let me know what you think of this article on twitter @M3PGS or leave a comment below!