How to set up SFTP with ChrootDirectory on Linux.

If you want the default directory that users start in to be writable then you must create their home directory under the chroot. Else you can get errors type of:

Nov ** 12:35:00 sftp-server sshd[10267]: Accepted password for user
from localhost port 39150 ssh2
Nov ** 12:35:00 sftp-server sshd[10269]: fatal: bad ownership or modes
for chroot directory "/home/user01" 

After sshd has chrooted to the ChrootDirectory, it will chdir to the home directory as normal. So, for a passwd line like:

user@localhost:~$ cat /etc/passwd | egrep user0 
user01:x:1001:1001:,,,:/home/user01:/bin/bash
user02:x:1002:1002:,,,:/home/user02:/bin/bash
user@localhost:~$

insert in /etc/ssh/sshd_config:

Match User user01
    ChrootDirectory /incoming
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Match User user02
    ChrootDirectory /incoming
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Create directories:

root@localhost :/$ mkdir -p /incoming/home/user01
root@localhost :/$ mkdir -p /incoming/home/user02
root@localhost :/$ chown user01.user01 /incoming/home/user01
root@localhost :/$ chown user02.user02 /incoming/home/user02
root@localhost :/$ chmod 750 /incoming/home/user01
root@localhost :/$ chmod 750 /incoming/home/user01

Last directory is user-owned, everything else must be root-owned.

A variant of this that yields less deep directory trees would be to set
the passwd file up as:

user01:x:1001:1001:,,,:/user01:/bin/bash     /home/user01 <-> /user01
user02:x:1002:1002:,,,:/user02:/bin/bash

Also look to http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Scroll to top