2010
03.07

Offering SFTP-only jailed user accounts is useful in many scenarios such as shared web hosts, storage space for friends, etc.

This tutorial is specific to CentOS 5.4 x86 64-bit. Other flavors will vary.

** Make sure you are root or using sudo

1. Upgrade to OpenSSH 5.x

## fetch the packages
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-clients-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-server-5.1p1-3.el5.hrb.x86_64.rpm

## upgrade OpenSSH
rpm -Uvh openssh-*

2. Comment out the following line in ‘/etc/ssh/sshd_config’

Subsystem     sftp     /usr/libexec/openssh/sftp-server

3. Append these lines to the end of ‘/etc/ssh/sshd_config’

Subsystem     sftp     internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

4. Add the ‘sftponly’ user group

groupadd sftponly

5. Modify the user’s group and shell

(I’ll use the completely random username: bree_olson)

usermod -g sftponly bree_olson
usermod -s /bin/false bree_olson

6. Set the proper filesystem permissions

(Bree’s home directory is /home/bree_olson and her website is in /home/bree_olson/public_html)

## the chroot directory itself must be owned by root and not writable by group or others,
## otherwise sshd refuses the login; the user keeps ownership of public_html so she can upload
chmod 755 /home/bree_olson
chown root:root /home/bree_olson
chown bree_olson:sftponly /home/bree_olson/public_html

7. Restart the SSHD daemon

/etc/init.d/sshd restart

And that is it! Just be sure to repeat steps 5 and 6 for all of the users that you wish to lock down.

4 comments so far

  1. [...] Originally posted here:  T3CH.com » Jailed SFTP Users With CentOS [...]

  2. This is not the first how-to I have seen on this technique, but might be the best one for use with a CentOS system. Thank you!

  3. Cool! Thanks for visiting William :)

  4. You are welcome, and I thank you in return for the effort you put into this tutorial.

    I am waiting for the OpenSSH team to add the code and config file options to manipulate the group ownership and/or file permissions for delivered files. That seems a recurring issue and none of the solutions I have seen are generally compatible with this technique.
    Some depend upon scripting, others upon interaction with PAM: we need an OpenSSH internal solution that will work everywhere.

    If such a solution becomes available, please consider adding mention of it to your tutorial.