For $DAYJOB I had to create user accounts for customers and give them SFTP access to files to/from secured areas of our server. We wanted to use chroot functionality to ensure that no customer could see other customers' data, and to prevent them from poking around potentially sensitive areas of the server. After a bit of trial-and-error, I've listed the lessons learned here in a cook-book fashion so that, in case I ever have to do it again, I have the steps documented.
Move the user's old home directory under the chrooted /home:

    mv -v "/home/$NEWUSER" "$CHROOT"/home/

and then rename the chroot back to the original /home/$NEWUSER directory:

    mv -v "$CHROOT" "/home/$NEWUSER"
While a bit confusing, I found that some users expected SFTP to drop them in / and to be able to do a relative cd home/$USER, while others expected to be dropped in their $HOME. Adding a fake home/$USER that points to the right place allows for both. This might be optional, but it helps me stave off customer script breakage.

It might also stave off issues with the next step, since the home directory in /etc/passwd can point to /home/$NEWUSER/home/$NEWUSER and, regardless of whether it is resolved inside the chroot or not, still point to the right place.
We've messed with their home directory, so update /etc/passwd to reflect where things should now find it.
Now the user is configured properly, so let sshd know how to treat members of the customers group. Edit your /etc/ssh/sshd_config to include this block at the end:

    Match Group customers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    PermitTunnel no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

I don't know whether ForceCommand kills off the ability to do PermitTunnel, AllowTcpForwarding, AllowAgentForwarding, or X11Forwarding, but I prefer to be explicit in my "just in case, no, you can't do that either".
Send a SIGHUP to sshd to pick up the new configuration:

    kill -HUP $PIDOFSSHD

or use your system's reload-configuration utility, like rcctl on OpenBSD:

    rcctl reload sshd
And with that, you should have chrooted SFTP access for $NEWUSER:

    sftp user@hostname

(if not, check the tail of your /var/log/authlog for hints). However, if you try to ssh, scp, or rsync, it should reject your efforts at the point you've entered your credentials.
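One check worth running before the reload, as an added example that is not the author's script: sshd refuses a ChrootDirectory unless it and every directory above it are owned by root and are not group- or world-writable (the "bad ownership or modes for chroot directory" line you would find in authlog), and this POSIX sh script walks /home/$NEWUSER and reports the first offending component. NEWUSER is the post's own variable; the script and its function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not the author's script): verify that a chroot path meets
# sshd's ChrootDirectory requirements before reloading sshd.

# Check one directory: owner must be root, and neither the group nor the
# world write bit may be set.
check_one_dir() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 1; }
    set -- "$1" $(ls -ld "$1")   # $1=path  $2=mode string  $4=owner
    case $4 in
        root) ;;
        *) echo "$1: owned by $4, must be root" >&2; return 1 ;;
    esac
    # Mode string looks like drwxr-xr-x: char 6 is group write, char 9 other write.
    case $2 in
        ?????w*|????????w*) echo "$1: group/other writable ($2)" >&2; return 1 ;;
    esac
    return 0
}

# Walk from / down to the chroot directory, stopping at the first bad component.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "$1: ChrootDirectory must be an absolute path" >&2; return 1 ;;
    esac
    check_one_dir / || return 1
    _dir=
    _rest=${1#/}
    while [ -n "$_rest" ]; do
        _comp=${_rest%%/*}
        _rest=${_rest#"$_comp"}; _rest=${_rest#/}
        [ -n "$_comp" ] || continue      # skip empty parts from doubled slashes
        _dir="$_dir/$_comp"
        check_one_dir "$_dir" || return 1
    done
    echo "$1: ok for ChrootDirectory"
    return 0
}

# Driver: check the customer's chroot when NEWUSER is set, e.g.
#   NEWUSER=alice sh check_chroot.sh
if [ -n "${NEWUSER:-}" ]; then
    check_chroot_path "/home/$NEWUSER"
fi
```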
For additional customers, you can repeat steps 2 through 9. I've created a shell script to do those steps, as well as a bit of other administrivia for $DAYJOB, but that should give you the basics.