Chroot Users With sftp

General Information

This walkthrough shows how to confine (chroot) users to their home directory, for those users you don't want browsing all over your FreeBSD machine. I would suggest doing this at the console, or possibly running a script that kills all the running sshds and then starts the sshd2 daemon.

Requirements

  1. Console root access

Installation

Install ssh2 from the ports collection:

# cd /usr/ports/security/ssh2
# make install clean

Configuration

In /usr/local/etc/ssh2/sshd2_config, set the ChRootGroups and ChRootUsers directives to the group(s) and/or user(s) that are to have chrooted access.

Turn off the default ssh (OpenSSH) by setting the following in /etc/rc.conf:

sshd_enable="NO"

Turn on ssh2 by setting the following in /etc/rc.conf:

sshd2_enable="YES"

Now kill sshd and make sure there aren't any more sshd processes running:

# killall sshd
# ps -auxw | grep sshd

Start the new ssh:

# /usr/local/etc/rc.d/sshd.sh start

When you create the user's account, make sure the shell is set to /bin/nologin or something similar.

With this setup, they can sftp in and are chrooted to their home directory, and they can't get a shell when they connect via ssh.
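As an added example (not from the original walkthrough), here is a small POSIX sh audit of the three things this setup depends on for a given user: the user is covered by ChRootUsers or ChRootGroups in sshd2_config, the shell in the passwd file is a nologin shell, and rc.conf has sshd_enable="NO" and sshd2_enable="YES". It runs against constructed sample files and assumes ChRootUsers/ChRootGroups take comma-separated lists.

```shell
#!/bin/sh
# Added audit helper, not part of the original walkthrough. Verifies that USER
# is chrooted by sshd2 (in ChRootUsers, or a member of a group in ChRootGroups),
# has a nologin shell, and that rc.conf disables OpenSSH and enables ssh2.
# Assumes ChRootUsers/ChRootGroups values are comma-separated lists.

# listed FILE DIRECTIVE NAME: exit 0 if NAME appears in DIRECTIVE's list
listed() {
    awk -v d="$2" -v n="$3" '$1 == d { split($2, a, ","); for (i in a) if (a[i] == n) f = 1 }
                             END { exit f ? 0 : 1 }' "$1"
}

# check_sftp_chroot USER SSHD2_CONFIG RC_CONF PASSWD GROUP: exit 0 if all checks pass
check_sftp_chroot() {
    user=$1 cfg=$2 rc=$3 pw=$4 gr=$5 bad=0 chrooted=0
    listed "$cfg" ChRootUsers "$user" && chrooted=1
    # every group in GROUP whose member list names USER
    for g in $(awk -F: -v u="$user" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$gr"); do
        listed "$cfg" ChRootGroups "$g" && chrooted=1
    done
    [ "$chrooted" -eq 1 ] || { echo "FAIL: $user is in neither ChRootUsers nor a ChRootGroups group"; bad=1; }
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$pw")
    case "$shell" in
        */nologin) ;;
        *) echo "FAIL: $user shell is '$shell', not a nologin shell"; bad=1 ;;
    esac
    grep -q '^sshd_enable="NO"' "$rc"   || { echo "FAIL: sshd_enable must be NO in $rc"; bad=1; }
    grep -q '^sshd2_enable="YES"' "$rc" || { echo "FAIL: sshd2_enable must be YES in $rc"; bad=1; }
    [ "$bad" -eq 0 ] && echo "ok: $user is sftp-only and chrooted"
    return $bad
}

# Constructed sample files standing in for the live ones.
tmp=$(mktemp -d)
printf 'ChRootUsers  alice,bob\nChRootGroups sftponly\n' > "$tmp/sshd2_config"
printf 'sshd_enable="NO"\nsshd2_enable="YES"\n' > "$tmp/rc.conf"
printf 'alice:*:1001:1001::/home/alice:/bin/nologin\n' > "$tmp/passwd"
printf 'carol:*:1002:1002::/home/carol:/bin/nologin\n' >> "$tmp/passwd"
printf 'dave:*:1003:1003::/home/dave:/bin/sh\n' >> "$tmp/passwd"
printf 'sftponly:*:2000:carol\n' > "$tmp/group"

for u in alice carol dave; do   # alice: direct; carol: via group; dave: fails both checks
    check_sftp_chroot "$u" "$tmp/sshd2_config" "$tmp/rc.conf" "$tmp/passwd" "$tmp/group" || echo "$u: NOT ready"
done
```

Point the five arguments at the real sshd2_config, rc.conf, passwd and group files to audit an existing account.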

In my opinion, OpenSSH should have this feature. We are told not to use ftp because of clear-text passwords, so we have to use ssh/sftp, but when we do that we can no longer chroot people to their home dirs! And if we're not careful, we end up giving them a login shell. Using ssh2 from the ports gets around this limitation, but just check the licence before you install to make sure that you qualify (otherwise it's not free).

Special thanks to:

  1. Gavin (Sh4d03)
  2. Wincent
