Short: SFTP chroot for user to web root
I sometimes need to grant developers/friends access to a web root and don’t want to let them “chill out” through other directories. Here is a sample of how to set up the SSHD server to allow SFTP connections and chroot them to the home directory: basically, lock the user via SFTP into the virtual home for the web server.
- create group sftp
groupadd sftp
- add the user: put him in group sftp, use /bin/false as the login shell, set the home directory that will become his “chrooted” root, give his username, and finally set a password, like
useradd -g sftp -s /bin/false -d /var/www/home/vhost/site.com username
passwd username
- Now it's time to configure the SSHD daemon. On RHEL / Fedora and most other distributions its configuration is located in the /etc/ssh directory. Edit the sshd_config file
vi /etc/ssh/sshd_config
and modify/add this at the end of the file:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
Match group sftp
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
- Last thing – restart sshd
/etc/init.d/sshd restart
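- One more thing: be careful with permissions on the home directory. sshd only accepts a ChrootDirectory that, together with every directory above it, is owned by root and not writable by group or others; otherwise the login is refused. The user can then write only into subdirectories he owns.
chown root:root /var/www/home/vhost/site.com
chmod 755 /var/www/home/vhost/site.com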
- now let's copy something to it via the WinSCP Windows client
download the WinSCP application, which is a Windows SCP/SFTP client, very powerful, just missing a plugin for TotalCommander, sniff
- Create a connection via New in WinSCP
- and hit login; you will be prompted to accept the SSH fingerprint and voila, we are in, with nowhere else to move
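Added example (not part of the original post): sshd only chroots into a directory whose every path component is owned by root and not writable by group or others, so the owner and mode of the path are the first thing to check when the login is refused. The script walks the path upward and reports each component that breaks this rule; the function names are assumptions of this example, and it resolves symlinks with pwd -P before checking.

```shell
#!/bin/sh
# Added example: audit a directory before using it as sshd's ChrootDirectory.
# Assumes GNU stat (coreutils), as shipped on RHEL / Fedora.

# component_ok UID MODE: succeed only if the owner is root (uid 0) and
# neither group nor others have write permission (octal mask 022).
component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: walk from DIR up to /, print every component that
# breaks the rule. Status: 0 = all fine, 1 = bad component, 2 = no such dir.
# The body runs in a subshell, so its variables do not leak to the caller.
check_chroot_path() (
    dir=$(cd -- "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; exit 2; }
    rc=0
    while :; do
        set -- $(stat -c '%u %a' "$dir")   # owner uid and octal mode
        if ! component_ok "$1" "$2"; then
            echo "FAIL $dir (uid=$1 mode=$2)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    exit "$rc"
)

# Run directly: sh check_chroot.sh /var/www/home/vhost/site.com
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: usable as ChrootDirectory"
fi
```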
Let me know if you find it useful.