
Thread: sftp chroot

  1. #1
    Join Date
    Sep 2009
    Location
    Alverca do Ribatejo, Portugal
    Posts
    53

    sftp chroot

    Hello all!

    I have the following chroot config for ssh/sftp:
    Code:
    Match Group sftpchroot
            ChrootDirectory /home
            ForceCommand internal-sftp
            AllowTcpForwarding no
    Whenever I make an sftp login with a user that belongs to the sftpchroot group the folder shown is /home instead of /home/$USER as expected.

    How can I change this...

    Best regards,
    Jorge

  2. #2

    Re: sftp chroot

    Originally posted by jorgeraimundo:
    > Hello all!
    >
    > I have the following chroot config for ssh/sftp:
    > Code:
    > Match Group sftpchroot
    >         ChrootDirectory /home
    >         ForceCommand internal-sftp
    >         AllowTcpForwarding no

    Try replacing "/home" with "%h".

  3. #3
    Camalen NNTP User

    Re: sftp chroot

    jorgeraimundo wrote:

    > I have the following chroot config for ssh/sftp:
    >
    > Code:
    > --------------------
    > Match Group sftpchroot
    > ChrootDirectory /home
    > ForceCommand internal-sftp
    > AllowTcpForwarding no
    > --------------------
    >
    >
    > Whenever I make an sftp login with a user that belongs to the
    > sftpchroot group the folder shown is /home instead of /home/$USER as
    > expected.
    >
    > How can I change this...


    Test it with:

    ***
    ChrootDirectory /home/%u
    ***

    Greetings,

    --
    Camalen

  4. #4

    Re: sftp chroot

    Hi!

    Thank you both for replying!

    I've tried with ChrootDirectory /home/%u or ChrootDirectory %h which is the same, but that poses a problem.

    If I chroot directly to the user's home I'll have to chown /home/$USER to root:root, otherwise the chroot won't be successful.
    But if I do that, then the user will not be able to do anything in /home/$USER. And unless it has already some folders inside that belong to him, he won't be able to do a single thing.

    Therefore I set ChrootDirectory /home and the user umask to 077 so that no one can peek on the other's home.

    Like this the user is able to fully use its home, it's still able to go up one level and see which folders exist (not elegant) but its freedom ends there.

    Everything would be almost perfect if it went directly to /home/$USER instead of /home.

    Thank you for your time.

    Best regards,
    Jorge

  5. #5
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    20,925
    Blog Entries
    14

    Re: sftp chroot

    I've read this and I still don't understand what you're trying to achieve. My ftp users all chroot to a /blabla/ftp/%u, which makes them have their own little dropbox on my server. They cannot look into each other's folders. Nor explore the system.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  6. #6

    Re: sftp chroot

    > My ftp users all chroot to a /blabla/ftp/%u

    My ftp users too. I have no problem chrooting ftp to /home/%u.
    It's with SFTP that I'm having a bit of trouble.
    If I tell sftp to chroot to /home/%u, I'll have to chown root:root all the /home/%u folders. And that's not nice for the users because it limits their actions on their own homes.

    Hope I made myself clear.

    Best regards,
    Jorge
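
The ownership problem described in posts #4 and #6 comes from a check sshd makes at session start: every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others (sshd_config(5)). The following Python check is an added example, not code from the thread; it applies that rule to a constructed directory tree in which the user `alice`, uid 1000 and the `/srv/sftp` layout are assumptions.

```python
import os
import stat
from collections import namedtuple

def chroot_path_problems(path, stat_fn=os.stat):
    """List (component, reason) pairs that break sshd's ChrootDirectory rule."""
    path = os.path.normpath(path)
    if not os.path.isabs(path):
        return [(path, "not an absolute path")]
    # Expand "/home/alice" into "/", "/home", "/home/alice": every level counts.
    components = ["/"]
    for part in (p for p in path.split("/") if p):
        components.append(os.path.join(components[-1], part))
    problems = []
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owner uid %d is not root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "writable by group or others"))
    return problems

# Constructed sample tree (uid 1000 = hypothetical user "alice"); not real data.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
ROOT_DIR = FakeStat(stat.S_IFDIR | 0o755, 0)
SAMPLE = {
    "/": ROOT_DIR, "/home": ROOT_DIR,
    "/home/alice": FakeStat(stat.S_IFDIR | 0o700, 1000),        # user-owned home
    "/srv": ROOT_DIR, "/srv/sftp": ROOT_DIR,
    "/srv/sftp/alice": ROOT_DIR,                                 # root-owned jail
    "/srv/sftp/alice/files": FakeStat(stat.S_IFDIR | 0o700, 1000),  # writable area
}

def sample_stat(path):
    """stat() stand-in backed by SAMPLE so the example runs without root."""
    if path not in SAMPLE:
        raise FileNotFoundError(2, "No such file or directory", path)
    return SAMPLE[path]

if __name__ == "__main__":
    for candidate in ("/home", "/home/alice", "/srv/sftp/alice"):
        print(candidate, chroot_path_problems(candidate, sample_stat) or "ok")
```

To audit a live system, call `chroot_path_problems(path)` with the default `os.stat`. Separately, sftp-server(8) in newer OpenSSH releases documents a `-d start_directory` option (tokens `%d` and `%u`) for choosing where a session starts inside the chroot.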
