Chroot users in Fedora 9, no ssh, sftp, Jail
Let's say you have a developer who needs to work on one of the sites you are hosting on the web server in your basement, and you don't want them to have free rein over everything on the box. You also don't want the user to have SSH access. It sounds like a simple idea, and really it is, but when you are new to Linux/Fedora this can be a little tricky. I'm hoping this will help people who are trying to get this working on their web servers and want to jail users into a specific directory.
I did get some great information from:
http://www.minstrel.org.uk/papers/sftp/builtin/
This was almost enough to get me through the whole thing.
So here is what I did:
- Open /etc/ssh/sshd_config (emacs /etc/ssh/sshd_config), go to the end of the file and add:
    # override default of no subsystems
    #Subsystem sftp /usr/libexec/openssh/sftp-server
    Subsystem sftp internal-sftp

    # Example of overriding settings on a per-user basis
    Match Group sftponly
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
- Restart ssh: /etc/init.d/sshd restart
- Create your user: useradd -d /path/to/chroot/dir username
- Remove SSH Access: usermod -s /bin/false username
- Set the user's group to sftponly: usermod -g sftponly -G sftponly username
- KEY: Make sure the path to your chroot is owned by root: chown root:root /var/userdir
That means /var and /var/userdir need to be root:root. sshd refuses the chroot unless every directory in the path is owned by root and not writable by any other user or group.
MAJOR KEY: Make sure you also chmod 700 those directories!!
Hope this helps some people out.
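
To check the ownership and permission requirement from the last two steps before restarting sshd, here is an added example (not part of the original post). It assumes GNU stat as shipped on Fedora and a path without symlinks, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against sshd's ownership rule.
# Assumes GNU stat (as on Fedora) and no symlinks in the path.

# component_ok UID MODE: succeed if the directory is owned by root (uid 0)
# and has neither the group-write nor the other-write bit set.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: report every component from DIR up to /,
# return 0 only if all of them pass component_ok.
check_chroot_path() {
    dir=$1
    rc=0
    case $dir in
        /*) ;;
        *) echo "absolute path required" >&2; return 2 ;;
    esac
    while :; do
        if info=$(stat -c '%u %a' "$dir" 2>/dev/null); then
            uid=${info% *}
            mode=${info#* }
            if component_ok "$uid" "$mode"; then
                status=ok
            else
                status=BAD
                rc=1
            fi
        else
            status=MISSING uid=- mode=-
            rc=1
        fi
        printf '%-7s uid=%s mode=%s %s\n' "$status" "$uid" "$mode" "$dir"
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Usage (the path is the one used in the post):
#   check_chroot_path /var/userdir
```

Any line marked BAD or MISSING is a directory that would make sshd reject the chroot at login.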

March 6th, 2010 at 2:56 am
Thanks for this post, answers a bunch of questions I was having.
January 19th, 2011 at 2:27 pm
I am very thankful for this topic because it really gives useful information.