Hi!

I'm running a LAMP server on a linode360 and all are going pretty well.

For now I have only 3 sites migrated, and all of them belongs to me. But I want to move some other sites of my customers pretty soon.

So I dont want that any user (using SFTP only, ftpd not installed) can access to any path rather than their entire home directory ( i.e. /home/user1 ).

I Googled this topic and I found a lot of info, but all is pretty old and not sure about what method can be more secure (i.e. when doing reconfigure for scponly it says that can be a root exploit hole!).

I found http://www.minstrel.org.uk/papers/sftp/builtin/ and I think that this will be a good and easy method. So I did the following:

I have added this to /etc/ssh/sshd_config

# Use the following line to *replace* any existing 'Subsystem' line
Subsystem       sftp    internal-sftp

# These lines must appear at the *end* of sshd_config
Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
   AllowTcpForwarding no

And after make these changes to existing user:

usermod -G sftponly user1

usermod -s /bin/false user1

The second part is working fine, now the user1 can only do SFTP, and cant access to SSH shell.

But the first part is not working as expected because the ChrootDirectory %h directive makes the user being disconnected from SFTP I tried with /home/%u but still the same.

If I deactived the ChrootDirectory %h line, then the user can connect again to SFTP, but cant access to other users home too

Please, can someone help me?

By the way, I'm using Debian 5.0 as deployed by Linode and openssh from Debian repository.

Ok... I followed this other article: http://www.debian-administration.org/article/OpenSSH_SFTP_chroot_with_ChrootDirectory

And now the user can connect to SFTP, but cant access to ANY directory, neither his /home/user directory...

I can only see the directory tree for / (but cant access to any directory in it).

And when trying to access to his website I get a "Forbidden. You don't have permission to access / on this server." access error

Please, any help would be very apprecited...

Have a look at this topic if an alternate method feels sufficient to you.
http://www.linode.com/forums/viewtopic.php?t=4408

Thank you very much for your reply melon.

I was aware about that topic, but is about using the scponly method that I dont want to use because of the risk that can be.

Finally I found the problem with the ssh_config method...

If I change

ChrootDirectory %h

to

ChrootDirectory /home

I get this working

But I cant change that directory to the user home (i.e. /home/user1), I dont know why

Can someone help PLEASE?

Did you do the following from http://www.minstrel.org.uk/papers/sftp/builtin/ ?


These threads give some explanation for this requirement.

I'm using ChrootDirectory successfully, but there are a couple quirks to getting it right:

1- The ChrootDirectory has to refer to the parent directory of the one you want to lock people into. If you want your user to only have access to /var/foo/bar, then you need to set
ChrootDirectory /var/foo

2- Permissions must be set correctly on all the parent folders. Bad ownership will cause the login to get denied. In the above example, /var/foo should be owned root:root.

If you find the login is failing, always check /var/log/auth.log. The reason, for example bad directory ownership, will usually be in there.