OpenSSH 4.9 was the first version of the famous daemon that came with a built-in chroot functionality (changelog). Chrooting the sshd and restricting the shell access to a few commands can be a great solution to grant a few users secure access to exchange files. We will use the rssh shell to only allow sftp access for one user, locked to his chrooted home directory. Since it is dangerous to give a user write access to the root of a chroot, you have to create the user's home directory inside the chroot. In this example /home/ftp will be the chroot and /home/ftp/secftp is the home directory of the user, the place where he finds himself when connecting to the machine.
Install the rssh shell with
$ aptitude install rssh
and adjust the config file for the user secftp to allow sftp access.
$ vim /etc/rssh.conf
user=secftp:027:00010 # user:umask:access bits (rsync,rdist,cvs,sftp,scp); 00010 = sftp only
Then add the new user secftp (with /secftp as home directory, i.e. the path as seen from inside the chroot, which is /home/ftp/secftp on the host, and /usr/bin/rssh as shell) to your system and set a password.
$ useradd -d /secftp -s /usr/bin/rssh -g users secftp
$ passwd secftp
Create the directory and adjust the ownership so secftp can read/write and other group members can read the uploaded files.
$ mkdir -p /home/ftp/secftp
$ chown secftp:users /home/ftp/secftp
Edit your sshd configuration and add the user-specific options for your chroot. Don't forget to add secftp to your AllowUsers (which you should have configured :)).
$ vim /etc/ssh/sshd_config
AllowUsers secftp
Subsystem sftp internal-sftp
Match User secftp
ChrootDirectory /home/ftp
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Restart the sshd daemon and you should be done.
Sources:
http://www.gossamer-threads.com/lists/openssh/dev/44657
http://hp.kairaven.de/scpsftp/ssh-rssh-sftp.html
http://www.debian-administration.org/articles/590