How to configure chrooted users with SFTP-only access.
Environment
- Red Hat Enterprise Linux
Issue
- Learn how to set up chrooted users with SFTP-only access, using SSH keys.
Resolution
Create a chroot sftp user.
# useradd testuser
Create an sftp group.
# groupadd sftpusers
Add the chroot user to the sftp group.
# usermod -aG sftpusers testuser
Make a root directory for the chroot users.
# mkdir /sftp
Create the user's chroot directory.
# mkdir /sftp/testuser
Configure the correct permissions and ownership for the chroot directory.
# chown testuser:testuser /sftp/testuser
# chmod 700 /sftp/testuser
Ensure that the user is able to access the directory:
# sudo -u testuser ls /sftp/testuser
If it fails, add the execute (search) permission for others to every directory on the path down to the user's chroot directory:
# chmod o+x /sftp/
Create a .ssh directory containing an authorized_keys file in the user's home directory.
# mkdir /home/testuser/.ssh
# touch /home/testuser/.ssh/authorized_keys
# chmod 700 /home/testuser/.ssh
# chmod 600 /home/testuser/.ssh/authorized_keys
Copy and paste the contents of the .ssh/id_rsa.pub file from the client into the authorized_keys file that you just created.
Configure the correct ownership of the .ssh directory and the authorized_keys file.
# chown testuser:testuser /home/testuser/.ssh
# chown testuser:testuser /home/testuser/.ssh/authorized_keys
Change the Subsystem line in the /etc/ssh/sshd_config file so that it uses the built-in SFTP server.
Subsystem sftp internal-sftp
Add a Match block at the end of the /etc/ssh/sshd_config file.
Match Group sftpusers
ChrootDirectory /sftp/
ForceCommand internal-sftp -d /%u
Restart the sshd service.
Red Hat Enterprise Linux 6
# service sshd restart
Red Hat Enterprise Linux 7 or newer
# systemctl restart sshd
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.