Monday, 27 February 2012

Limiting Access with SFTP Jails on Ubuntu

This post is based on this article and its comments.

In /etc/ssh/sshd_config, change the Subsystem line to this:
Subsystem sftp internal-sftp
Add these to the end of the file:
Match group filetransfer
  ChrootDirectory %h
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
Finally restart the OpenSSH server:
service ssh restart
Create the group for sftp access:
addgroup filetransfer
If you add this group to existing users, they will no longer be able to log in via a remote shell, though the account remains reachable through su. Note the -a flag: without it usermod replaces the user's other supplementary groups instead of adding to them.
usermod -a -G filetransfer username
chown root:root /home/username
chmod 755 /home/username
Now users cannot create anything in the jail directory itself, since sshd only applies ChrootDirectory when that directory is owned by root and not writable by group or others; what they may write to below it can be tuned with the chown and chmod commands above. Though I personally use this technique to jail those users who manage their own websites' content through sftp. I add those web directories through mount's bind option, as normal symlinks won't work. You can either add bindings via /etc/fstab like this:
/existing/dir /dir/pointing/to/existing/one auto bind 0 0
or via the command line:
mount -o bind /existing/dir /dir/pointing/to/existing/one