Jail an SFTP user chrooted to their home directory using a bind mount.

Today we will add a user with a home directory (/home/bob/) that has access to your website in your vhost directory (/var/www/vhosts/pants.com). The best part: they cannot SSH into the server and get a shell; they can only connect with SFTP clients.

NOTE: replace the placeholder words username and domain.com with the actual values.

Configure User

Create a group to assign a chroot to:
groupadd sftponly

Create the user (replace the word username with the actual username):
useradd -m -d /home/username -s /bin/false -G www-data,sftponly username

Set a password: passwd username

Set up the permissions on the new home directory, getting it ready for the bind mount.
chmod 755 /home/username
mkdir  /home/username/domain.com
chown username:www-data /home/username/domain.com
chmod 775 /home/username/domain.com

Configure SSH

Inside /etc/ssh/sshd_config, put a comment character # in front of the following line:
Subsystem sftp /usr/lib/openssh/sftp-server
So it will now be: #Subsystem sftp /usr/lib/openssh/sftp-server

Add the following directly after the commented line:
Subsystem sftp internal-sftp

Add the following set of lines to the very bottom of the file:

Match Group sftponly
     ChrootDirectory %h
     X11Forwarding no
     AllowTCPForwarding no
     ForceCommand internal-sftp

Restart the sshd (or ssh) service.

Set Up Bind Mount

Add the following line to /etc/fstab:
/var/www/vhosts/domain.com /home/username/domain.com  none    bind,rw    0 0

Mount the bind:
mount -a

Type mount to see that it is mounted, and check that the vhost content shows up in /home/username/domain.com/.

Log in as the user via SFTP to test that they cannot get out of the jail, and that they can read and write the folder domain.com.

jim has written 83 articles
