May was a big month for new releases from Linux Academy! Take a look at what our team built recently in our blog. You can access the newest releases from our blog.
Course Of The Month
3 days, 1 hour left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Hide Home Directories in CHROOT Jail
Posted on 2012-12-31
Hello,
I have a CHROOT jail for SFTP users that's working well but there's one thing that bugs me and I'd like to try to fix it if I could.
I have the following in my /etc/ssh/sshd_config file:
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
When I want to add an sftponly user I perform the following steps:
# useradd username
# passwd username
# usermod -g sftponly username
# mkdir /home/username
# chown username /home/username
# chmod 700 /home/username
This allows sftp only access to the user and they only have permissions to read and write in their own directory but, they can see a list of all of the other users directories in /home.
I would prefer it if when an sftponly user logs in via SFTP, only their home directory is visible or, something runs when they login via an SFTP client that automatically changes their directory and dumps them in their home folder.
I'm open to other ideas but the end result would be that the user doesn't see the other user's folders.
Thanks for any help! Happy New Year!
I have a CHROOT jail for SFTP users that's working well but there's one thing that bugs me and I'd like to try to fix it if I could.
I have the following in my /etc/ssh/sshd_config file:
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
When I want to add an sftponly user I perform the following steps:
# useradd username
# passwd username
# usermod -g sftponly username
# mkdir /home/username
# chown username /home/username
# chmod 700 /home/username
This allows sftp only access to the user and they only have permissions to read and write in their own directory but, they can see a list of all of the other users directories in /home.
I would prefer it if when an sftponly user logs in via SFTP, only their home directory is visible or, something runs when they login via an SFTP client that automatically changes their directory and dumps them in their home folder.
I'm open to other ideas but the end result would be that the user doesn't see the other user's folders.
Thanks for any help! Happy New Year!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
4 Comments
Active today
You could jail your users into their particular home directories instead of just /home.
This can be done in the "Match" block of sshd_config with
ChrootDirectory /home/%u
or
ChrootDirectory %h
which is equivalent in your case, because "%u" is a placeholder for the userid of the user logging in and "%h" is a placeholder for their complete home directory path.
This can be done in the "Match" block of sshd_config with
ChrootDirectory /home/%u
or
ChrootDirectory %h
which is equivalent in your case, because "%u" is a placeholder for the userid of the user logging in and "%h" is a placeholder for their complete home directory path.
Active today
Thanks for your response woolmilkporc.
I tried as you suggested and I end up with an authentication failure. I seem to remember this from when I was setting it up. Something about the root folder for the chroot jail must be owned by root.
In the past I wondered if the best solution was to somehow dump the user over to the /home/%u folder when they connected. This wouldn't necessarily stop them from traversing up a level to see the other user folders in /home but, it wouldn't smack them in the face with it either. Know what I mean?
I have no idea how I'd do that though if it's even possible (consider that nearly all uers will be connecting with an SFTP client like winscp).
Thanks again for your help. It is greatly appreciated.
I tried as you suggested and I end up with an authentication failure. I seem to remember this from when I was setting it up. Something about the root folder for the chroot jail must be owned by root.
In the past I wondered if the best solution was to somehow dump the user over to the /home/%u folder when they connected. This wouldn't necessarily stop them from traversing up a level to see the other user folders in /home but, it wouldn't smack them in the face with it either. Know what I mean?
I have no idea how I'd do that though if it's even possible (consider that nearly all uers will be connecting with an SFTP client like winscp).
Thanks again for your help. It is greatly appreciated.
Active today
OK,
I forgot to mention the details.
You're right, the chroot directory and all components of its path must be owned by root with write access by the owner (root) only.
But you can create a user-owned, user-writeable directory below ChrootDir, e..g /home/username/username.
Leave ChrootDir as /home/%u, but change the user's home directory to just "/username". sshd changes to this directory after chrooting (relative to the new root!), which means that the user will end up in /home/username/username.
Once logged in with sftp "pwd" will show
Remote working directory: /username
The user can well issue "cd .. ; ls" or "ls ..", but this will just show the contents of /home/username, not those of /home.
After "cd .." "pwd" will show:
Remote working directory: /
but this is in fact /home/username (the ChrootDir)
Please let me know if you need the detailed commands to implement this.
I forgot to mention the details.
You're right, the chroot directory and all components of its path must be owned by root with write access by the owner (root) only.
But you can create a user-owned, user-writeable directory below ChrootDir, e..g /home/username/username.
Leave ChrootDir as /home/%u, but change the user's home directory to just "/username". sshd changes to this directory after chrooting (relative to the new root!), which means that the user will end up in /home/username/username.
Once logged in with sftp "pwd" will show
Remote working directory: /username
The user can well issue "cd .. ; ls" or "ls ..", but this will just show the contents of /home/username, not those of /home.
After "cd .." "pwd" will show:
Remote working directory: /
but this is in fact /home/username (the ChrootDir)
Please let me know if you need the detailed commands to implement this.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
rdate is a Linux command and the network time protocol for immediate date and time setup from another machine. The clocks are synchronized by entering rdate with the -s switch (command without switch just checks the time but does not set anything).
…
In part one, we reviewed the prerequisites required for installing SQL Server vNext.
In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Learn how to find files with the shell using the find and locate commands.
Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works. This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
- Linux
- Windows OS
- Networking
- Paessler
- Network Management
- Network Analysis, Network Operations
Suggested Courses
Course of the Month3 days, 1 hour left to enroll
695 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.