ttist25
asked on
Hide Home Directories in CHROOT Jail
Hello,
I have a CHROOT jail for SFTP users that's working well but there's one thing that bugs me and I'd like to try to fix it if I could.
I have the following in my /etc/ssh/sshd_config file:
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
When I want to add an sftponly user I perform the following steps:
# useradd username
# passwd username
# usermod -g sftponly username
# mkdir /home/username
# chown username /home/username
# chmod 700 /home/username
This allows sftp only access to the user and they only have permissions to read and write in their own directory but, they can see a list of all of the other users directories in /home.
I would prefer it if when an sftponly user logs in via SFTP, only their home directory is visible or, something runs when they login via an SFTP client that automatically changes their directory and dumps them in their home folder.
I'm open to other ideas but the end result would be that the user doesn't see the other user's folders.
Thanks for any help! Happy New Year!
I have a CHROOT jail for SFTP users that's working well but there's one thing that bugs me and I'd like to try to fix it if I could.
I have the following in my /etc/ssh/sshd_config file:
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
When I want to add an sftponly user I perform the following steps:
# useradd username
# passwd username
# usermod -g sftponly username
# mkdir /home/username
# chown username /home/username
# chmod 700 /home/username
This allows sftp only access to the user and they only have permissions to read and write in their own directory but, they can see a list of all of the other users directories in /home.
I would prefer it if when an sftponly user logs in via SFTP, only their home directory is visible or, something runs when they login via an SFTP client that automatically changes their directory and dumps them in their home folder.
I'm open to other ideas but the end result would be that the user doesn't see the other user's folders.
Thanks for any help! Happy New Year!
ASKER
Thanks for your response woolmilkporc.
I tried as you suggested and I end up with an authentication failure. I seem to remember this from when I was setting it up. Something about the root folder for the chroot jail must be owned by root.
In the past I wondered if the best solution was to somehow dump the user over to the /home/%u folder when they connected. This wouldn't necessarily stop them from traversing up a level to see the other user folders in /home but, it wouldn't smack them in the face with it either. Know what I mean?
I have no idea how I'd do that though if it's even possible (consider that nearly all uers will be connecting with an SFTP client like winscp).
Thanks again for your help. It is greatly appreciated.
I tried as you suggested and I end up with an authentication failure. I seem to remember this from when I was setting it up. Something about the root folder for the chroot jail must be owned by root.
In the past I wondered if the best solution was to somehow dump the user over to the /home/%u folder when they connected. This wouldn't necessarily stop them from traversing up a level to see the other user folders in /home but, it wouldn't smack them in the face with it either. Know what I mean?
I have no idea how I'd do that though if it's even possible (consider that nearly all uers will be connecting with an SFTP client like winscp).
Thanks again for your help. It is greatly appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Brilliant!
I've been trying to do that for a while now. Thanks so much.
HAPPY NEW YEAR!
I've been trying to do that for a while now. Thanks so much.
HAPPY NEW YEAR!
This can be done in the "Match" block of sshd_config with
ChrootDirectory /home/%u
or
ChrootDirectory %h
which is equivalent in your case, because "%u" is a placeholder for the userid of the user logging in and "%h" is a placeholder for their complete home directory path.