Nitsan Reznik
asked on
Restrict Multiple SFTP Users to the same Home Directories Using chroot Jail.
Dear All,
We have created a chrooted jail environment for our SFTP access. Using the chrooted environment, we restrict users either to their home directory or to a specific directory. Now my question is: is there any way we can add an additional username to access the same home directory as another username? Or, in other words, is there any way I can assign different usernames to the same home directory and have it chroot-jailed?
Below is our current config if that helps:
groupadd sftponly
vi /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
systemctl restart sshd.service
useradd USERNAME -g sftponly -s /bin/false
passwd USERNAME
mkdir /home/USERNAME/SFTPWRITE
chown root /home/USERNAME
chmod 755 /home/USERNAME
chown USERNAME /home/USERNAME/SFTPWRITE
chmod 755 /home/USERNAME/SFTPWRITE
setsebool -P ssh_chroot_rw_homedirs on
Untried and untested, but if you set the SFTP user's home directory to group +rwx, adding all your other users to that group should give them the access they need. Then just specify that directory as the root jail for all users.
You may need to create a directory that all users can access (SELinux settings and filesystem rights).
And then, either symlink all user directories in the chroot to point there, or create a private /etc/passwd where all users have the same home directory.
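Added example, not code from the question or from either answer: a POSIX shell script that implements what the two answers describe, one shared jail for every member of a group, with the ownership rule sshd enforces on ChrootDirectory checked explicitly. It goes one step further than the answers by using a fixed ChrootDirectory instead of %h, which makes the symlink or private /etc/passwd step unnecessary because the users' home directories no longer decide the jail. The group name sftpshare, the path /srv/sftp/shared and the upload subdirectory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: one shared chroot for several SFTP users.
# Assumed names: group "sftpshare", jail "/srv/sftp/shared", writable subdir "upload".
set -eu

SFTP_GROUP=sftpshare
CHROOT_DIR=/srv/sftp/shared

# sshd_config Match block for the shared jail. A fixed path instead of %h
# chroots every group member into the same directory whatever /etc/passwd says,
# so neither per-user symlinks nor a private /etc/passwd are needed.
# "-u 0002" makes uploads group-writable so the other members can modify them.
sshd_match_block() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp -u 0002\n'
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
}

# sshd refuses the chroot unless the directory and every parent are owned by root
# and not writable by group or others. Returns 0 when the mode string from ls -ld
# (e.g. "drwxr-xr-x") has no write bit in the group or other positions.
mode_is_chroot_safe() {
    case "$(ls -ld "$1")" in
        d????-??-?*) return 0 ;;
    esac
    return 1
}

# Owner of a path as printed by ls -ld (third column).
dir_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Layout: root-owned, non-writable jail root (sshd's rule) plus a setgid,
# group-writable "upload" directory where the shared accounts actually write.
# The setgid bit makes new files inherit the group, so they stay shared.
setup_shared_dir() {
    mkdir -p "$1/upload"
    chown root:root "$1"
    chmod 755 "$1"
    chown root:"$2" "$1/upload"
    chmod 2775 "$1/upload"
    mode_is_chroot_safe "$1" || { echo "jail root $1 is group/world writable" >&2; return 1; }
    # SELinux (same boolean as in the question), only where setsebool exists.
    if command -v setsebool >/dev/null 2>&1; then setsebool -P ssh_chroot_rw_homedirs on; fi
}

# SFTP-only account: no login shell, no home directory created, and a home of
# /upload, which sshd resolves inside the jail so the session starts there.
add_shared_user() {
    useradd -M -d /upload -g "$2" -s /bin/false "$1"
}

# Run as root with "install" to apply; otherwise only the functions are defined.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = install ]; then
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    setup_shared_dir "$CHROOT_DIR" "$SFTP_GROUP"
    sshd_match_block "$SFTP_GROUP" "$CHROOT_DIR" >> /etc/ssh/sshd_config
    sshd -t && systemctl restart sshd.service
fi
```

Accounts are then added with `add_shared_user alice sftpshare`, and each one lands in /upload inside the same jail. The split between a root-owned, read-only jail root and a group-writable subdirectory is what reconciles the two requirements in the thread: sshd will not chroot into a directory the users can write to, yet the users need somewhere they can all write.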