OpenSSH sftp chroot jail installation and configuration
This article shows how to install an SFTP server for secure data transfer.
Some time ago I read about a new version of OpenSSH which had built-in support for a chroot jail in the sftp subsystem. I had to build the OpenSSH server from source because no one had precompiled packages for it. For your information, we are using Debian (Etch). Read on to find out how to build such a server.
Install the needed dependencies
apt-get install libssl-dev zlib1g-dev libpam0g-dev
Download the current sources from openssh.com
Untar and configure the sources
tar -zxvf openssh-5.1p1.tar.gz
cd openssh-5.1p1
./configure --with-pam   # this is important for authentication!
make
make install
The make install command installs the binaries under /usr/local/sbin and the configuration files under /usr/local/etc. If you want to use other paths, you have to define them with the ./configure command.
You have to change/add the following configuration parameters
UsePAM yes
Subsystem sftp internal-sftp
Match group sftponly
    ChrootDirectory /home/%u
    AllowTcpForwarding no
    ForceCommand internal-sftp
Add a user to your system
Place the user in the group "sftponly".
Give the user /bin/false as the default login shell.
Change the owner of the home directory of the created user
chown root:root /home/youruser
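The chown in this step matters because sshd only chroots into a directory when it and every parent directory up to / are owned by root and not writable by group or others. The check below is an added example, not part of the original article; it assumes GNU stat (as on Debian), and the function name and its two optional parameters (expected owner uid, top directory) are this example's own so it can be tried on a scratch tree without root.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory against the ownership and mode
# rule sshd applies to the directory and each of its parent directories.
# Usage: check_chroot_path DIR [OWNER_UID] [TOP]
#   OWNER_UID defaults to 0 (root) and TOP to /, matching what sshd requires.
#   Both extra parameters are assumptions of this example, for testing only.
check_chroot_path() {
    dir=$1 owner=${2:-0} top=${3:-/} rc=0
    case $dir in
        /*) ;;
        *) echo "need an absolute path: $dir" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"; rc=1
        else
            # %u = numeric owner, %a = octal mode; -L follows symlinks
            info=$(stat -L -c '%u %a' "$dir") || return 2
            uid=${info% *} mode=${info#* }
            [ "$uid" = "$owner" ] ||
                { echo "FAIL $dir: owner uid $uid, expected $owner"; rc=1; }
            # 022 masks the write bits for group and other
            [ $(( 0$mode & 022 )) -eq 0 ] ||
                { echo "FAIL $dir: mode $mode is group/other writable"; rc=1; }
        fi
        # stop once the top of the audited range (or /) has been checked
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# On the server from this article, run as:
#   check_chroot_path /home/youruser
```

Because the chroot directory itself must stay root-owned and non-writable for the user, uploads need a subdirectory beneath it that the user owns.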
Start the new openssh daemon and have a lot of fun!
Don't forget to stop your "old" openssh-server.
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config