• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • VCS
  • Interview Questions
  • Database
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

CentOS / RHEL : How to set up chroot jail SFTP

by admin

chrooting sftp is a feature provided by the OpenSSH package in Linux. You can set up a chroot environment to avoid unwanted alterations of the system including uploads in unwanted locations when users are making use of sftp. When you chroot sftp for a specific user or all the users, the users can only access their home directories and subdirectories under it.

Method 1 (by openssh natively)

Starting from openssh-5.x version, sftp could chroot to specific directory. The following steps could implement the native openssh chroot for sftp.

1. Create the jail directory.

# mkdir /chroot/home

2. Mount it to /home as follows:

# mount -o bind /home /chroot/home

3. Edit /etc/ssh/sshd_config as follows:

# vi /etc/ssh/sshd_config
ChrootDirectory /chroot
Subsystem sftp internal-sftp

4. restart the sshd service:

# service sshd restart
Note: Please ensure the jail directory should be root owned and could not writable by any other user or group.

Method 2 (by using pam_chroot)

1. Add chroot into /etc/pam.d/sshd file:

# vi /etc/pam.d/sshd
session required pam_chroot.so

2. Modify /etc/security/chroot.conf to include the chroot directory.

# vi /etc/security/chroot.conf
user /chroot_dir

3. Modify /etc/ssh/ssh_config

# vi /etc/ssh/ssh_config
Subsystem sftp /usr/libexec/openssh/sftp-server

4. Restart sshd to apply new configuration:

# service sshd restart

Filed Under: Linux

Some more articles you might also be interested in …

  1. chrt Command Examples in Linux
  2. Linux OS Service ‘portreserve’
  3. Understanding rsyslog Actions
  4. acme.sh – Shell script implementing ACME client protocol, an alternative to certbot (Command Examples)
  5. doctl apps: Used to manage digitalocean apps
  6. arp-scan: Send ARP packets to hosts (specified as IP addresses or hostnames) to scan the local network
  7. xclip: command not found
  8. lvdisplay error: “Failed to create directory /var/lock/lvm. File-based locking initilisation failed.”
  9. How to disable “sudo su” for users in sudoers configuration file
  10. ffmpeg: Video conversion tool

You May Also Like

Primary Sidebar

Recent Posts

  • gml2gv Command Examples
  • glow Command Examples
  • glib-compile-resources Command Examples
  • glances Command Examples

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright