SFTP Jailed

How to configure a secured and jailed SFTP server

To configure your server to use a jailed (chrooted) user over SFTP, follow these steps:

  1. Edit the sshd_config file

We need to comment out the following line:

    Subsystem sftp /usr/libexec/openssh/sftp-server

and add the internal-sftp subsystem below it, so your modification looks like this:

    # Subsystem sftp /usr/libexec/openssh/sftp-server
    Subsystem sftp internal-sftp

Also, at the end of the file (everything after a Match line belongs to that block, so it must come last) we need to add the following lines:

    Match Group sftponly
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

After saving all the changes, we must restart the sshd daemon:

    service sshd restart

  2. Add the sftponly group

    groupadd sftponly

  3. Add the jailed user and add it to the sftponly group

    useradd -m USERNAME
    passwd USERNAME
    usermod -aG sftponly,apache USERNAME

  4. IMPORTANT: Create the directories and set the correct permissions

sshd refuses a chroot login unless the home directory (and every directory above it) is owned by root and not writable by group or others, which is why the home directory stays root-owned with mode 755 while the site directory inside it belongs to apache:

    chown root:root /home/USERNAME
    chmod 755 /home/USERNAME
    mkdir /home/USERNAME/TEST.DOMAIN.COM
    chown apache:apache /home/USERNAME/TEST.DOMAIN.COM
    chmod 775 /home/USERNAME/TEST.DOMAIN.COM
    mkdir /var/www/vhost/TEST.DOMAIN.COM
    chown apache:apache /var/www/vhost/TEST.DOMAIN.COM
    chmod 775 /var/www/vhost/TEST.DOMAIN.COM

If you have any connection problem, double-check the permissions on the folders and check the logs in /var/log/secure:

    tail -f /var/log/secure

  5. Mount the DocumentRoot path on the jailed user's home directory

    mount -o bind,noatime /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM

  6. Make the mount point permanent by editing the fstab file:

    vi /etc/fstab

Add the mount point at the end of the file:

    /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM none bind,noatime 0 0

Save and exit.

  7. Test the connection:

    sftp USERNAME@SERVERIP
Luis Cacho
Linux Administrator III

Linux Administrator at Rackspace | Contributor at Kubernetes