SFTP Jailed

How to configure a FTP Secured and Jailed

To configure your server to use a jailed user on SFTP you should do:

  1. Edit the sshd_config file

We need to comment the following line:

Subsystem sftp /usr/libexec/openssh/sftp-server

And add the uncomment line, your modification will be same as:

# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Also, at the end of the file we should to add the next lines:

Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

After save all the changes, we must restart the sshd daemon

service sshd restart
  1. Add sftponly group
groupadd sftponly
  1. Add jailed user and add to sftponly group
useradd -m USERNAME
usermod -aG sftponly,apache USERNAME
  1. IMPORTANT: Create directory and establish correct permissions
chown root:root /home/USERNAME
chmod 755 /home/USERNAME
chown apache:apache /home/USERNAME/TEST.DOMAIN.COM
mkdir /var/www/vhost/TEST.DOMAIN.COM
chown apache:apache /var/www/vhost/TEST.DOMAIN.COM
chmod 775 /var/www/vhost/TEST.DOMAIN.COM

If you have any connection problem please double check the permissions on the folders and check the logs on /var/log/secure

tail -f /var/log/secure
  1. Mount DocumentRoot path on jailed user home directory
mount -o bind,noatime /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM
  1. Make the mount point permanent, editing the fstab file:
vi /etc/fstab</pre>

Add the mount point at the end of the file:

/var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM none bind,noatime 0 0

Save and exit

  1. Test connection:
Luis Cacho
Luis Cacho
Security Systems Administrator III

Security Systems Administrator at Rackspace | Kubernetes Enthusiast | Ansible Ninja