To secure your filesystem when your clients need access to their virtual or home directories, I would suggest using the chroot support built into sshd (the ChrootDirectory option).

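Add the following at the bottom of /etc/ssh/sshd_config. It belongs at the bottom because a Match block applies to every line after it, up to the next Match line or the end of the file. Anyone in the chroot group will land in their home folder.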


# vi /etc/ssh/sshd_config

Now add the following to the sshd_config file:


Match Group chroot
    # %h expands to the user's home directory; the path must be absolute
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Now restart sshd:


# /etc/rc.d/sshd restart

Now add a new group called chroot:


# pw addgroup chroot

Add a new user with the following attributes:

Make sure the new user is in group chroot.
Make sure the shell is set to nologin (this will allow them to scp in but NOT ssh in).
Make sure their home directory is set to any directory.

When you're done, set the permissions on the home folder and then on the files within that folder. Run these from the directory that contains the user's home folder:


# chown -R root:chroot username
# cd username
# chown -R username:chroot *

When your user logs in, sshd will chroot them to their directory :-)
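sshd refuses a chrooted login unless every component of the ChrootDirectory path is a root-owned directory that is not writable by any other user or group. The script below is an added example, not part of the original write-up, that checks a home folder and all of its parents against that rule before you test a login; the function names and the optional owner argument (for trying it as a non-root user) are this example's own.

```sh
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory path.
# sshd_config(5) requires every component of the path to be a root-owned
# directory that is not writable by any other user or group.
# Function names and the optional OWNER argument are this example's own.

# check_component DIR [OWNER]: test one directory; OWNER defaults to root.
check_component() {
    comp=$1
    want=${2:-root}
    if [ ! -d "$comp" ]; then
        echo "FAIL: $comp is not a directory"; return 1
    fi
    # find -H follows a symlink given on the command line, as stat(2) would.
    if [ -z "$(find -H "$comp" -prune -user "$want")" ]; then
        echo "FAIL: $comp is not owned by $want"; return 1
    fi
    if [ -n "$(find -H "$comp" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $comp is writable by group or others"; return 1
    fi
    return 0
}

# check_chroot_path DIR [OWNER]: test DIR and every parent up to /.
check_chroot_path() {
    path=$1
    want=${2:-root}
    case $path in
        /*) ;;
        *) echo "FAIL: $path is not an absolute path"; return 1 ;;
    esac
    rc=0
    while :; do
        check_component "$path" "$want" || rc=1
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage (as root): sh check_chroot.sh /home/username
if [ $# -gt 0 ]; then
    check_chroot_path "$@" && echo "OK: $1 is usable as a ChrootDirectory"
fi
```

Because the chroot directory itself has to stay root-owned and non-writable, the user can only write to files and subdirectories inside it that they own.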