If you want an easy way to set up jailed SFTP users on CentOS 5.x, this is hands down the fastest way to get there. What is a “jailed SFTP user” you ask? Well let’s say you want to give a client access to their hosted files on your VPS hosting account. By default, if you give a user SFTP access they can browse the entire file system when they connect – not just their own site content. Not good. You need to be able to limit (“jail”) them to a certain directory so they only see their own files.
There are a lot of guides out there that set out to achieve this – most of them also include allowing SSH access (which in most cases you don’t need), and they’re fairly complicated. I spent a lot of time trying to find a solution that just worked and didn’t involve me trying to compile things from source, change a huge number of configuration files, etc.
Eventually I found this guide which is very straightforward. I’m going to republish it here because a) the original site is down sometimes, and b) I wanted to clarify a couple points.
The most important step is the first one: upgrading OpenSSH to version 5.x. Version 4.x of OpenSSH, which is included in CentOS, is missing the functions needed to “chroot” the users (i.e. set their root directory when they log in) so that they can only see files under their virtual root directory. Once upgraded, it’s just a few lines of config changes and some basic user setup and you’re good to go. Feel free to ask in the comments for help if you get stuck.
** Make sure you are root or using sudo for this to work
1. Upgrade to OpenSSH 5.x
## fetch the packages - 64-bit system
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-clients-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-server-5.1p1-3.el5.hrb.x86_64.rpm
– or –
## fetch the packages - 32-bit system
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-clients-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-server-5.1p1-3.el5.hrb.i386.rpm

## upgrade OpenSSH
rpm -Uvh openssh-*
2. Comment out the following line in ‘/etc/ssh/sshd_config’
Subsystem sftp /usr/libexec/openssh/sftp-server
3. Append these lines to the end of ‘/etc/ssh/sshd_config’
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
4. Add the ‘sftponly’ user group
5. Modify the user’s group and shell
usermod -g sftponly jsmith
usermod -s /bin/false jsmith
6. Set the proper filesystem permissions
(John Smith’s home directory is /home/jsmith and his website is in /home/jsmith/public_html)
chmod 755 /home/jsmith/
chmod 755 /home/jsmith
chown root:root /home/jsmith
chown jsmith:sftponly /home/jsmith/public_html
7. Restart the SSHD daemon
Pretty easy, eh? And remember, you can tweak the config in step 3 to support additional scenarios.