Openssh Sftp Chroot

admin



Using OpenSSH you can bind SSH, SFTP, SCP users to their home directory and restrict them to access other directories on the SSH server. In this article we will configure SCP on chroot ssh jail in the secure chroot ssh environment.


Topic

  • How to configure chroot scp on CentOS 7?
  • How to configure chroot scp on RHEL 7?
  • Chroot scp configuration on Linux
  • Chroot scp server
  • scp chroot jail
  • scp over chroot ssh

Solution

Openssh sftp chroot windows

To chroot an SFTP directory, you must Create a user and force root to be owner of it sudo mkdir /home/john useradd -d /home/john -M -N -g users john sudo chown root:root /home/john sudo.

Setting up a secure or chroot ssh and scp environment requires a sandox environment which has its own libraries and binaries. In this article, we’ll bind all ssh and scp users who are part of chrootssh group into /data/chroot-ssh directory. This article has been tested on CentOS 7 and RHEL 7. You can refer to the steps given in this article to configure chroot ssh and scp on other Linux distributions.

  1. In order to setup SCP on chroot ssh jail, the prerequisite is to setup chroot SSH environment – click here.
  1. After chroot ssh environment setup is completed, execute following set of commands to get scp command working in chroot ssh sandbox environment.
  1. Remove all contents from /data/chroot-ssh/lib64 directory.
  1. Mount /lib64 directory at /data/chroot-ssh/lib64 directory with mount bind option.
  1. Copy scp binary to /data/chroot-ssh/bin/ directory.
  1. The sftp component from OpenSSH provides a chroot-feature for hardening. It is stated in documentation, that the chroot root directory must not be writable. This page documents some analysis results following discussion on openssh-dev mailing list. Some people were questioning the read-only restriction.
  2. Configure SSH Chroot Jail. Save the file and exit, and restart the SSHD services: # systemctl restart sshd OR # service sshd restart Step 5: Testing SSH with Chroot Jail. At this point, test if the chroot jail setup is working as expected: # ssh email protected-bash-4.1$ ls -bash-4.1$ date -bash-4.1$ uname.
  1. Create a passwd and group file in /data/chroot-ssh/etc directory and then copy the specific ssh user and group information to passwd and group file in /data/chroot-ssh/etc directory.
  1. Now restart sshd service then test scp file transfer from the client system.

Chroot Jail Ssh

Testing

Execute the following command for ssh login and scp file transfer testing.


If you have enjoyed the above article, the following are add on articles related to SCP on chroot ssh jail:

Ssh Chroot