@JT501
Last active November 17, 2019 06:16
Jail SFTP user into their directories


  1. Create user group sftpgroup

  2. Add user into sftpgroup

  3. Modify /etc/ssh/sshd_config:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Append the following at the bottom of the same file:

Match group sftpgroup
# The following two directives force members of sftpgroup to become chrooted
# and only have sftp available. No other chroot setup is required.
ChrootDirectory /home/%u
ForceCommand internal-sftp
# For additional paranoia, disallow all types of port forwardings.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no

  4. Change the ownership of /home/%u (%u = username) to root:root (not recursively)

  5. Change the permissions of /home/%u (%u = username) to 0755

  6. Restart the SSH server
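
Steps 4 and 5 matter because sshd refuses the session unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others. The script below is an added example, not part of the original gist, that checks a path against that rule before you restart sshd; the function names are hypothetical and it assumes GNU coreutils `stat` on Linux.

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory path.
# Assumes GNU coreutils stat (-L, -c), as found on Linux.

# component_ok UID MODE: succeed only if the owner is root (uid 0) and the
# octal MODE has neither the group-write (020) nor other-write (002) bit.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path PATH: walk from PATH up to /, reporting each component
# that breaks the rule. Returns 0 if all pass, 1 if any fail, 2 on bad input.
check_chroot_path() {
    path=$1
    rc=0
    case $path in
        /*) ;;
        *) echo "not an absolute path: $path" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$path" ]; then
            echo "FAIL $path: not a directory" >&2
            rc=1
        else
            uid=$(stat -L -c %u "$path")
            mode=$(stat -L -c %a "$path")
            if component_ok "$uid" "$mode"; then
                echo "ok   $path (uid=$uid mode=$mode)"
            else
                echo "FAIL $path (uid=$uid mode=$mode)" >&2
                rc=1
            fi
        fi
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return "$rc"
}

# Run the check when a path is given, e.g.: sh check_chroot.sh /home/alice
# (the file name and the user "alice" are constructed for illustration).
[ "$#" -eq 0 ] || check_chroot_path "$1"
```

A `FAIL` line on the home directory itself usually means step 4 or 5 was skipped; a `FAIL` on a parent such as `/home` means the parent needs the same treatment. `sshd -t` separately validates the edited sshd_config before the restart.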

JT501 commented Jul 29, 2018

Webmin shell command

  1. Add a custom command to handle setting up and cleaning up the chroot:

Virtualmin -> System Settings -> Virtualmin Configuration -> Actions upon server and user creation -> Command to run after making changes to a server: /home/chroot.sh

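  2. Create the /home/chroot.sh as follows:

#!/bin/sh
# Virtualmin post-change hook: make a newly created server's home
# directory root-owned and mode 755 so sshd accepts it as a chroot.

# Use "=" rather than "==": the latter is not valid in POSIX sh test.
if [ "$VIRTUALSERVER_ACTION" = "CREATE_DOMAIN" ]
then
    if [ "$VIRTUALSERVER_CREATED" ]
    then
        echo "Change /home/$VIRTUALSERVER_USER ownership to root:root"
        chown root:root "/home/$VIRTUALSERVER_USER"
        echo "done"
        echo "Change /home/$VIRTUALSERVER_USER permission to 755"
        chmod 755 "/home/$VIRTUALSERVER_USER"
        echo "done"
    fi
fi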

It will change the user home directory's ownership & permission automatically after creating a new virtual server.
