This setup allows users to upload files to a specific pre-assigned directory on a Linux server. It has a few use-cases, but the context of these instructions is a web server where each account uploads files to a different web site on the server. Access is given at the root of the web site's directory structure, from which the user has full access to all folders and files below but is unable to navigate up.
Make sure you are running an OpenSSH version greater than 4.8. CentOS/RHEL 6.x and up comes with version 5.3p1.
Create User Accounts
This creates a new user account with the default home directory /path/towebfolder/newwebdirectory.
$sudo useradd userA -c "User's Description" -d /path/towebfolder/newwebdirectory/
Set the user's passwd
$sudo passwd userA
Restrict user access
This is an optional step; enable it only if you want to restrict who can SSH into the box.
If you enable this, you also need to add the following line to the /etc/ssh/sshd_config file:
AllowGroups sshgroupname
where sshgroupname is a group we previously created. Add the user to the sshgroupname group.
Remove terminal login access
Keep in mind that we are just creating an area where the user can upload web files; login access to the server is not necessary.
Edit the /etc/passwd file, find the line with the username, and change the following
/bin/bash
to
/sbin/nologin
Tell ssh where to jail the user
Add the block below to the /etc/ssh/sshd_config file.
Make sure to use User for the Match parameter. Do not use Group. It does NOT jail the user/group.
# UserA comments
Match User userA
ChrootDirectory /path/towebfolder/newwebdirectory
# Do not include htdocs in this path. It will lead to permissions errors.
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Reload sshd so that the above change takes effect.
$sudo service sshd reload
Create the htdocs web folder and set proper permissions
The top-level home directory MUST be owned by root and must have 755 permissions.
$cd /path/towebfolder/
$sudo chmod 755 newwebdirectory
$sudo chown root:root newwebdirectory/
Create htdocs folder and set proper permissions
The htdocs folder MUST be owned by the user and the group the user belongs to.
$cd newwebdirectory/
$sudo mkdir htdocs
$sudo chown userA:userA htdocs
NOTE:
At this point the user can upload files, but there is no web site set up pointing to this new directory.
Add an Apache vhost section to /etc/httpd/conf.d/virtualhosts.conf, where virtualhosts.conf is the file you use to define vhosts.
I'm listing only the relevant line; you should know what else goes into the VirtualHost section.
<VirtualHost *:80>
...
DocumentRoot /home/httpd/newwebdirectory/htdocs
...
</VirtualHost>
Restart Apache
$sudo service httpd restart
OPTIONAL:
If migrating data from an old web site, copy the web files to htdocs.
Reset permissions on migrated files
$sudo chown -R userA:userA *
Some versions of the Windows WinSCP client try to use scp by default instead of sftp, so you have to explicitly configure WinSCP to use sftp.
scp from the command line on Linux or OS X won't work. To use scp, the account you use needs to have a login shell; since the account we are creating does not have one, scp fails. This is the same reason WinSCP does not work when it is set to use scp.
OS Agnostic: FileZilla
Windows: WinSCP
http://v2.robbyt.com/2008/howto/chrooted-sftp-with-openssh-5/