This short guide will show you how to build a system where SFTP users are chrooted into their home directories, effectively preventing them from snooping around your system.
Install chroot_safe and sudo (available in the ports tree). chroot_safe is a clever piece of software which allows chrooting dynamically linked applications without having to copy libraries into the chroot directory.
NOTE: You need to create the /dev/null device inside each user's home directory, because more recent releases of sftp-server require access to /dev/null and chroot_safe does not provide it inside the chroot. For a user whose home is /home/<user>:
# mkdir /home/<user>/dev
# mknod /home/<user>/dev/null c 2 2
# chmod 666 /home/<user>/dev/null
The major and minor numbers (2 2) are the ones used on the BSDs; check ls -l /dev/null on your host and use the numbers shown there (Linux, for example, uses 1 3). The chmod is needed because mknod creates the node with the umask applied, and sftp-server runs as the user, not as root.
Write a wrapper script which does the chrooting for sftp-server (the binary used for SFTP operations on the server side). Because chrooting can only be done by root, this script re-executes itself under root permissions with the help of sudo. Don't worry, permissions are dropped as soon as the chroot is in place. Save the chrooted SFTP wrapper script as /usr/lib/ssh/sftp-server-chroot, owned by root and mode 755:
#!/bin/sh
# Re-execute under root via sudo: chroot(2) needs root.
# $UID is a bash variable and is not set by every /bin/sh, so use id(1);
# testing an unset $UID would re-exec sudo forever.
if [ "$(id -u)" != "0" ]; then
    exec /usr/bin/sudo "$0"
fi
# sudo resets HOME to root's home directory, so do not trust $HOME here:
# look the invoking user's home up in the password database instead.
home=$(getent passwd "$SUDO_USER" | cut -d: -f6)
[ -n "$SUDO_USER" ] && [ -d "$home" ] || exit 1
# chroot_safe chroots into the user's home, drops to that user and runs sftp-server.
exec /usr/sbin/chroot_safe "$SUDO_USER" "$home" /usr/lib/ssh/sftp-server
Add restricted SFTP users. This is exactly like adding normal users, except that the SFTP users' shell is set to /usr/lib/ssh/sftp-server-chroot. sshd starts the sftp subsystem through the user's login shell (shell -c sftp-server), so the wrapper also catches subsystem requests, and because it ignores its arguments every interactive login or remote command ends up in chrooted sftp-server as well. This prevents the account from being used for anything other than chrooted SFTP. If useradd insists on a shell listed in /etc/shells, add the wrapper's path there first.
# useradd -s /usr/lib/ssh/sftp-server-chroot -m <user>
# passwd <user>
Add the following line to /etc/sudoers (edit it with visudo) for each new SFTP user you add. It allows the sftp-server-chroot wrapper script to obtain root permissions for the actual chroot operation and nothing else; since whatever is in that file then runs as root, the wrapper must be owned by root and writable by nobody else. If your sudoers sets Defaults requiretty, exempt these users, because sftp sessions have no tty. Instead of one line per user you can also grant the rule to a group, e.g. %sftponly, and add the SFTP users to it.
<user> ALL=NOPASSWD: /usr/lib/ssh/sftp-server-chroot
Because we are aiming for a secure SFTP-only account, you should also disable TCP port forwarding in
/etc/ssh/sshd_config: the wrapper only ever runs sftp-server, but port forwarding is a separate SSH channel that needs no shell at all. In sshd versions without Match blocks this setting is global, so it disables TCP forwarding for normal users as well. Make sure your sshd_config has the following line (and it's not commented out):
AllowTcpForwarding no
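Where sshd is new enough to support Match blocks (OpenSSH 4.4 and later), the restriction can be scoped to the SFTP accounts instead of the whole server. The fragment below is an added example and not part of the original guide; the group name sftponly is a placeholder, and the SFTP users would have to be members of that group. Later OpenSSH releases also offer ChrootDirectory and ForceCommand internal-sftp, which replace the wrapper and sudo setup entirely; if they are available, prefer them.

```text
# Forwarding stays available for normal users ...
AllowTcpForwarding yes

# ... and is switched off, together with agent and X11 forwarding,
# only for the SFTP accounts.  Match blocks must come last in the file:
# every directive after a Match line belongs to that block.
Match Group sftponly
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
```

Reload sshd after editing and confirm with sshd -T -C user=<user> (OpenSSH 6.5 and later) that the effective settings for one of the SFTP accounts show AllowTcpForwarding no.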
You're done! Before handing out usernames and passwords, check that the chroot really works, i.e. the user can't get out of the SFTP jail: log in with sftp as the new user and try to list or download paths outside the home directory, such as /etc/passwd.
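A scripted version of that check, as an added example that is not part of the original guide: it runs a batch of probes against a freshly created account from a client machine and judges from the transcript whether the jail held. The host and user names are placeholders, and authentication must succeed without prompting (for example with a key in the account's ~/.ssh/authorized_keys), because batch mode never asks for a password.

```shell
#!/bin/sh
# Added example: probe a new SFTP account and confirm the jail holds.
# Host and user are placeholders passed on the command line.

# Paths that exist on every host but not inside a fresh user's home.
# A jailed account must be refused all of them.
probe_batch() {
    cat <<'EOF'
ls -l /etc/passwd
ls /root
get /etc/passwd /dev/null
EOF
}

# Run the batch against user $2 on host $1.  sftp aborts at the first
# failing command unless it is prefixed with '-', so prefix every line
# to collect all results; stderr carries the refusals, so merge it.
run_probe() {
    probe_batch | sed 's/^/-/' | sftp -b - "$2@$1" 2>&1
}

# Judge a transcript: returns 0 if the jail held, 1 if the account got out.
jail_held() {
    transcript=$1
    # A download of /etc/passwd can only succeed outside the jail.
    if printf '%s\n' "$transcript" | grep -q '^Fetching /etc/passwd'; then
        return 1
    fi
    # Inside the jail sftp reports each probe as "not found"; require all
    # three refusals so a broken session is not mistaken for a good jail.
    refusals=$(printf '%s\n' "$transcript" | grep -c 'not found' || true)
    [ "$refusals" -ge 3 ]
}

# Usage: sh sftp-jailcheck.sh <host> <user>
if [ $# -eq 2 ]; then
    out=$(run_probe "$1" "$2")
    printf '%s\n' "$out"
    # Batch mode echoes each command as "sftp> cmd"; without that the
    # session never got as far as running the probes.
    case $out in
        *"sftp> "*) ;;
        *) echo "could not run the probes (authentication or connection failed)"; exit 3 ;;
    esac
    if jail_held "$out"; then
        echo "OK: $2 is confined to its jail"
    else
        echo "FAIL: $2 can reach files outside its jail"
        exit 2
    fi
fi
```

Run it once against a freshly created account before handing out the credentials; an account that has already been used could have created its own /etc/passwd inside the jail, which would make the "not found" probes ambiguous.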