OpenSSH SFTP chroot() with ChrootDirectory
Posted by niol on Tue 1 Apr 2008 at 10:49
The upcoming version of OpenSSH (4.8p1 for the GNU/Linux port) features a new configuration option : ChrootDirectory. This has been made possible by a new SFTP subsystem statically linked to sshd.
This makes it easy to replace a basic FTP service without the hassle of configuring encryption and/or bothering with FTP passive and active modes when operating through a NAT router. This is also simpler than packages such as rssh, scponly or other patches because it does not require setting up and maintaining (i.e. security updates) a chroot environment.
To enable it, you obviously need the new version 4.8p1. I personaly use the cvs version and the debian/ directory of the sid package to build a well integrated Debian package 4.8p1~cvs-1.
In /etc/ssh/sshd_config :
You need to configure OpenSSH to use its internal SFTP subsystem.
Subsystem sftp internal-sftp
Then, I configured chroot()ing in a match rule.
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
The directory in which to chroot() must be owned by root. After the call to chroot(), sshd changes directory to the home directory relative to the new root directory. That is why I use / as home directory.
# chown root.root /home/user # usermod -d / user # adduser user sftponly
This seems to work as expected :
$ sftp user@host Connecting to host... user@host's password: sftp> ls build cowbuildinall incoming johnbuilderclean sftp> pwd Remote working directory: / sftp> cd .. sftp> ls build cowbuildinall incoming johnbuilderclean
The only thing I miss is file transfers logging, but I did not investigate this at all. More on this whenever I find some time to do so.
References :
But I've learned not to trust anything posted on this day...
[ Parent | Reply to this comment ]
Note that OpenSSH 4.8 was an OpenBSD-only release shipped with the
OpenBSD 4.3 CD.
[ Parent | Reply to this comment ]
OpenSSH 4.9 is OUT!
[ Parent | Reply to this comment ]
Have I misread the manual? It struck me that ChrootDirectory subsequently applied to all users (including myself), which wouldn't work for me at all...
I can be contacted through the Web site above.
--
Minstrel
[ Parent | Reply to this comment ]
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
/* Textual representation of the tokens. */
static struct {
const char *name;
ServerOpCodes opcode;
u_int flags;
} keywords[] = {
// [...]
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
// [...]
}; HTH
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
With Jailkit you can also do a similar setup as above with cvs, rsync and scp.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
and have you seen OpenSSH 5.0/5.0p1 released Apr 3, 2008?
[ Parent | Reply to this comment ]
Just change
# chown root.root /home/userby
# chown root:root /home/userIt's now possible to have a dot in a username !
[ Parent | Reply to this comment ]
Can't wait to try it.
Brian Pence
Celestial Software
http://www.celestialsoftware.net
AbsoluteTelnet (for telnet and ssh)
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]