HOWTO: chroot SFTP (only) - Index


Background

For a few years, I've been trying to find just the right way to safely offer SFTP file transfer to Web hosting customers. Since I used SSH (and SFTP) on the server for my own purposes, it was the obvious solution. I've never wanted to provide plain FTP access (which would conveniently provide a closed home area for them), as some customers have a habit of connecting from/across dodgy networks.

For a long time, I ran OpenSSH with a patch to 'chroot' (jail) the users, but this is a pig to maintain: each time a new version of OpenSSH was released, I had to go and get the patched version, compile and install it, check that all the libraries in the users' home areas were still up to date, and make sure I hadn't made a configuration error somewhere. This solution still had one major flaw: users still had some shell access, albeit only within their area, and this could (and did) lead to users messing up their own environment.

I finally found the right solution - at the time OpenSSH 4.4p1 was released, the chrootssh project disappeared from SourceForge for an extended period - I was forced to work things out myself instead of lazily using someone else's package. This gave me the opportunity to finally implement a working solution that reduces the amount of maintenance I have to do, and locks the users down even further - they can now only modify their own files.

I decided to publish this paper to help anyone that may have a similar scenario to mine:

  • You want to give file upload/download access to your users;
  • You don't want to give shell access to your users; and
  • You want to keep maintenance overhead to a minimum when upgrading OpenSSH.

This solution won't be appropriate, though, if:

  • Your users require any shell access; or
  • You want to enable SCP access rather than SFTP (there are similar solutions available for this, though).

The information I've pulled together here is available elsewhere on the Internet, but it took me quite a while to give the right incantations to Google and then to put it all together, as it is pieced together from snippets in lots of different places, sometimes in unreadable English. Hopefully this HOWTO will help others set up a similar environment.

I run Solaris on the server concerned, but I have had feedback to indicate these instructions will work in a very similar way for practically any *nix system.

What you will end up with after following this guide is:

  • The ability to provide SFTP access (only) to individual users;
  • The ability to completely restrict those users to their home directory; and
  • No necessity for libraries or other files in users' home areas.

Note: this setup might not withstand a robust privilege escalation attack, especially as the sftp-server installation runs suid, but I'm not sure how it would be done (if anyone can advise, I'd be interested to hear!). Please also see the FAQ for discussion around some potential issues.


I have now split the remainder of this page up so that you can select the specific solution that will work best for you: Security Notes and FAQ
[Please read before contacting me if you have any problems or questions]

Variant solutions and contributors:

  • German Translation by Christian Strässle
  • Using Solaris 10 Zones by Belur Krishnamurthy
  • Implementing on CentOS 4.4 by Adam Brakhane
  • Gentoo 'ebuild' version by Robert Piasek
  • 'The Debian Way' by Mads Madsen

Comment from David in relation to OpenSSH 6.1

Your solution still works great for root-jailed sftp. Just compiled it into openssh 6.1 where the OS prevented the match settings from working. Only had to add a 4th argument of '0' (zero) on line 935 of sftp-server.c where ls_read() gets called. I have spent the last week messing with rssh, etc., I had used your solution clear back in 2008, forgot it, stumbled upon it and tried it again and voila!
