Centos 7 - SFTP, RSA-KEY and Chroot

hero_xh · 03-30-2016, 10:14 AM

Hi there,

I wish to set up a server as SFTP using RSA-KEY and Chroot.

My "/etc/ssh/sshd_config" file has the following configuration:

Quote:

Match Group sftp_group
X11Forwarding no
AllowTCPForwarding no
ChrootDirectory /var/www/html/XXX
ForceCommand internal-sftp

it is not working but if I modify the above for that it works:

Quote:

Match Group sftp_group
X11Forwarding no
AllowTCPForwarding no
ChrootDirectory /home
ForceCommand internal-sftp

So, my configuration is fine less this, it seems that if I change the ChrootDirectory for another different directory than /home doesn't work.

The user who try to sftp to /var/www/html/XXX has the right permission on /var/www/html/XXX.

Any suggestion?

Thanks

wpeckham · 04-01-2016, 07:20 AM

There are requirements for the ownership and permissions on the chroot home, AND THE FOLDER ABOVE IT, that need to be either met or explicitly disabled. I recommend meeting them, as there is no purpose in securing something and then adding a vulnerability for no reason.

I have set up chroot before using recent versions of OpenSSH, and have always been able to make it work. It IS picky, but then it is security software and SHOULD be!

hero_xh · 04-05-2016, 07:27 AM

Thanks for you answer!

I couldn't understand you really well to be honest...How can I enable the chroot for /var/www/html/XXX? it will be a risk although ....I would like to know how do it and afterwards choose :-)

Thanks!