sftp chroot

Restricting sftp user access


On the NFS server
- create the group and note the group ID
- change ownership of the files recursively to the group
- make root the owner of the top-level directory (or the chroot later on won't work)
- if you are using anonymous binds, change the NFS export so the GID matches, then re-export

On the sftp server
- create the user and group as above; it doesn't need to match the NFS server if anonymous binding is used
- edit the ssh config to use the built-in sftp and chroot, and match the group

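# Global section: applies to every connection not overridden by a Match block
ForceCommand internal-sftp
ChrootDirectory /home/exchangefiles
# Members of group media are confined to /srv/media
Match Group media
        ForceCommand internal-sftp
        ChrootDirectory /srv/media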

- add some other security measures as appropriate

# Disable network tunneling
PermitTunnel no
# Disable authentication agent forwarding.
AllowAgentForwarding no
# Disable TCP connection forwarding.
AllowTcpForwarding no
# Disable X11 remote desktop forwarding.
X11Forwarding no
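
The "own the top by root" step matters because sshd refuses a ChrootDirectory unless every component of the path is root-owned and not writable by group or others. The script below is an added example, not part of the original notes: it walks a path up to / and reports the first component that breaks the rule. It assumes a stat that supports -c (GNU coreutils or BusyBox); the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check a directory against sshd's ChrootDirectory rules.
# Assumes stat supports -c (GNU coreutils / BusyBox). Function names are
# hypothetical; pass the chroot path (e.g. /srv/media) as the argument.

# perms_ok UID MODE: succeed only for uid 0 with no group/other write bit.
perms_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] 2>/dev/null || return 1
    # 022 masks the write bits for group and others (mode is octal).
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot_path DIR: test DIR and each parent up to /.
# Returns 0 if all pass, 1 on the first bad component, 2 if DIR is unusable.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1"
        return 2
    }
    while :; do
        # Owner uid and octal mode of the current component
        set -- $(stat -c '%u %a' "$dir")
        if ! perms_ok "$1" "$2"; then
            echo "FAIL: $dir (uid=$1 mode=$2)"
            return 1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo "OK: every component is root-owned and not group/other writable"
}

# Run the check only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the chroot directory after changing ownership on the NFS export and before restarting sshd.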




