Comments on Restricting Users To SFTP Plus Setting Up Chrooted SSH/SFTP (Debian Squeeze)
Restricting Users To SFTP Plus Setting Up Chrooted SSH/SFTP (Debian Squeeze)

This tutorial describes how to give users chrooted SSH and/or chrooted SFTP access on Debian Squeeze. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of. I will also show how to restrict users to SFTP so that they cannot use SSH (this part is independent from the chroot part of this tutorial).
12 Comment(s)
Comments
Hello Falko,
I have actually tried this script "make_chroot_jail.sh" and others (jailkit) to enable chroot SSH only recently, before your post. I want to share something here. For "make_chroot_jail.sh" on Debian or Ubuntu, it won't work if you just take that script without any change.
1. You should see an error like:
./make_chroot_jail.sh: 428: cannot create : Directory nonexistent
Please see here how to resolve it:
http://ubuntuforums.org/showthread.php?t=881562
2. If your system has only a little software installed (like my testing machine, with nothing but the SSH server installed), you will see an error like missing "/lib/libcap.so.1" when you do:
make_chroot_jail.sh falko /bin/bash /home
This is because the basic Debian install (v6.0.2) didn't have libcap.so.1 at all. You may need to do "apt-get install libcap-dev" to get it, and "ln -s /lib/libcap.so.2 /lib/libcap.so.1" to make it work.
3. After fixing the above two, I can log in remotely via SSH; however, that SSH session is closed immediately once I log in. From /var/log/auth.log, it looks like "pam_unix(sshd:session)". If I disable UsePAM in "/etc/ssh/sshd_config", I get "Accept password from user..", but nothing else, and my connection is still closed without any log or error. I am still working on this... :-(
Anyway, just my 2 cents for those people following the post who want a quick answer.
Hsinan
It also works on Squeeze. Just look inside the script and take the appropriate actions, as noted by the author. On some Debian systems (for example 64-bit installations) you have to uncomment the two lines mentioned at the end of the script. I can prove that the script works fine here.
That method killed the connection to my headless server and kept me busy for half a day until I recovered from the damage.
In sshd_config:
Match group vhost
PasswordAuthentication yes
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTCPForwarding no
This will chroot them to their home directory rather than /home.
SFTP only.
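Several comments on this page report the session being closed right after a successful login. The usual cause is that sshd requires the ChrootDirectory and every parent up to / to be owned by root and not writable by group or others. The following pre-flight check is an added example, not part of the tutorial or of any comment; the `check_chroot_path` function, its optional WANT_UID and TOP parameters (only for exercising the walker on a tree you own), and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Pre-flight check for an sshd ChrootDirectory (added example).
# Every path component from the chroot up to / must be owned by root
# (uid 0) and must not be group- or world-writable, or sshd closes the
# session immediately after authentication.
# Usage: check_chroot_path DIR [WANT_UID] [TOP]
#   WANT_UID defaults to 0 (root); TOP defaults to / and exists so the
#   walker can be exercised on a test tree that you, not root, own.

# check_dir DIR WANT_UID: 0 if DIR is owned by WANT_UID and not g/o-writable
check_dir() {
    d=$1 want=$2
    [ -d "$d" ] || { echo "missing: $d"; return 1; }
    set -- $(stat -c '%u %a' "$d")      # GNU stat: numeric uid, octal mode
    uid=$1 mode=$2
    perms=${mode#"${mode%???}"}         # keep the last three octal digits
    g=${perms%?}; g=${g#?}              # group digit
    o=${perms#??}                       # other digit
    ok=0
    [ "$uid" = "$want" ] || { echo "wrong owner $uid: $d"; ok=1; }
    case $g in 2|3|6|7) echo "group-writable: $d"; ok=1;; esac
    case $o in 2|3|6|7) echo "world-writable: $d"; ok=1;; esac
    return $ok
}

# check_chroot_path DIR [WANT_UID] [TOP]: walk from DIR up to TOP (or /)
# and report every component that would make sshd reject the chroot.
check_chroot_path() {
    dir=$1 want=${2:-0} top=${3:-/}
    rc=0
    p=$dir
    while :; do
        check_dir "$p" "$want" || rc=1
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}
```

Run it as `check_chroot_path /home/alice` before restarting sshd; a clean run prints nothing and returns 0.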
Hi,
after I did this, I was unable to log in to my SSH via PuTTY. Please advise.
Hello,
I'm running Debian Squeeze (64bit),
in order to fix the problem './make_chroot_jail.sh: 428: cannot create : Directory nonexistent'
I had to change the shell in the file make_chroot_jail.sh:
from:
#!/bin/sh
to:
#!/bin/bash
Hello Falko,
I have tried your steps but it didn't work out for me. I run a Debian 64-bit web server with Virtualmin as control panel. I even installed libcap-dev and changed #!/bin/sh to #!/bin/bash but it doesn't work. I tried it on existing users and created new users as well. SSH works fine but the user can still access the root directory.
I have tried rbash for the user accounts. It works great, but the user can still list and view the files in the root folder. Is there any solution to offer full SSH access just to the user's home directory?
Thank you for the great tutorial. It works except for one thing:
does anyone have a solution for the last question? How can I deny the chroot user access to / of the system? The user should stay in his chroot area (/home/user).
I would like to set up a jail/chroot for an AD user or group; is that possible this way?
Hi, the script doesn't create the new user in the specified "users" group; it creates the user in a group with the same name as the user.
For example:
User Jimmy
Group users
It creates user jimmy, group Jimmy.
How can I fix it?
You can also try SFTPGo:
https://github.com/drakkan/sftpgo
It has chroot support built in, virtual quotas, atomic uploads, bandwidth throttling and many other features.
It can execute configurable custom commands and/or send HTTP notifications on upload, download, delete or rename.
It is written in Go, so it has no runtime dependencies, and it works on Windows too.
Hi,
I got it working, but I have a problem with mc (Midnight Commander): the function keys and arrow keys don't work. I've tried many things but can't get it to work. Any ideas?
Thanks,
Michael.