Jailed SFTP Users With CentOS

Offering SFTP-only jailed user accounts is useful in many scenarios such as shared web hosts, storage space for friends, etc.

This tutorial is specific to CentOS 5.4 x86 64-bit. Other flavors will vary.

** Make sure you are root or using sudo

1. Upgrade to OpenSSH 5.x

## fetch the packages (third-party builds served over plain HTTP; check their signatures before installing)
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-clients-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-server-5.1p1-3.el5.hrb.x86_64.rpm

## upgrade OpenSSH
rpm -Uvh openssh-*

2. Comment out the following line in ‘/etc/ssh/sshd_config’

Subsystem     sftp     /usr/libexec/openssh/sftp-server

3. Append these lines to the end of ‘/etc/ssh/sshd_config’

Subsystem     sftp     internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

4. Add the ‘sftponly’ user group

groupadd sftponly

5. Modify the user’s group and shell

(I’ll use the completely random username: bree_olson)

usermod -g sftponly bree_olson
usermod -s /bin/false bree_olson

6. Set the proper filesystem permissions

(Bree’s home directory is /home/bree_olson and her website is in /home/bree_olson/public_html)

chmod 755 /home/bree_olson
chown root:root /home/bree_olson
chown bree_olson:sftponly /home/bree_olson/public_html

7. Restart the SSHD daemon

/etc/init.d/sshd restart


And that is it! Just be sure to repeat steps 5 and 6 for all the users that you wish to lock down.
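
sshd refuses a chrooted login unless every directory on the ChrootDirectory path is owned by root and not writable by group or others, which is what step 6 sets up. The script below is an added example, not part of the original tutorial, that checks this before you restart sshd; the function names are made up for illustration and it assumes GNU stat, as shipped with CentOS.

```shell
#!/bin/sh
# Added example: pre-flight check for the ChrootDirectory path (assumes GNU stat).

# check_chroot_component DIR [OWNER_UID]
# Succeeds only if DIR is a directory owned by OWNER_UID (default 0 = root)
# and carries no group or other write bit.
check_chroot_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi
    info=$(stat -L -c '%u %a' "$dir") || return 1
    uid=${info% *}
    mode=${info#* }
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid"
        return 1
    fi
    # 022 masks the group-write and other-write bits of the octal mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"
        return 1
    fi
    echo "OK   $dir (uid $uid, mode $mode)"
}

# check_chroot_path ABSOLUTE_PATH [OWNER_UID]
# Applies the component check to the path and to every parent up to /.
check_chroot_path() {
    p=$1
    rc=0
    case $p in
        /*) ;;
        *) echo "FAIL $p: path must be absolute"; return 2 ;;
    esac
    while :; do
        check_chroot_component "$p" "${2:-0}" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Run against a path given on the command line, e.g. /home/bree_olson.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

The writable public_html directory sits inside the jail, below the path sshd checks, so it is correctly left out of the walk.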