I just created a new user friend on my server; the goal is to give SFTP access to a friend of mine so that he can host his website there.

I noticed that when connecting to the server by SFTP with user friend, the default folder is /home/friend/, but you can easily go out of /home/friend/ and visit all files with read access on the server, such as /home/anotheruser/website2/config.php! I don't want this.

I was told to put this user in "jailed / isolated mode", so at the end of my default sshd_config:

    ...
    Subsystem sftp /usr/lib/openssh/sftp-server

… I added this:

    Match User friend
        ChrootDirectory /home/friend
        ForceCommand internal-sftp

and did service sshd restart.

Then I could not connect to the server at all by SFTP with user friend anymore, oops! I also tried replacing Subsystem ... with Subsystem sftp internal-sftp, but the result was the same: friend cannot connect to the server anymore via SFTP.

Question: How to isolate user friend so that he cannot go out of his home /home/friend/ via SFTP/SSH?

Note: I already read How to Restrict SFTP Users to Home Directories Using chroot Jail, How can I chroot sftp-only SSH users into their homes?, etc.
Best Answer
Not sure what OS you are using but I use the link below when I have to configure jailed SFTP users. It is a really good tutorial on how to configure a jailed SFTP user.
https://access.redhat.com/solutions/2399571
I would then mount bind whichever directory to the chroot directory you want to give your friend access to.