SFTP – How to Create an Isolated/Jailed SFTP User

Tags: chroot, sftp, ssh, sshd

I just created a new user, friend, on my server; the goal is to give SFTP access to a friend of mine so that he can host his website there.

I noticed that when connecting to the server by SFTP as user friend, the default folder is /home/friend/, but you can easily leave /home/friend/ and browse, with read access, all files on the server, such as /home/anotheruser/website2/config.php! I don't want this.

I was told to put this user in "jailed / isolated mode", so, at the end of my default sshd_config:

...
Subsystem sftp /usr/lib/openssh/sftp-server

… I added this:

Match User friend
ChrootDirectory /home/friend
ForceCommand internal-sftp

and did service sshd restart.

Then I could not connect to the server at all by SFTP as user friend any more, oops! I also tried replacing Subsystem ... with Subsystem sftp internal-sftp, but the result was the same: friend can no longer connect to the server via SFTP.

Question:

How do I isolate user friend so that he cannot leave his home /home/friend/ via SFTP/SSH?


Note: I already read How to Restrict SFTP Users to Home Directories Using chroot Jail, How can I chroot sftp-only SSH users into their homes?, etc.

Best Answer

Not sure what OS you are using, but I use the link below when I have to configure jailed SFTP users. It is a really good tutorial on how to configure a jailed SFTP user.

https://access.redhat.com/solutions/2399571

I would then bind-mount whichever directory you want to give your friend access to onto the chroot directory.
