SSH – How to restrict SSH users to browse only /home/%u contents

chrootssh

Can I confine my users to their /home/%u directory using only OpenSSH configuration? From instructions I found on the Internet, I stopped the SSH server and appended the following to the sshd_config file:

Match group sftpusers
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no

I then started the SSH server again.

FYI, I have the users added to the sftpusers group.

My users can still browse, i.e. cd /, and are able to use the cat command to list file content (cat /usr/bin/test.sh) across the entire file structure on my system.

I'm running Ubuntu Server 12.04 LTS.

Best Answer

First of all, I would suggest using ChrootDirectory %h instead of /home/%u, as %h expands to the user's home, even if it's not /home/$USER.

Now to your actual problem: you need to force internal-sftp as the command to be run. The following config works just fine for me, and should work for you as well:

Match group sftp
    ForceCommand internal-sftp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no

The user's home should be root-owned and have 755 permissions as mentioned above:

drwxr-xr-x 22 root root 4.0K Nov 24  2011 /home/testuser