
Can I limit a user's SFTP login so that they can only see and change files under the /var/www/html folder?

I tried the steps below, but then I can't log in with Transmit through SFTP.

# adduser user_www

# passwd user_www

# vi /etc/ssh/sshd_config

# add at the end of the file:
Match User user_www
ChrootDirectory /var/www

# service sshd restart

/var/log/secure shows:

Jul 13 11:29:23 li390-124 sshd[10269]: Accepted password for user_www from 106.65.234.106 port 19962 ssh2
Jul 13 11:29:23 li390-124 sshd[10269]: pam_unix(sshd:session): session opened for user user_www by (uid=0)
Jul 13 11:29:23 li390-124 sshd[10271]: subsystem request for sftp
Jul 13 11:29:23 li390-124 sshd[10271]: error: subsystem: cannot stat /usr/libexec/openssh/sftp-server: No such file or directory
Jul 13 11:29:23 li390-124 sshd[10271]: subsystem request for sftp failed, subsystem not found
Jul 13 11:29:23 li390-124 sshd[10269]: pam_unix(sshd:session): session closed for user user_www
user1775888

1 Answer

You need to add ForceCommand internal-sftp after the Match User user_www line.

This forces OpenSSH to use its internal SFTP implementation instead of trying to execute the external sftp-server binary, which cannot be reached from inside the chroot jail.

Tero Kilkanen
  • Thanks for the reply. Before this, I tried commenting out the line `#Subsystem sftp /usr/libexec/openssh/sftp-server` and adding `Subsystem sftp internal-sftp` before `Match User`, and it works now. I'm wondering whether there is a difference between that and this answer. – user1775888 Jul 13 '14 at 11:56
  • I think these are about the same; however, I think the `Subsystem` syntax was added later and is the recommended one to use. – Tero Kilkanen Jul 13 '14 at 15:02