4

I am running Amazon Linux AMI (Red Hat derivative), and am creating a new SFTP server using OpenSSH. I would like for the SFTP user to be restricted to a directory, and to be able to write to the initial directory that is shown by their SFTP client.

I am using ChrootDirectory to chroot the user to /home/customers/srgcompany. That means that this directory has to be owned by root and only writable by root. The user's passwd entry looks like fflintstone:x:508:515:Fred Flintstone:/home/fflintstone:/sbin/nologin. I have placed the user's public key in /home/fflintstone/.ssh/authorized_keys. I've created a folder that the user's group (srgcompany) has read/write/execute/sgid permission on at /home/customers/srgcompany/fileshere. I've configured OpenSSH's SFTP with Subsystem sftp internal-sftp -u 0007 -l INFO.

So right now, when the user uses an SFTP client to connect, the directory that gets shown (and is returned by the pwd command) cannot be written to. The user can cd to the fileshere folder, and write there. Is there any way to make that fileshere folder be the initial remote working directory as soon as the user SFTP's in, like in the example below? Or, can I make the chrooted folder be writeable?

What I want:

$ sftp sftpserver.sssprockets.com
Connected to sftpserver.sssprockets.com.
sftp> pwd
Remote working directory: /fileshere

Any help is much appreciated.

pgn674
  • 61
  • 1
  • 1
  • 3

1 Answers1

4

When not using chroot or internal-sftp, the OpenSSH package uses a program named sftp-server to handle incoming SFTP sessions. The documentation for sftp-server lists a command-line option for the starting directory:

-d start_directory
specifies an alternate starting directory for users. The pathname may contain the following tokens that are expanded at runtime: %% is replaced by a literal '%', %d is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The default is to use the user's home directory. This option is useful in conjunction with the sshd_config(5) ChrootDirectory option.

That documentation also applies to the internal-sftp subsystem, so you can also use this option with that. Note that you should specify the starting directory relative to the chroot, not the system's actual root:

Subsystem sftp internal-sftp -u 0007 -l INFO -d /fileshere
Kenster
  • 2,152
  • 16
  • 16