Chrooted SFTP (RHEL 5)

Posted on Sun 13 February 2011 by Pavlo Khmel

On RHEL 5 with default installed openssh chroot will not allow to login via ssh. (Solution: run separate sshd on another port).
To use sftp and ssh on the same port is supported in RHEL 6.
For RHEL 5 we should use not-supported version of openssh.

Latest version: for today is OpenSSH 5.8/5.8p1.

Download openssh-5.8p1.tar.gz
Installing packages needed for compilation:

yum install gcc zlib-devel openssl-devel
tar -xvzf openssh-5.8p1.tar.gz
cd openssh-5.8p1
./configure --prefix=/opt/openssh-5.8p1
make install
# Autostart configuration:
cp /etc/init.d/sshd /etc/init.d/sshd_orig

Update /etc/init.d/sshd with new paths

# Some functions to make the below more readable

Add and change in /opt/openssh-5.8p1/etc/sshd_config:

# override default of no subsystems
#Subsystem sftp /opt/openssh-5.8p1/libexec/sftp-server
Subsystem sftp internal-sftp

Match group sftponly
     ChrootDirectory /test
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp

Match group group1
     # Set umask "-u"
     ForceCommand internal-sftp -u 0027
     ChrootDirectory /test1

Match group group2
     ForceCommand internal-sftp -u 0007
     # Set username "%u" or home directory "%h"
     ChrootDirectory /test1/%u

Restart sshd:

service sshd restart

Manual start of new sshd:


Adding sftp user
The directory /test must be owned by root.

groupadd sftponly
useradd phn -g sftponly
passwd phn
chown root:sftponly /test
chmod 750 /test

Public keys for sftp users should be located in default place: /home/[user name]/.ssh/authorized_keys
But user should have any password, to have access via public key.
If you want to have chrooted directory on different directory levels with different users. Directory owner should be user "root", group can be different.