By default, once you run service ssh start you can access the Linux system remotely using sftp or ssh. Suppose you want to restrict non-root users to /home/sftp over sftp; you can do the following:
First, check whether a group for sftp already exists:
cat /etc/group |grep sftp
If nothing is shown, the sftp group does not exist. Create a group sftp:
root@bt:~# addgroup sftp
Adding group `sftp' (GID 1001) ...
Done.
root@bt:~# cat /etc/group |grep sftp
sftp:x:1001:
Next, create a user and attach them to the group sftp.
root@bt:~#
root@bt:~# adduser --home /home/sftp sftpuser
Adding user `sftpuser' ...
Adding new group `sftpuser' (1002) ...
Adding new user `sftpuser' (1001) with group `sftpuser' ...
Creating home directory `/home/sftpuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sftpuser
Enter the new value, or press ENTER for the default
Full Name []: SFTP user
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
root@bt:~# adduser sftpuser sftp
Adding user `sftpuser' to group `sftp' ...
Adding user sftpuser to group sftp
Done.
Edit the sshd config file /etc/ssh/sshd_config:
Look for the keyword Subsystem; you will find a default line that looks like this:
Subsystem sftp /usr/lib/openssh/sftp-server
Change it to this:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Scroll down to the end of the file and add these lines:
Match group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Save the config file and exit.
These two commands make /home/sftpuser the root directory that sftpuser sees after logging in, jailing sftpuser to /home/sftpuser and nowhere else. sshd only accepts a ChrootDirectory that is owned by root, hence the chown, and setting the home directory to / makes the login land at the top of the jail.
chown root:root /home/sftpuser
usermod -d / sftpuser
Originally I made sftpuser's home /home/sftpuser, but I failed to jail it; the sftp user could break out of /home/sftpuser and go anywhere within the system. Now I shall test the jailing by sftping to my localhost.
root@bt:~# sftp sftpuser@localhost
Connecting to localhost...
sftpuser@localhost's password:
sftp> ls
sftp> pwd
Remote working directory: /
sftp>
sftp> cd ../../../
sftp> pwd
Remote working directory: /
sftp> ls
sftp>
Reference: www.debian-administration.org/articles/590