Vesta Control Panel - Forum

How to use SFTP Chroot plugin?

nqserv
Posts: 2
Joined: Sat Feb 24, 2018 11:04 pm

Os: CentOS 6x
Web: nginx + php-fpm

Post by nqserv » Sun Feb 25, 2018 4:30 pm

Hi,

I bought the SFTP Chroot plugin and already activated its license on the VestaCP control panel. But after the activation was made I don't see any change on the panel.

Can anyone please provide me with documentation and/or steps on how to start using it?

Thanks

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: How to use SFTP Chroot plugin?

Post by skurudo » Wed Feb 28, 2018 8:24 am

Hello,

SFTP plugin doesn't visualise anything and some users say: why do I need this stuff? Let me explain a little how it is supposed to work:
- without the SFTP Chroot Plugin, a user that has a nologin shell can't use SFTP
- without the SFTP Chroot Plugin, a user that has an rssh shell can use SFTP, but he can also navigate the file system beyond his home directory
- with the SFTP Chroot Plugin, a user that has a nologin shell can use SFTP and can't navigate the root file system; he will be locked to his home
- with or without SFTP Chroot, users that have bash as their system shell can navigate the root file system beyond the home directory

The main purpose is to keep the user in the home directory.

mimin
Posts: 3
Joined: Wed Apr 04, 2018 8:30 am

Os: CentOS 6x
Web: apache + nginx
Re: How to use SFTP Chroot plugin?

Post by mimin » Wed May 09, 2018 9:40 am

But after I activate it and select SSH Access nologin, when I try ssh I cannot enter the system. Is there any documentation on how to use SFTP Chroot?

pozzo-balbi
Posts: 6
Joined: Sat Jun 23, 2018 11:00 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: How to use SFTP Chroot plugin?

Post by pozzo-balbi » Sat Jun 30, 2018 3:38 am

My experience with the sftp chroot plugin is that the user is in fact redirected to his home directory when accessing the system via sftp. Further access via ssh is blocked.

That's about it with the good news. The user can simply enter the command "cd /" to access the root folder and from there see the rest of the system. The chroot jail is not working.

I am using a Red Hat 7.5 clone (Scientific Linux). Services are only nginx without php. So this is what I did. Please notice that only user "admin" can access the system via ssh. All other users are restricted to sftp. I have root logins disabled by default.

Add in /etc/ssh/sshd_config

Code:

Subsystem       sftp    internal-sftp
    ForceCommand internal-sftp
    ChrootDirectory %h/web
    DisableForwarding yes
    AllowTCPForwarding no
    X11Forwarding no

Match User admin
    X11Forwarding yes
    PermitTTY yes
    PasswordAuthentication yes
    ChrootDirectory none
    PermitTunnel yes
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    X11Forwarding yes
    ForceCommand none
    AllowStreamLocalForwarding yes
    DisableForwarding no

Further ensure that /home/user and /home/user/web belong to root with appropriate rights. For that we edit /usr/local/vesta/bin/v-add-user and add the three lines as indicated:

Code:

# Building directory tree
mkdir $HOMEDIR/$user/conf

if [ ! -z "$WEB_SYSTEM" ]; then
    mkdir $HOMEDIR/$user/conf/web $HOMEDIR/$user/web $HOMEDIR/$user/tmp
    chmod 751 $HOMEDIR/$user/conf/web
    chmod 700 $HOMEDIR/$user/tmp
    chown $user:$user $HOMEDIR/$user/web $HOMEDIR/$user/tmp
    chown root:root $HOMEDIR/$user        # <-- add this line
    chown root:root $HOMEDIR/$user/web    # <-- add this line
    chmod 755 $HOMEDIR/$user/web          # <-- add this line
fi

Changing v-add-user is tricky since it can be overwritten anytime by a vestacp update. Enjoy!
Top
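
Added example, not part of the posts above and not VestaCP code: sshd accepts a ChrootDirectory only when every directory on the path is owned by root and not writable by group or others, which is what the chown/chmod lines in the last post are for. The script below checks a path such as /home/user/web for that; the function names and the optional UID argument are assumptions made for this example.

```shell
#!/bin/sh
# sshd refuses a ChrootDirectory unless every directory on the path is
# owned by root and not writable by group or others.

# check_dir DIR [UID]: test one directory (UID defaults to 0, i.e. root).
check_dir() {
    dir=$1 want_uid=${2:-0}
    # "ls -ldn" prints the mode string, link count, numeric uid, gid, ...
    set -- $(ls -ldn -- "$dir" 2>/dev/null)
    mode=$1 uid=$3
    case $mode in
        d*) ;;
        *)  echo "FAIL $dir: missing or not a directory"; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    case $mode in
        # 6th character is group write, 9th is other write
        d????w*|d???????w*)
            echo "FAIL $dir: writable by group or others ($mode)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path /abs/path [UID]: test "/" and every component below it.
check_chroot_path() {
    path=$1 owner=${2:-0} cur="" rc=0
    check_dir / "$owner" || rc=1
    old_ifs=$IFS; IFS=/
    set -- $path            # split the path on "/"
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        check_dir "$cur" "$owner" || rc=1
    done
    return $rc
}

# Run as a script with the chroot path as argument, for example
# /home/alice/web (hypothetical account name).
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

With "ChrootDirectory %h/web" from the configuration above, the path to check is the account's home directory followed by /web.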

