How to use SFTP Chroot plugin?
Posted: Sun Feb 25, 2018 4:30 pm
by nqserv
Hi,
I bought the SFTP Chroot plugin and already activated its license on the VestaCP control panel. But after the activation is made I don't see any change on the panel.
Can anyone please provide me with documentation and/or steps on how to start using it?
Thanks
Re: How to use SFTP Chroot plugin?
Posted: Wed Feb 28, 2018 8:24 am
by skurudo
Hello,
The SFTP plugin doesn't visualise anything, and some users ask: why do I need this stuff? Let me explain a little how it is supposed to work:
- without the SFTP Chroot Plugin, a user that has the nologin shell can't use SFTP
- without the SFTP Chroot Plugin, a user that has the rssh shell can use SFTP, but he can also navigate the file system beyond his home directory
- with the SFTP Chroot Plugin, a user that has the nologin shell can use SFTP and can't navigate the root file system; he will be locked to his home
- with or without SFTP Chroot, users that have bash as their system shell can navigate the root file system beyond their home directory
The main purpose is to keep the user in the home directory.
Re: How to use SFTP Chroot plugin?
Posted: Wed May 09, 2018 9:40 am
by mimin
But after I activate it and select SSH Access nologin, when I try ssh I cannot enter the system. Is there any documentation on how to use SFTP Chroot?
Re: How to use SFTP Chroot plugin?
Posted: Sat Jun 30, 2018 3:38 am
by pozzo-balbi
My experience with the sftp chroot plugin is that the user is in fact redirected to his home directory when accessing the system via sftp. Further access via ssh is blocked.
That's about it with the good news. The user can simply enter the command "cd /" to access the root folder and from there see the rest of the system. The chroot jail is not working.
I am using a Red Hat 7.5 clone (Scientific Linux). Services are only nginx without php. So this is what I did. Please notice that only user "admin" can access the system via ssh. All other users are restricted to sftp. Root logins are disabled by default.
Add in /etc/ssh/sshd_config
# Global defaults: every user gets an SFTP-only session, chrooted to $HOME/web.
# sshd only accepts the chroot if that directory and all of its parents are
# owned by root and are not group- or world-writable.
Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory %h/web
DisableForwarding yes
AllowTcpForwarding no
X11Forwarding no

# Match blocks must be the last section of the file; the settings below
# override the global ones for the "admin" user only.
Match User admin
    X11Forwarding yes
    PermitTTY yes
    PasswordAuthentication yes
    ChrootDirectory none
    PermitTunnel yes
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    ForceCommand none
    AllowStreamLocalForwarding yes
    DisableForwarding no
Further, ensure that /home/user and /home/user/web belong to root with appropriate rights. For that we edit /usr/local/vesta/bin/v-add-user and add the three lines as indicated:
# Building directory tree
mkdir "$HOMEDIR/$user/conf"
if [ ! -z "$WEB_SYSTEM" ]; then
    mkdir "$HOMEDIR/$user/conf/web" "$HOMEDIR/$user/web" "$HOMEDIR/$user/tmp"
    chmod 751 "$HOMEDIR/$user/conf/web"
    chmod 700 "$HOMEDIR/$user/tmp"
    chown "$user:$user" "$HOMEDIR/$user/web" "$HOMEDIR/$user/tmp"
    # The three lines below are the additions: sshd refuses a ChrootDirectory
    # unless it and every parent directory are root-owned and not writable
    # by group or others.
    chown root:root "$HOMEDIR/$user"          # add this line
    chown root:root "$HOMEDIR/$user/web"      # add this line
    chmod 755 "$HOMEDIR/$user/web"            # add this line
fi
Changing v-add-user is tricky since it can be overwritten at any time by a VestaCP update. Enjoy!