We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
How to use SFTP Chroot plugin?
Hi,
I bought the SFTP Chroot plugin and have already activated its license on the VestaCP control panel. But after the activation I don't see any change in the panel.
Can anyone please provide me with documentation and/or steps on how to start using it?
Thanks
Re: How to use SFTP Chroot plugin?
Hello,
The SFTP plugin doesn't visualise anything, and some users ask: why do I need this stuff? Let me explain a little how it is supposed to work:
- without the SFTP Chroot Plugin, a user that has the nologin shell can't use SFTP
- without the SFTP Chroot Plugin, a user that has the rssh shell can use SFTP, but he can also navigate the file system beyond his home directory
- with the SFTP Chroot Plugin, a user that has the nologin shell can use SFTP and can't navigate the root file system; he will be locked to his home
- with or without SFTP Chroot, users that have bash as their system shell can navigate the root file system beyond the home directory
The main purpose is to keep the user in the home directory.
Re: How to use SFTP Chroot plugin?
But after I activated it and selected SSH Access "nologin" for my user, I cannot enter the system when I try ssh. Is there any documentation on how to use SFTP Chroot?
Re: How to use SFTP Chroot plugin?
My experience with the sftp chroot plugin is that the user is in fact redirected to his home directory when accessing the system via sftp. Further access via ssh is blocked.
That's about it with the good news. The user can simply enter the command "cd /" to access the root folder and from there see the rest of the system. The chroot jail is not working.
I am using a Red Hat 7.5 clone (Scientific Linux). Services are only nginx without php. So this is what I did. Please notice that only user "admin" can access the system via ssh. All other users are restricted to sftp. Root logins are disabled by default.
Add in /etc/ssh/sshd_config:

    # Global settings: every user gets an SFTP-only, chrooted session
    Subsystem sftp internal-sftp
    ForceCommand internal-sftp
    # %h expands to the user's home directory; the chroot target and all of
    # its parent directories must be root-owned and not group/other-writable
    ChrootDirectory %h/web
    DisableForwarding yes
    AllowTCPForwarding no
    X11Forwarding no

    # Exception for the admin user: full shell access, no chroot
    Match User admin
        X11Forwarding yes
        PermitTTY yes
        PasswordAuthentication yes
        ChrootDirectory none
        PermitTunnel yes
        AllowAgentForwarding yes
        AllowTcpForwarding yes
        ForceCommand none
        AllowStreamLocalForwarding yes
        DisableForwarding no

Further ensure that /home/user and /home/user/web belong to root with appropriate rights. For that we edit /usr/local/vesta/bin/v-add-user and add the three lines as indicated:

    # Building directory tree
    mkdir $HOMEDIR/$user/conf
    if [ ! -z "$WEB_SYSTEM" ]; then
        mkdir $HOMEDIR/$user/conf/web $HOMEDIR/$user/web $HOMEDIR/$user/tmp
        chmod 751 $HOMEDIR/$user/conf/web
        chmod 700 $HOMEDIR/$user/tmp
        chown $user:$user $HOMEDIR/$user/web $HOMEDIR/$user/tmp
        # The next three lines are the additions: sshd only chroots into a
        # directory whose whole path is root-owned and not group/other-writable
        chown root:root $HOMEDIR/$user        # add this line
        chown root:root $HOMEDIR/$user/web    # add this line
        chmod 755 $HOMEDIR/$user/web          # add this line
    fi

Changing v-add-user is tricky since it can be overwritten anytime by a vestacp update. Enjoy!