This week I had a client come to me and ask whether I could set up ‘an FTP account for a third party provider’. They have a piece of really old legacy software and wanted this person to look into it.
After looking around a little, I found that you can actually really easily create chroot jails for SFTP users specifically.
I immediately felt better about it, because setting up unsecured and unencrypted FTP servers kinda freaks me out in 2020.
In our case, we don’t need the user to actually have shell access. So I set up a user with a command like this:
    # useradd -g sftpusers -d / -s /sbin/nologin sftpguest
    # mkdir -p /sftp/sftpguest/uploads
    # chown sftpguest: /sftp/sftpguest/uploads
Then we just add these three lines to our
    Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
After reloading the ssh service, you should be good to go.
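sshd refuses the session if any component of the ChrootDirectory path is not a root-owned directory or is writable by group or others, which is why only the uploads subdirectory is handed to the user above. The script below is an added example, not part of the original post, that audits a path against that rule; the script name and the optional uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ChrootDirectory path.
# sshd refuses the session unless every component of the path is a
# root-owned directory that is not writable by group or others.
# The optional uid argument is an assumption added so the check can be
# exercised without root; for a real audit leave it at the default 0.

# check_component DIR [UID] -> 0 if DIR passes, 1 otherwise (reason on stderr)
check_component() {
    c_dir=$1
    c_want=${2:-0}
    [ -d "$c_dir" ] || { echo "FAIL $c_dir: not a directory" >&2; return 1; }
    # -n prints numeric ids, -L follows symlinks: "drwxr-xr-x 2 0 0 ..."
    set -- $(ls -ldnL "$c_dir")
    c_mode=$1
    c_uid=$3
    if [ "$c_uid" != "$c_want" ]; then
        echo "FAIL $c_dir: owned by uid $c_uid, expected $c_want" >&2
        return 1
    fi
    case $c_mode in
        ?????w*|????????w*)   # group-write is char 6, other-write is char 9
            echo "FAIL $c_dir: mode $c_mode is group/other-writable" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [UID] -> 0 if PATH and all its parents pass,
# 1 if any component fails, 2 if PATH is not absolute
check_chroot_path() {
    p=$1
    p_want=${2:-0}
    p_rc=0
    case $p in
        /*) ;;
        *) echo "FAIL $p: must be an absolute path" >&2; return 2 ;;
    esac
    while :; do
        check_component "$p" "$p_want" || p_rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $p_rc
}

# e.g. sh check_chroot.sh /sftp/sftpguest   (script name is hypothetical)
if [ $# -gt 0 ]; then check_chroot_path "$@"; fi
```

An exit status of 0 means every component from the given path up to / passed; each failing component is reported on stderr.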
Adding external directories to your jail
In our case, we wanted our user to be able to inspect and suggest changes to a folder within /var/www. To do so, we just mounted the directory like this:
    # mkdir /sftp/sftpguest/project
    # mount --bind /var/www/old-website /sftp/sftpguest/project
And we’re ready to go. You may need to remember to give the user permissions to read and/or write to the