Creating SFTP users and jailing to chroot on CentOS - user authentication error
Solution 1:
It's a common pitfall:
All folders up to the chroot home must be owned and only writable by the root user.
The folders cannot be group writable - even if the group is root.
Solution 2:
I found and successfully configured sftp on CentOS 6.5: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
Edit sshd config:
vim /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server (comment out the default with "#")
add:
Subsystem sftp internal-sftp
Match Group sftp-only
ChrootDirectory /var/www/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Exit and save.
Then:
mkdir /etc/skel2
groupadd sftp-only
getent group |grep sftp-only (take note of the GID (Group ID). Here, in my example, it's 500)
For a new user named "testuser" (member of the sftp-only group with GID 500):
useradd --base-dir /var/www --gid 500 --skel /etc/skel2 --create-home --shell /sbin/nologin testuser
(I use an empty /etc/skel2 so no .bashrc etc. is copied by default by CentOS)
mkdir -p /var/www/testuser/home/testuser
chown root:sftp-only /var/www/testuser
chmod 750 /var/www/testuser
chown root:root /var/www/testuser/home
chmod 755 /var/www/testuser/home
chown testuser:sftp-only /var/www/testuser/home/testuser
chmod 770 /var/www/testuser/home/testuser
So in this example, I made it to give secure access to external consulting firms that manage websites. After creating all this, you could do:
mkdir /var/www/testuser/home/testuser/www.somesite.com
chown testuser:apache /var/www/testuser/home/testuser/www.somesite.com
chmod xxx (permissions to the website as needed, usually 750 so apache would get read access)
One could fine tune all this as needed.
Hope this helped!
Guy Boisvert IngTegration inc. http://www.ingtegration.com
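Solution 1 names the ownership pitfall and Solution 2 lays out the directory tree by hand; as an added check that is not part of either answer, the script below walks every directory from / down to a ChrootDirectory (such as /var/www/testuser) and reports any component that is not owned by the expected uid or is group- or world-writable. It uses GNU stat as found on CentOS; the expected uid defaults to 0 (root) and the optional second argument is an assumption added so the logic can be exercised on a scratch tree by a non-root user.

```shell
#!/bin/sh
# Walk every directory from / to an sshd ChrootDirectory and report any that
# is not owned by the expected uid or is group/world writable (sshd refuses
# to chroot otherwise). Uses GNU stat, as on CentOS.
# Usage: check_chroot_path /var/www/testuser [expected_uid]   (uid default 0)
# check_dir DIR UID: check ownership and write bits of one directory.
check_dir() {
    d=$1; want=$2
    [ -d "$d" ] || { echo "FAIL: $d is not a directory"; return 1; }
    # stat prints e.g. "0 drwxr-xr-x"; positional params then hold uid, mode
    set -- $(stat -c '%u %A' "$d")
    uid=$1; perm=$2
    status=0
    if [ "$uid" != "$want" ]; then
        echo "FAIL: $d is owned by uid $uid, expected $want"
        status=1
    fi
    # character 6 of the mode string is group write, character 9 world write
    case $(printf '%s' "$perm" | cut -c6) in
        w) echo "FAIL: $d is group-writable ($perm)"; status=1 ;;
    esac
    case $(printf '%s' "$perm" | cut -c9) in
        w) echo "FAIL: $d is world-writable ($perm)"; status=1 ;;
    esac
    return $status
}

# check_chroot_path DIR [UID]: check / and then each path component of DIR.
check_chroot_path() {
    target=$1
    want=${2:-0}
    rc=0
    check_dir / "$want" || rc=1
    dir=""
    old_ifs=$IFS
    IFS=/
    for comp in $target; do
        IFS=$old_ifs               # restore so stat output splits on spaces
        [ -n "$comp" ] || continue # skip the empty field before the leading /
        dir="$dir/$comp"
        check_dir "$dir" "$want" || rc=1
    done
    IFS=$old_ifs
    return $rc
}

if [ -n "${1:-}" ]; then
    check_chroot_path "$@"
fi
```

Run it as root against the chroot path after the chown/chmod steps above; an exit status of 0 with no FAIL lines means the tree satisfies sshd's ownership and permission rules.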