OpenSSH sftp chroot jail installation and configuration

This article shows how to install an SFTP server for secure data transfer.

Some time ago I read about a new version of OpenSSH which had built-in support for a chroot jail in the sftp subsystem. So I had to build the OpenSSH server from source because no one had precompiled packages for it. For your information, we are using Debian (Etch). Read on to find out how to build such a server.

Install the needed dependencies
apt-get install libssl-dev zlib1g-dev libpam0g-dev

Download the current sources from openssh.com
wget http://openssh.linux-mirror.org/portable/openssh-5.1p1.tar.gz

Untar and configure the sources
tar -zxvf openssh-5.1p1.tar.gz
cd openssh-5.1p1
./configure --with-pam   # this is important for authentication!
make
make install

The make install command installs the binaries under /usr/local/sbin and the configuration files under /usr/local/etc. If you would like to use other paths, you have to define them with the ./configure command.

You have to change/add the following configuration parameters in /usr/local/etc/sshd_config:
UsePAM yes
Subsystem sftp internal-sftp
Match group sftponly
    ChrootDirectory /home/%u
    AllowTcpForwarding no
    ForceCommand internal-sftp

Add a user to your system
Place the user into the group "sftponly"

Change the owner of the created user's home directory
chown root:root /home/youruser

Start the new openssh daemon and have a lot of fun!
Don't forget to stop your "old" openssh-server.
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config