This article demonstrates how to Chroot users for SSH file copies (SCP and RSYNC) on a CentOS or Redhat server. The same process can be used for SSH logins but there needs to be some dependancies in place for that. Try the following site for more details on those dependancies “http://www.techrepublic.com/blog/linux-and-open-source/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/”.
Install SSH (old versions don’t support chroot so make sure you’ve got a recent version):
yum install openssh-server
Add the following to the bottom of your “/etc/ssh/sshd_config” file:
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
The above chroots all users in the “sftp” group. So simply create that group and then add all those who need to be chrooted to that group.
Create the group:
groupadd sftp
Add users to that group. In this example I’m adding the user “testuser1”. Make sure to set a password for that user.
useradd testuser1 -G sftp passwd testuser1
We need to set permissions and ownership a little strangely. We need to make the users (testuser1) home directory owned by root with permissions of “755”. Then we make a directory within the users home directory (called “dropbox” in this example) that the user can put files and directories into:
mkdir /home/testuser1/dropbox chown root.root /home/testuser1 chmod 755 /home/testuser1
Enable Chrooting in SELinux:
setsebool -P ssh_chroot_rw_homedirs on
Restart SSHd. Tip, when restarting SSHd (the SSH service) make sure you keep a session open just incase you lock yourself out.
service sshd restart
You should be able to test it with FileZilla and/or RYSNC. You can’t put anything into the root of the users home directory “/home/testuser1” but you can into the “dropbox” directory.
