All Linux HowTo's Security HowTo's

Chrooting SCP with SELinux Enabled on Redhat/CentOS

This article demonstrates how to Chroot users for SSH file copies (SCP and RSYNC) on a CentOS or Redhat server. The same process can be used for SSH logins but there needs to be some dependancies in place for that. Try the following site for more details on those dependancies “”.

Install SSH (old versions don’t support chroot so make sure you’ve got a recent version):

yum install openssh-server

Add the following to the bottom of your “/etc/ssh/sshd_config” file:

Subsystem     sftp   internal-sftp
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

The above chroots all users in the “sftp” group. So simply create that group and then add all those who need to be chrooted to that group.

Create the group:

groupadd sftp

Add users to that group. In this example I’m adding the user “testuser1”. Make sure to set a password for that user.

useradd testuser1 -G sftp
passwd testuser1

We need to set permissions and ownership a little strangely. We need to make the users (testuser1) home directory owned by root with permissions of “755”. Then we make a directory within the users home directory (called “dropbox” in this example) that the user can put files and directories into:

mkdir /home/testuser1/dropbox
chown root.root /home/testuser1
chmod 755 /home/testuser1

Enable Chrooting in SELinux:

getsebool -P ssh_chroot_rw_homedirs on

Restart SSHd. Tip, when restarting SSHd (the SSH service) make sure you keep a session open just incase you lock yourself out.

service sshd restart

You should be able to test it with FileZilla and/or RYSNC. You can’t put anything into the root of the users home directory “/home/testuser1” but you can into the “dropbox” directory.

Share This:

Leave a Reply

Your email address will not be published. Required fields are marked *