Setting up a chrooted sftp-only account using scponly

8:19 PM

What is scponly?

Scponly is a limited shell that allows users to scp/sftp to a Linux box. Additionally, we can set up scponly to chroot the user into a particular directory, increasing the level of security.

How to install and set up a new chrooted sftp account using scponly?

  • Download the scponly package from sourceforge:
wget -O scponly-20110526.tgz "http://sourceforge.net/projects/scponly/files/latest/download?source=files"
  • Untar and cd to it.
tar zxvf scponly-20110526.tgz ; cd scponly-20110526
  • Run configure with the chrooted binary enabled so that the user is chrooted to the home directory:
./configure --enable-chrooted-binary
Then run "make" and "make install" to complete the install of the binary "/usr/local/sbin/scponlyc".
  • Add the entry /usr/local/sbin/scponlyc to /etc/shells.
  • Let's create a new user jake (ensure that the user "jake" does not already exist) using the following command:
make jail
It will prompt for a username and password. Enter the username as "jake" and a password of your choice.
It creates user, sets shell to /usr/local/sbin/scponlyc and copies relevant system files to
/home/jake/ to ensure user is chrooted.
  • Also create a folder "dev" under /home/jake and copy /dev/null into it, as that is required for sftp to work.
mkdir /home/jake/dev
cp -a /dev/null /home/jake/dev/

  • Jake's upload directory is /home/jake/incoming.
If jake does not intend to upload to /home/jake/incoming but to another location, say /usr/local/website/www_jake_com, then we can do a bind mount
as shown below:
mount --bind /usr/local/website/www_jake_com /home/jake/incoming
Test it out to confirm if chrooted sftp works for jake as expected.
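
A post-setup audit of the steps above, as an added example that is not part of the original post or of scponly itself. The function name and the PASSWD_FILE, SHELLS_FILE and SCPONLYC overrides are hypothetical; the "//" handling in the home field and the check that the jail root is not owned by the jailed account are assumptions about how the jail is laid out.

```shell
#!/bin/sh
# Added example: audit a chrooted scponly account after "make jail".
# PASSWD_FILE / SHELLS_FILE / SCPONLYC are overridable (hypothetical knobs)
# so the check can be dry-run against a constructed fixture.
SCPONLYC=${SCPONLYC:-/usr/local/sbin/scponlyc}
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
SHELLS_FILE=${SHELLS_FILE:-/etc/shells}

# Prints one line per check; returns the number of failed checks.
audit_scponly_jail() {
    user=$1
    fails=0
    entry=$(grep "^${user}:" "$PASSWD_FILE") || { echo "FAIL no passwd entry for $user"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    # Assumption: a "//" in the home field separates the chroot from the
    # start directory, so the jail root is the part before it.
    jail=${home%%//*}

    if [ "$shell" = "$SCPONLYC" ]; then echo "ok   login shell is $SCPONLYC"
    else echo "FAIL login shell is '$shell'"; fails=$((fails + 1)); fi

    if grep -qxF "$SCPONLYC" "$SHELLS_FILE"; then echo "ok   $SCPONLYC listed in $SHELLS_FILE"
    else echo "FAIL $SCPONLYC missing from $SHELLS_FILE"; fails=$((fails + 1)); fi

    # sftp inside the jail needs its own /dev/null (see the dev step above).
    if [ -c "$jail/dev/null" ]; then echo "ok   $jail/dev/null is a character device"
    else echo "FAIL $jail/dev/null missing or not a device"; fails=$((fails + 1)); fi

    # Assumption: the jail root must not belong to the jailed account;
    # uploads go to the incoming subdirectory instead.
    owner=$(ls -ldn "$jail" 2>/dev/null | awk '{print $3}')
    if [ -n "$owner" ] && [ "$owner" != "$uid" ]; then echo "ok   jail root $jail not owned by $user"
    else echo "FAIL jail root $jail owned by $user or missing"; fails=$((fails + 1)); fi

    return "$fails"
}

# Run against the live system only when a user name is given: sh audit.sh jake
if [ $# -gt 0 ]; then audit_scponly_jail "$1"; fi
```
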
