Configuring OpenSSH so that members of a chosen group can use SFTP only, with their session locked inside a chroot directory.
Create a Group for SFTP Only Users:
groupadd sftp_users
Configure SSH for SFTP and Chroot:
Edit the SSH configuration to set up a chroot environment and enable SFTP only for the specified group.
vi /etc/ssh/sshd_config
# Comment out the existing SFTP subsystem line and use the in-process server instead.
# internal-sftp runs inside sshd, so no sftp-server binary or libraries are needed inside the chroot.
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Add configuration for the sftp_users group at the end of the file.
# Match blocks apply until the next Match line, so anything placed after this block is part of it.
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
# ChrootDirectory, and every directory above it, must be owned by root and must not be
# writable by group or others, otherwise sshd refuses the login ("bad ownership or modes
# for chroot directory"). /home is root-owned and 755 by default; the users' own home
# directories inside it remain writable for uploads, but they can also list the other
# home directory names under /home. Use a per-user directory (for example ChrootDirectory
# /home/%u with a writable subdirectory inside it) if that is not acceptable.
ChrootDirectory /home
ForceCommand internal-sftp
Check the Configuration and Restart SSH Service:
sshd -t
systemctl restart sshd
Assign User to SFTP Only Group:
For example, to set the user 'cent' as an SFTP only user:
usermod -aG sftp_users cent
Test SSH Connection:
Verify that the user can only connect via SFTP and is restricted to the chroot directory.
ssh user@server
# Expected: the login succeeds but the forced command rejects the shell request
# with "This service allows sftp connections only." and the connection closes
sftp user@server
# Expected: the SFTP session opens; "pwd" and "ls /" show only the contents of the
# chroot (/home), and "cd .." cannot leave it
Example:
ssh dlp.emc.world
# Expected: "This service allows sftp connections only." and the connection closes
sftp dlp.emc.world
# Expected: SFTP connection succeeds, rooted at /home