The user will only be able to use SFTP and won’t have full shell access over SSH. They will be jailed to their home directory and will have no way of breaking out of it. From the user’s perspective, their home directory is / on the server. The user needs to be able to upload files to /var/www/mywebsite.
Create a group to which every user that needs to be jailed to their home directory will be assigned (the group is called sftponly in the commands below):
Create the user with the shell set to /sbin/nologin, which prevents interactive SSH access:
mkdir -p /home/chroot/blake-jailed
useradd -d /home/chroot/blake-jailed -s /sbin/nologin -G sftponly blake-jailed
In the sshd configuration file (sshd_config), comment out the existing line:
Subsystem sftp /usr/libexec/openssh/sftp-server
Add the following to the end of the file (everything after a Match line belongs to that block, so it must come last):
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp
sshd -t # This tests the configuration
service ssh restart
sshd refuses to chroot a session unless the ChrootDirectory and every parent directory are owned by root and are not writable by group or others, so set the ownership and modes accordingly:
chmod 711 /home/chroot
chmod 755 /home/chroot/blake-jailed
chown root:root /home/chroot/blake-jailed
Create the bind mounts. Several mounts can be created; this example uses only one.
Add the mount to /etc/fstab so that it is recreated after a reboot. The mount point directory inside the jail (/home/chroot/blake-jailed/mywebsite) must exist before the mount is made. A bind mount does not change ownership or permissions: whether the jailed user can write into /var/www/mywebsite is governed by that directory’s own owner and mode.
echo '/var/www/mywebsite /home/chroot/blake-jailed/mywebsite none bind 0 0' >> /etc/fstab
Mount the directory:
Test the connection:
# sftp blake-jailed@localhost
blake-jailed@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> ls
mywebsite
sftp> cd mywebsite
sftp> ls -1
index.php
license.txt
readme.html
test
test.txt
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
sftp> put test.txt
Uploading test.txt to /mywebsite/test.txt
test.txt                                      100%    5     0.0KB/s   00:00
sftp> get license.txt
Fetching /mywebsite/license.txt to license.txt
/mywebsite/license.txt                        100%   19KB  19.5KB/s   00:00
sftp> exit
If you are unable to connect then you may want to check the logs in
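The most common reason a chrooted SFTP login fails is that sshd rejects the jail with "bad ownership or modes for chroot directory": the directory or one of its parents is not owned by root, or is writable by group or others. The script below is an added example, not part of the original post, that checks a ChrootDirectory path against exactly that rule. It assumes a stat that accepts -c '%u %a' (GNU or busybox). The optional second argument is the numeric uid to require; it defaults to 0 (root) and exists only so the check can be exercised on a directory owned by an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a ChrootDirectory and
# every parent directory up to / are owned by root (uid 0) and are not writable
# by group or others, which is what sshd requires before it will chroot.
#
#   check_chroot_dir  DIR [UID]   check a single directory
#   check_chroot_path DIR [UID]   check DIR and every parent up to /
# UID defaults to 0 (root); it is a parameter only so the check can be tested
# on a non-root-owned directory.

check_chroot_dir() {
    d=$1
    want=${2:-0}
    [ -d "$d" ] || { echo "missing directory: $d"; return 2; }
    # %u = numeric owner, %a = octal mode (may carry a leading setuid/setgid/sticky digit)
    set -- $(stat -c '%u %a' "$d")
    owner=$1
    mode=$(printf '%s' "$2" | tail -c 3)    # keep only the rwx digits
    grp=$(printf '%s' "$mode" | cut -c2)
    oth=$(printf '%s' "$mode" | cut -c3)
    rc=0
    [ "$owner" = "$want" ] || { echo "$d: owned by uid $owner, expected uid $want"; rc=1; }
    # the write bit is 2, so any digit with it set is 2, 3, 6 or 7
    case $grp in 2|3|6|7) echo "$d: group-writable (mode $mode)"; rc=1 ;; esac
    case $oth in 2|3|6|7) echo "$d: world-writable (mode $mode)"; rc=1 ;; esac
    return $rc
}

check_chroot_path() {
    p=$1
    want=${2:-0}
    case $p in /*) ;; *) echo "need an absolute path: $p"; return 2 ;; esac
    bad=0
    # walk from the leaf up to /, reporting every component that breaks the rule
    while :; do
        check_chroot_dir "$p" "$want" || bad=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    [ "$bad" -eq 0 ] && echo "ok: $1 is usable as ChrootDirectory"
    return $bad
}

# usage: sh check_chroot.sh /home/chroot/blake-jailed
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the jail directory from this post (/home/chroot/blake-jailed); a world-writable parent such as /tmp, or a jail directory that was left owned by the user, is reported with the offending mode or uid so the chmod/chown from the permissions step can be corrected.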