Froxlor Forum

How to SFTP with chroot jail with proftpd


Question

I have managed to set up Froxlor with working FTP and SFTP in parallel.

My /etc/proftpd/sftp.conf:

<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0 fe80::1>
    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log
    SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    Port 2222
    AllowOverwrite on
    DefaultRoot /var/customers/webs
</VirtualHost>
</IfModule>

My /etc/ssh/sshd_config contains:

# override default of no subsystems - changed by tg
# Subsystem     sftp    /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match User testkunde2
    ChrootDirectory /var/customers/webs
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

 

This is working right now. User testkunde2 is jailed in /var/customers/webs.

But what I need is a multi-user solution.

Question 1: How could I express the Match expression for all Froxlor users?

I've tried:

Match Group www-data
    ChrootDirectory /var/customers/webs
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

which doesn't match, for whatever reason. As a result, the user is not jailed in any way and has read access to the root directory.

The user looks like:

getent passwd testkunde2
testkunde2:x:10001:10001:th gr:/var/customers/webs/testkunde2/:/bin/sh

 

Question 2: chroot only works if the directory is owned by root, but Froxlor home dirs are owned by the user. How could this be managed?

This is a question about my personal understanding of Froxlor / SSH / SFTP. Froxlor home dirs are owned by its users. Is there any solution to integrate SFTP user jails for the home dirs of the users?

Thanks to all in advance!
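
Both questions touch preconditions that can be checked before editing sshd_config: `Match Group` applies only when the account has that group as its primary GID or is listed as a member, and sshd's `ChrootDirectory` requires every path component to be a root-owned directory that is not writable by group or others. The checker below is an added example, not part of the original post; the function names are hypothetical, and the group entry and ownership table are constructed sample data.

```python
import os
import stat
from collections import namedtuple

def chroot_path_problems(path, stat_fn=os.stat):
    """List (component, reason) pairs that violate sshd's ChrootDirectory rule:
    every path component must be a root-owned directory that is not
    writable by group or others."""
    problems = []
    current = os.sep
    for part in [""] + [p for p in os.path.normpath(path).split(os.sep) if p]:
        current = os.path.join(current, part)
        st = stat_fn(current)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((current, "not a directory"))
        if st.st_uid != 0:
            problems.append((current, "not owned by root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((current, "writable by group or others"))
    return problems

def user_in_group(passwd_line, group_line):
    """True if the passwd entry's user has the group as primary GID or is
    listed as a member, which is what 'Match Group' tests."""
    name, _, _, gid = passwd_line.strip().split(":")[:4]
    _, _, group_gid, members = group_line.strip().split(":")[:4]
    return gid == group_gid or name in members.split(",")

# passwd entry as posted in the question.
PASSWD = "testkunde2:x:10001:10001:th gr:/var/customers/webs/testkunde2/:/bin/sh"
# Constructed group entry and ownership table (assumptions, not from the post).
GROUP = "www-data:x:33:"
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
ROOT_DIR = FakeStat(stat.S_IFDIR | 0o755, 0)
TREE = {
    "/": ROOT_DIR, "/var": ROOT_DIR, "/var/customers": ROOT_DIR,
    "/var/customers/webs": ROOT_DIR,
    "/var/customers/webs/testkunde2": FakeStat(stat.S_IFDIR | 0o750, 10001),
}

if __name__ == "__main__":
    print(user_in_group(PASSWD, GROUP))
    for target in ("/var/customers/webs", "/var/customers/webs/testkunde2/"):
        print(target, chroot_path_problems(target, TREE.__getitem__))
```

On a live host, pass the output of `getent passwd USER` and `getent group GROUP` to `user_in_group`, and call `chroot_path_problems(path)` with the default `os.stat`.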

 

 

  • Similar Content

    • By naytsyrhc
      Hi there,
       
      just wanted to share some information about setting up proftpd as sftp server with froxlor users.
       
      I searched for this solution but couldn't find anything that suited my needs.
       
      So, what I wanted to achieve was the following:
      • Using Froxlor FTP-Account management
      • No SSH Access for FTP-Users
      • Chroot for FTP-Users
      • No FTP Protocol (to avoid Firewall-Config-Nightmares)
      • No interference with standard ssh access

      The setup was quite easy/straight-forward:

      1st edit /etc/proftpd/modules.conf and add following line:
          LoadModule mod_sftp.c
      2nd edit /etc/proftpd/sql.conf and add following line:
          Include /etc/proftpd/sftp.conf
      3rd create file /etc/proftpd/sftp.conf with following content:
          <IfModule mod_sftp.c>
          SFTPEngine on
          SFTPLog /var/log/proftpd/sftp.log
          SFTPHostKey /etc/ssh/ssh_host_dsa_key
          SFTPHostKey /etc/ssh/ssh_host_rsa_key
          </IfModule>
      4th restart proftpd:
          service proftpd restart

      Now your users are able to login to SFTP using standard FTP Port 21 (and you only need to open that port in your firewall), SSH File Transfer Protocol and will only be able to write to the FTP-Directory (i.e. customers home).
       
      Hope this helps someone.