On Mon, Apr 15, 2013 at 11:25 PM, f5b <f...@163.com> wrote:
> server
> kern.version=OpenBSD 5.3-current (GENERIC.MP) #71: Sat Apr 13 17:21:57 MDT 2013
>     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> /etc/ssh/sshd_config
> only add after last line
>
> Match Group share
>     ForceCommand internal-sftp
>     ChrootDirectory /home/chroot/
>
> # sshd -t ##ok
>
> # mkdir /home/chroot/
>
> # adduser share
>
> from other machine,
> the user share can not sftp to the server,
> but same config in Mar 1 snapshot, sftp is ok.
>

1) Add user. Make sure home directory is owned by root:wheel. My example uses "anonftp" and the home directory is "/home/anonftp"

# grep anonftp /etc/passwd
anonftp:*:1004:10::/home/anonftp:/usr/bin/false
# ls -ld /home/anonftp
drwxr-xr-x  4 root  wheel  512 Aug 22  2012 /home/anonftp

2) Make chroot home directory, and give it appropriate ownership and permissions to your needs:

# ls -ld /home/anonftp/home
drwxr-xr-x  3 root  users  512 Aug 22  2012 /home/anonftp/home
# ls -ld /home/anonftp/home/anonftp
drwxr-xr-x  2 anonftp  users  512 Jan 16 13:13 /home/anonftp/home/anonftp

3) Ensure the Match block is set the way you want it.

Match User anonftp
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /home/anonftp

If you wanted to allow full on connections (not just sftp) you would also need to set up tty devices and such in the chroot jail. Since this is just sftp, the above should be sufficient. This is how I have it set up on my system, and it works fine.

Hope this helps!
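A script to verify the ownership rule that step 1 depends on, added here as an example and not part of the thread: sshd rejects a ChrootDirectory unless the directory and every parent up to / is root-owned and neither group- nor world-writable, which is the usual reason a chroot under a user-owned /home/<user> fails. The function names are my own, and the optional second argument (expected owner, defaulting to root) exists only so the checks can be exercised without root.

```shell
#!/bin/sh
# Inspect one path component against sshd's ChrootDirectory rules:
# a directory, owned by the expected owner, not group/world writable.
# ls -ld is used instead of stat because its first three fields (mode,
# link count, owner) are laid out the same on OpenBSD and Linux.
check_chroot_component() {
    _p=$1
    _want=${2:-root}   # "root" in real use; overridable for testing
    _out=$(ls -ld "$_p" 2>/dev/null) || { echo "$_p: does not exist"; return 1; }
    set -- $_out
    _mode=$1
    _have=$3
    case $_mode in
        d*) ;;
        *)  echo "$_p: not a directory"; return 1 ;;
    esac
    if [ "$_have" != "$_want" ]; then
        echo "$_p: owned by $_have, sshd requires $_want"
        return 1
    fi
    # In "drwxrwxrwx" the 6th character is the group write bit and the
    # 9th the world write bit; either one set makes sshd refuse the chroot.
    case $_mode in
        ?????w*|????????w*)
            echo "$_p: group or world writable ($_mode)"; return 1 ;;
    esac
    return 0
}

# Walk from the ChrootDirectory up to / and check every component,
# reporting all problems rather than stopping at the first.
check_chroot_path() {
    _dir=$1
    _owner=${2:-root}
    _rc=0
    while :; do
        check_chroot_component "$_dir" "$_owner" || _rc=1
        [ "$_dir" = "/" ] && break
        _dir=$(dirname "$_dir")
    done
    return $_rc
}

# Usage: sh chrootcheck.sh /home/anonftp   (then run "sshd -t" as well)
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: ok for ChrootDirectory"
fi
```

Run it against the path named in your Match block before restarting sshd; a second mistake it will catch is the Match block pointing at /home/chroot/ while the user's nested home (/home/chroot/home/share in the poster's layout) is missing.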