{{tag>SFTP chroot SSH}}
= Setting up a chrooted SFTP server with OpenSSH
See: https://michauko.org/blog/sftp-chroot-et-pas-de-ssh-bloquer-un-utilisateur-dans-un-repertoire-1099/
See also:
* [[draft-monter-un-serveur-sftp-ssh|Setting up an SFTP server with ProFTPd]]
* [[SSH SFTP chroot]]
<code bash>
# The chroot root must be owned by root and must not be writable by group or others,
# otherwise sshd refuses the session.
mkdir -p /chroot/shared/
chown root:nsc /chroot
chmod 750 /chroot
# No home directory, no login shell: the account is only usable through the SFTP subsystem
useradd sftpuser -M -d /dev/null -s /sbin/nologin
# useradd is a low level utility for adding users. On Debian, administrators should usually use adduser(8) instead.
# Bind-mount the shared data into the chroot (the writable area is the sub-directory, not the chroot root)
echo "/mnt/shared/ /chroot/shared/ none _netdev,bind 0 0" >> /etc/fstab
</code>
<code>
# sshd_config
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match User sftpuser
    ChrootDirectory /chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
    PermitTTY no
</code>
<code bash>
mount /chroot/shared/
systemctl restart sshd
systemctl status sshd
</code>
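Before restarting sshd it is worth checking the chroot path the way sshd itself does. The script below is an added example, not a command from the original page or from OpenSSH: it validates the ownership and mode of every component of the ChrootDirectory path and then suggests dumping the effective configuration for the user.

```shell
#!/bin/sh
# Added example (not the page's own commands): reproduces the test sshd runs
# on ChrootDirectory before chrooting a session. Each component of the path
# (/chroot, then /) must be owned by root and not be writable by group or
# others, or sshd logs "bad ownership or modes for chroot directory component"
# and closes the connection.

# Pure check: $1 = owner uid, $2 = octal mode as printed by `stat -c %a`
# (750, 2750, ...). Returns 0 when sshd would accept the component.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" = "0" ] || return 1
    # keep the last three octal digits (drop setuid/setgid/sticky)
    mode=${mode#"${mode%???}"}
    other=${mode#??}                   # last digit: others
    group=${mode%?}; group=${group#?}  # middle digit: group
    # an octal digit with the write bit set is 2, 3, 6 or 7
    case "$group$other" in
        *[2367]*) return 1 ;;
    esac
    return 0
}

# Walks from the chroot directory up to / and checks every component, the
# way sshd does. Needs GNU stat (Linux). Returns 1 on the first bad
# component, 2 if a path cannot be stat'ed.
check_chroot_path() {
    dir=$1
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2
        set -- $info
        if ! chroot_component_ok "$1" "$2"; then
            echo "BAD: $dir is uid=$1 mode=$2" >&2
            return 1
        fi
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage (as root): sh check-chroot.sh /chroot
# then validate the config and dump what sshd really applies to the user:
#   sshd -t && sshd -T -C user=sftpuser | grep -Ei 'chrootdirectory|forcecommand'
[ $# -gt 0 ] && check_chroot_path "$1"
```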
== Other
For the reverse case, refusing SFTP to a user who keeps shell access, the simplest way is a script that takes care of it. Add to sshd_config:
<code>
Match User test1
    ForceCommand /path/to/your/script.sh
</code>
Your script will then run whatever the user asked for, unless it is a request for SFTP:
<code bash>
#!/bin/bash
# Refuse the SFTP subsystem (sftp-server binary or internal-sftp), run anything else
if [[ "$SSH_ORIGINAL_COMMAND" =~ sftp-server|internal-sftp ]]; then
    echo "SFTP not allowed" >&2
    exit 255
elif [[ -z "$SSH_ORIGINAL_COMMAND" ]]; then
    # no command given: interactive login, start the user's login shell
    exec "${SHELL:-/bin/bash}" -l
else
    # run the command through a shell so arguments and quoting survive
    exec "${SHELL:-/bin/bash}" -c "$SSH_ORIGINAL_COMMAND"
fi
</code>
FIXME