
spaulg/sftp-chroot


SFTP Chroot

Restricts users to their home directory when making SFTP connections. Interactive SSH shell access is revoked.

Usage

To confine (chroot) a user to their home directory, change their login shell to the sftp-chroot binary:

usermod -s /bin/sftp-chroot <user>

This removes all command-line shell access and ensures that when the user makes an SFTP connection, their file access is confined to their home directory, which is presented to the client as /.

Installation

Binaries are not distributed; build from source with the usual autotools workflow.

To compile:

./configure
make

Then, with root privileges, run:

make install

How It Works

The /bin/sftp-chroot binary is installed as the user's login shell. OpenSSH runs subsystem commands through the user's login shell (the equivalent of $SHELL -c "sftp-server command"), so when a client requests the sftp subsystem it is sftp-chroot, not a real shell, that is started, and an interactive login lands in sftp-chroot rather than a shell. sftp-chroot then acts as a mediator between the sftp-server process and the client connection. Each end of the connection has a stdin and a stdout (two of each, four streams in total). sftp-chroot parses each stdout stream into SFTP packets, rewrites the paths they carry, and writes the result to the stdin of the other end.

Outgoing packets from the server to the client have the home directory stripped from the paths they carry, whilst incoming packets from the client have the user's home directory prefixed to theirs.

This confines all communication to the user's home directory.

This works because sftp-chroot sits after SSH decryption but before the SFTP server: sshd has already decrypted the channel, so the shell sees and rewrites plaintext SFTP packets, and every path the sftp-server receives has been prefixed with the home directory. Note that this is a user-space rewrite of protocol paths rather than a kernel chroot(2), so the confinement is only as complete as the set of request and response fields that are rewritten, and symbolic links inside the home are still resolved by sftp-server against the real filesystem; both are points to check before relying on it.
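The rewriting described above, as an added illustration: this is not the project's C code, and its actual rules may differ. It is a Python sketch of the path-mapping core of such a proxy, assuming the SFTP protocol version 3 packet layout (uint32 length, byte type, uint32 request-id, then type-specific fields) and a home directory other than /. The packets in the demo are constructed, not captured traffic. Besides the plain prefix add/strip, it shows the two checks a reviewer would look for: ".." in client paths is normalised against the virtual root before the home is prefixed, and an SSH_FXP_NAME answer (e.g. to REALPATH) whose path falls outside the home is turned into a permission-denied status rather than leaked to the client.

```python
"""Path-rewriting core for an SFTP proxy that confines a user to a home directory.
Packet layout follows SFTP protocol version 3 (draft-ietf-secsh-filexfer-02)."""
import posixpath
import struct

# Request types whose leading string field(s) are paths.
ONE_PATH = {3, 7, 11, 13, 14, 15, 16, 17, 19}  # OPEN LSTAT OPENDIR REMOVE MKDIR RMDIR REALPATH STAT READLINK
TWO_PATHS = {18, 20}                            # RENAME, SYMLINK
SSH_FXP_STATUS, SSH_FXP_NAME = 101, 104
SSH_FX_PERMISSION_DENIED = 3
ENC = ("utf-8", "surrogateescape")              # round-trips arbitrary filename bytes

def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _string(buf, off):
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n

def _pack_string(b):
    return struct.pack(">I", len(b)) + b

def split_frames(stream):
    """Split raw stdout bytes into complete packet bodies; return (bodies, leftover)."""
    bodies, off = [], 0
    while len(stream) - off >= 4:
        n = struct.unpack_from(">I", stream, off)[0]
        if len(stream) - off - 4 < n:
            break                                # partial packet: wait for more data
        bodies.append(stream[off + 4:off + 4 + n])
        off += 4 + n
    return bodies, stream[off:]

def to_real(client_path, home):
    """Client -> server: read the path against a virtual root of "/", normalise it
    (so "..", "//" and relative forms cannot climb out), then prefix the home."""
    virt = posixpath.normpath("/" + client_path.decode(*ENC))
    return posixpath.normpath(posixpath.join(home, virt.lstrip("/"))).encode(*ENC)

def to_virtual(server_path, home):
    """Server -> client: strip the home prefix. Bare names (READDIR entries) pass
    through; an absolute path outside the home (a REALPATH answer that followed a
    symlink out) returns None so the caller can refuse it instead of leaking it."""
    p = server_path.decode(*ENC)
    if not p.startswith("/"):
        return server_path
    home = posixpath.normpath(home)              # assumed: home is absolute and not "/"
    if p == home:
        return b"/"
    if p.startswith(home + "/"):
        return p[len(home):].encode(*ENC)
    return None

def rewrite_request(body, home):
    """Rewrite the path field(s) of a client -> server packet body (type byte onwards)."""
    n = 1 if body[0] in ONE_PATH else 2 if body[0] in TWO_PATHS else 0
    off, out = 5, bytearray(body[:5])            # type byte + uint32 request-id
    for _ in range(n):
        path, off = _string(body, off)
        out += _pack_string(to_real(path, home))
    return bytes(out) + body[off:]               # pflags, attrs, etc. are untouched

def _skip_attrs(buf, off):
    """Return the offset just past an ATTRS structure."""
    flags, off = _u32(buf, off)
    off += 8 * bool(flags & 0x01) + 8 * bool(flags & 0x02)   # size; uid+gid
    off += 4 * bool(flags & 0x04) + 8 * bool(flags & 0x08)   # permissions; atime+mtime
    if flags & 0x80000000:                                   # extended type/data pairs
        count, off = _u32(buf, off)
        for _ in range(2 * count):
            _, off = _string(buf, off)
    return off

def rewrite_response(body, home):
    """Rewrite names in a server -> client SSH_FXP_NAME body; other types pass through."""
    if body[0] != SSH_FXP_NAME:
        return body
    req_id, off = _u32(body, 1)
    count, off = _u32(body, off)
    out = bytearray(body[:off])
    for _ in range(count):
        fname, off = _string(body, off)
        lname, off = _string(body, off)          # REALPATH puts the absolute path here too
        end = _skip_attrs(body, off)
        vf, vl = to_virtual(fname, home), to_virtual(lname, home)
        if vf is None or vl is None:             # escaped the home: deny rather than reveal
            return (bytes([SSH_FXP_STATUS]) + struct.pack(">II", req_id, SSH_FX_PERMISSION_DENIED)
                    + _pack_string(b"Permission denied") + _pack_string(b""))
        out += _pack_string(vf) + _pack_string(vl) + body[off:end]
        off = end
    return bytes(out)

if __name__ == "__main__":
    home = "/home/alice"
    # Constructed packets (not captured traffic): SSH_FXP_OPEN id=1 of "../../etc/passwd"
    # with pflags=SSH_FXF_READ and empty attrs; then a REALPATH answer naming the real home.
    open_req = bytes([3]) + struct.pack(">I", 1) + _pack_string(b"../../etc/passwd") + struct.pack(">II", 1, 0)
    name_rsp = bytes([104]) + struct.pack(">II", 2, 1) + _pack_string(b"/home/alice") * 2 + struct.pack(">I", 0)
    print(rewrite_request(open_req, home))       # path becomes /home/alice/etc/passwd
    print(rewrite_response(name_rsp, home))      # filename becomes /
```

Relative client paths are deliberately treated as relative to the virtual root rather than passed through: sftp-server starts in the user's home, so the result is the same for well-behaved clients, but a relative "../x" can no longer step above it. SSH_FXP_READDIR entries are bare names without slashes, so to_virtual leaves them alone and only absolute paths (REALPATH answers) are rewritten or refused.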

Motivations

This project was a university dissertation on confining (chrooting) a user's SFTP connection for security purposes.

Modern versions of OpenSSH can confine a user's connection natively (the ChrootDirectory directive in sshd_config, typically combined with ForceCommand internal-sftp). However, a need existed to achieve the same effect on older versions of OpenSSH running on end-of-life server platforms, where the existing OpenSSH version was to be kept for ease of administration.

If your version of OpenSSH can confine the user's connection to their home directory itself, use that instead of this project: it is a kernel-enforced chroot, and this project imposes a small performance penalty on file access because every packet is parsed and rewritten in user space.

License

Copyright 2013 Simon Paulger spaulger@codezen.co.uk

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licenses found

Apache-2.0 (LICENSE) and GPL-2.0 (COPYING)
