On 13. sep. 2010, at 13.17, Joachim Schipper wrote:

> On Mon, Sep 13, 2010 at 10:59:56AM +0200, Pete Vickers wrote:
>> I'm trying to set up a box such that normal users are chroot'd to their home
>> directories, and can only use sftp.
>
>> Any clues what I'm doing wrong ? Google seems to hint that the chroot
>> directory might have to be owned by root, but that seems strange,
>> since users couldn't then write files in their own home ?
>
> A chroot jail where the new root isn't owned by the root user is
> effectively impossible to secure. Set the home directories to
> /home/<user>/files and chroot to /home/<user>, or somesuch.
>
>
Hmm. Messy. But even if I set like this:

r...@container ~> tail /etc/ssh/sshd_config
# all non-wheel users should be chrooted to home and sftp only
#
Match Group !wheel
        ForceCommand internal-sftp
        ChrootDirectory /home
        AllowTcpForwarding no
        X11Forwarding no
r...@container ~> ls -la /home
total 28
drwxr-xr-x  7 root wheel 512 Sep 10 12:46 .
drwxr-xr-x 14 root wheel 512 Jul 25 13:43 ..
drwxr-xr-x  3 fred fred  512 Sep 10 12:05 fred
...

normal users can still ssh in, and are not chroot'd. What am I doing wrong ?

/Pete
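
Added example, not part of the original thread: a POSIX sh check for the ownership rule Joachim describes, which sshd_config(5) states for ChrootDirectory as every path component being a root-owned directory not writable by any other user or group. The function names and the optional expected-uid argument (default 0) are assumptions of this sketch.

```shell
#!/bin/sh
# check_component DIR [UID]: test one path component the way the
# ChrootDirectory rule requires: a directory, owned by UID (default 0),
# and not writable by group or others. Prints a verdict, returns 0 or 1.
check_component() {
    c_dir=$1; c_want=${2:-0}
    # -L follows symlinks, -n prints the numeric owner, -d lists the dir itself
    c_info=$(ls -ldnL "$c_dir" 2>/dev/null | awk '{print $1, $3}')
    if [ -z "$c_info" ]; then
        echo "FAIL $c_dir: cannot stat"; return 1
    fi
    c_mode=${c_info% *}; c_uid=${c_info#* }
    c_bad=0
    case $c_mode in
        d*) ;;
        *) echo "FAIL $c_dir: not a directory"; c_bad=1 ;;
    esac
    if [ "$c_uid" != "$c_want" ]; then
        echo "FAIL $c_dir: owner uid $c_uid, expected $c_want"; c_bad=1
    fi
    case $c_mode in
        # 6th character is the group write bit, 9th is the other write bit
        ?????w*|????????w*)
            echo "FAIL $c_dir: writable by group or others ($c_mode)"; c_bad=1 ;;
    esac
    if [ "$c_bad" -eq 0 ]; then echo "ok   $c_dir ($c_mode uid=$c_uid)"; fi
    return "$c_bad"
}

# check_chroot_path DIR [UID]: apply check_component to DIR and to every
# parent up to /. Returns 0 if all pass, 1 if any fails, 2 on a relative path.
check_chroot_path() {
    w_path=$1; w_want=${2:-0}
    case $w_path in
        /*) ;;
        *) echo "path must be absolute: $w_path" >&2; return 2 ;;
    esac
    w_rc=0
    while :; do
        check_component "$w_path" "$w_want" || w_rc=1
        if [ "$w_path" = / ]; then break; fi
        w_path=$(dirname "$w_path")
    done
    return "$w_rc"
}

# Run as a script: sh check_chroot.sh /home/fred
if [ "$#" -gt 0 ]; then check_chroot_path "$@"; fi
```

Run against the listing above, `/home` (root-owned, drwxr-xr-x) would pass, while `/home/fred` (owned by fred) would be reported as a failure.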