The steps below set up SFTP access with no password (SSH key authentication) and chroot the user into their own directory using jailkit.

Host server

[html]
ssh-keygen -t rsa
[/html]

Copy public key to remote server:

[html]
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotehost
[/html]

This appends the public key to the specified user's home directory on the remote server, normally in .ssh/authorized_keys. Make sure the remote user has already been created.

1. To manually copy a key, or to install a public key supplied by a customer:

[html]
scp ~/.ssh/id_rsa.pub root@remoteserver:/root
[/html]

Remote server

2. Inside the specified user's home directory, create a .ssh directory:

[html]
mkdir /home/userdir/.ssh
[/html]

3. Create a file called authorized_keys inside .ssh:

[html]
touch /home/userdir/.ssh/authorized_keys
[/html]

4. Insert the contents of id_rsa.pub into authorized_keys:

[html]
cat /root/id_rsa.pub >> /home/userdir/.ssh/authorized_keys
[/html]

This gives the key holder remote access to the server, landing in the user's home directory. Next, edit /etc/passwd to change the user's shell:

[html]
vim /etc/passwd
[/html]

Set the specified user's shell to /bin/false, e.g.

[html]
user:x:5001:5002::/path/to/directory/web:/bin/false
[/html]

Now we need to modify the sshd_config file:

[html]
vim /etc/ssh/sshd_config
[/html]

Change Subsystem sftp /usr/lib/openssh/sftp-server to

[html]
Subsystem sftp internal-sftp
[/html]

*Append the following to the bottom of the file:*

[html]
Match Group sftp
ChrootDirectory /path/to/directory/web
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
[/html]

Now we need to set ownership and permissions. Two things sshd insists on here: the Match block above only applies to members of the sftp group, so the user must belong to that group, and the ChrootDirectory itself, along with every directory above it, must be owned by root and not writable by group or others, or sshd refuses the login with "bad ownership or modes for chroot directory".

[html]
chown user:root /home/user
chown user:root /home/user/.ssh
chown user:root /home/user/.ssh/authorized_keys
chmod 775 /home/user
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
[/html]

That should be everything. Try to ssh or sftp to the remote host from the original host. You should be dropped straight into the specified directory and unable to move anywhere outside of it.
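When the login fails, the cause is almost always one of the conditions above: wrong ownership or modes on the chroot path, the user not being in the sftp group, a stray interactive shell, or an authorized_keys file with loose permissions. The script below is an added example (not from the original post) that checks each of those on the remote server before you try to connect. It assumes GNU coreutils (stat -c), that the group in the Match block is called sftp, and that sshd is installed; the user name, chroot path and sshd_config path are passed as arguments.

```shell
#!/bin/sh
# check_sftp_chroot.sh: sanity-check a chrooted, key-only SFTP user.
# Added example, not part of the original post. Assumes GNU stat -c and
# that the sshd Match block uses "Match Group sftp".
#
# Usage: sh check_sftp_chroot.sh <user> <chroot_dir> [sshd_config]

# Return 0 if one path component is acceptable to sshd as part of a
# ChrootDirectory path: owned by uid 0 and not writable by group or others.
chroot_component_ok() {
    uid=$1
    mode=$2                       # octal string as printed by stat -c %a, e.g. 755 or 2755
    [ "$uid" -eq 0 ] || return 1
    # 022 (octal) masks the group-write and other-write bits
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk from the chroot directory up to / and check every component,
# because sshd checks the whole path, not just the final directory.
check_chroot_path() {
    dir=$1
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        if ! chroot_component_ok "$1" "$2"; then
            echo "BAD: $dir (uid=$1 mode=$2) must be root-owned and not group/other writable" >&2
            return 1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Return 0 if sshd_config uses the in-process SFTP server and carries a
# ChrootDirectory plus a ForceCommand internal-sftp line.
sshd_config_ok() {
    cfg=$1
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg" || return 1
    grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]+' "$cfg" || return 1
    grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$cfg" || return 1
    return 0
}

# Return 0 if a passwd(5) line gives the user a non-interactive shell.
passwd_shell_ok() {
    line=$1
    shell=${line##*:}
    case "$shell" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if authorized_keys is mode 600 and owned by the expected uid.
authorized_keys_ok() {
    file=$1
    want_uid=$2
    info=$(stat -c '%u %a' "$file") || return 1
    set -- $info
    [ "$1" -eq "$want_uid" ] && [ "$2" = "600" ]
}

main() {
    user=$1
    chroot=$2
    cfg=${3:-/etc/ssh/sshd_config}
    rc=0
    id -nG "$user" | tr ' ' '\n' | grep -qx sftp \
        || { echo "BAD: $user is not in group sftp, so 'Match Group sftp' will not apply" >&2; rc=1; }
    passwd_shell_ok "$(getent passwd "$user")" \
        || { echo "BAD: $user still has an interactive shell" >&2; rc=1; }
    check_chroot_path "$chroot" || rc=1
    sshd_config_ok "$cfg" \
        || { echo "BAD: $cfg lacks internal-sftp, ChrootDirectory or ForceCommand" >&2; rc=1; }
    home=$(getent passwd "$user" | cut -d: -f6)
    authorized_keys_ok "$home/.ssh/authorized_keys" "$(id -u "$user")" \
        || { echo "BAD: $home/.ssh/authorized_keys should be mode 600 and owned by $user" >&2; rc=1; }
    sshd -t 2>/dev/null || { echo "BAD: sshd -t rejects the configuration" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: chrooted SFTP setup for $user looks sane"
    return "$rc"
}

# Run the checks only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as root on the remote server (sshd -t needs to read the host keys), e.g. sh check_sftp_chroot.sh user /path/to/directory/web. Note the split it enforces: the chroot directory is root-owned and read-only for the user, so anything the user needs to upload into must live in a subdirectory that you chown to them.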

Written by Matt Cooper
Hi, I'm Matt Cooper. I started this blog to pretty much act as a brain dump area for things I learn from day to day. You can contact me at: matt@matthewc424.sg-host.com.