On Mon, Jun 2, 2014 at 7:17 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Mon, 2 Jun 2014, Nico Kadel-Garcia wrote:
>
>> Unfortunately, I also find the restrictions for SFTP to be burdensome.
>> To set up multiple chroot cages for multiple users, one has to either
>> make user specific sshd_config settings
>
> that's incorrect
>
> mkdir -p /chroot/user_a/sftp /chroot/user_b/sftp
> chown user_a /chroot/user_a/sftp ; chown user_b /chroot/user_b/sftp
>
> and in sshd_config:
>
> ChrootDirectory /chroot/%u
> Subsystem sftp internal-sftp -d /sftp

Interesting, but it's certainly not in any of the documentation in the
default OpenSSH for RHEL 6 or CentOS 6, which is still at OpenSSH
5.3p1. And it doesn't seem to work on that version. Building and
maintaining a backported OpenSSH system is a lot of work. I've done it
repeatedly, since my first work with SSH version 1 in 1996, and I
don't recommend it for the faint of heart or those without compelling
needs.

I'm also afraid that your command line arguments are vulnerable to
problems with individually set local 'umask' settings. I'd instead be
sure to set the permissions as clearly as possible. Using the GNU
coreutils based "install" command, I would use:

    id -u user_a && id -g user_a && \
        install -d /chroot/user_a -m 0755 -o root -g root && \
        install -d /chroot/user_a/sftp -m 0700 -o user_a -g user_a
    id -u user_b && id -g user_b && \
        install -d /chroot/user_b -m 0755 -o root -g root && \
        install -d /chroot/user_b/sftp -m 0700 -o user_b -g user_b

And if scripting it, I'd make it report error conditions more intelligently.

I actually just went through this with a test SFTP server. I'll look
forward to a more recent version of OpenSSH that has the "-d" option
for the "Subsystem sftp internal-sftp" settings.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
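
The umask concern raised in the message above, as an added example that is not part of the original post: it compares "mkdir -p" with "install -d -m" under a umask of 0002 and audits the result by numeric owner and mode. It assumes GNU coreutils (install, stat -c); the scratch directory and the current user are constructed stand-ins for /chroot and root, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes GNU coreutils (install, stat -c). Works in a scratch
# directory owned by the current user, so it needs no root privileges.

# Create a directory as plain mkdir does: mode is 0777 masked by the umask.
make_with_mkdir() { ( umask "$2" && mkdir -p "$1" ); }

# Create a directory with an explicit mode; -m is applied regardless of umask.
make_with_install() { ( umask "$2" && install -d -m "$3" "$1" ); }

# Octal permission bits of a path, e.g. 755.
mode_of() { stat -c '%a' "$1"; }

# audit_dir PATH UID MODE: print every mismatch, return 1 if any was found.
audit_dir() {
    a_rc=0
    if [ ! -d "$1" ]; then
        echo "FAIL $1: missing or not a directory" >&2
        return 1
    fi
    a_uid=$(stat -c '%u' "$1")
    a_mode=$(mode_of "$1")
    if [ "$a_uid" != "$2" ]; then
        echo "FAIL $1: owner uid is $a_uid, expected $2" >&2
        a_rc=1
    fi
    if [ "$a_mode" != "$3" ]; then
        echo "FAIL $1: mode is $a_mode, expected $3" >&2
        a_rc=1
    fi
    return "$a_rc"
}

demo() {
    scratch=$(mktemp -d) || return 1
    me=$(id -u)
    # Constructed scenario: the administrator's shell runs with umask 0002.
    make_with_mkdir "$scratch/by_mkdir" 0002
    make_with_install "$scratch/by_install" 0002 0755
    echo "mkdir -p   -> $(mode_of "$scratch/by_mkdir")"
    echo "install -m -> $(mode_of "$scratch/by_install")"
    audit_dir "$scratch/by_mkdir" "$me" 755 || echo "by_mkdir rejected"
    audit_dir "$scratch/by_install" "$me" 755 && echo "by_install ok"
    rm -rf "$scratch"
}

demo
```

For a real chroot tree the audit would be called with uid 0 and mode 755 for each /chroot/<user> directory, since sshd requires every component of the ChrootDirectory path to be root-owned and not writable by any other user or group.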