chrooted SFTP access with OpenSSH
chroot jails ring-fence users, files, and processes. While the theory—privilege isolation for damage limitation—is singular, the practice has many techniques and a range of uses.
Let's employ OpenSSH's advanced functionality to limit an SFTP area that can be used to share files, for example to offer a developer safe access to our web files, complete with logging, and allowing us to disable the now-redundant FTP service and close its port.
You'll need at least OpenSSH 5.2 to gain from all the features used here.
Note
chroot is explained in Kernel level chroot hardening in Chapter 11.
If you're wondering why we're using SFTP, not FTP, read Chapter 5 where we also generated the authentication keys used with this method.
Assuming root for this section, we swap the export value for a username, create a group, add the user with a regular home directory (which he'll never see, but which will contain a public authentication key) and add the user to both his and the sftpusers...
