Set Initial Remote Working Directory in SFTP
When not using chroot or internal-sftp, the OpenSSH package uses a program named sftp-server to handle incoming SFTP sessions. The documentation for sftp-server lists a command-line option for the starting directory:
    -d start_directory
        specifies an alternate starting directory for users. The pathname may contain the following tokens that are expanded at runtime: %% is replaced by a literal '%', %d is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The default is to use the user's home directory. This option is useful in conjunction with the sshd_config(5) ChrootDirectory option.
That documentation also applies to the internal-sftp subsystem, so you can also use this option with that. Note that you should specify the starting directory relative to the chroot, not the system's actual root:
    Subsystem sftp internal-sftp -u 0007 -l INFO -d /fileshere
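As an added example (not part of the original answer and not OpenSSH's own code), the shell script below builds the directory layout the question describes and prints the sshd_config lines that go with it. It assumes the names from the question (chroot /home/customers/srgcompany, group srgcompany, writable subdirectory fileshere), GNU stat, and the hypothetical helper names sshd_config_fragment, chroot_dir_ok and make_layout. Two points it makes concrete: the -d path is resolved inside the chroot, so /fileshere on the Subsystem line is /home/customers/srgcompany/fileshere on the host; and sshd only accepts a ChrootDirectory that is root-owned and not writable by group or others, which is why the writable location must be a subdirectory rather than the chroot itself.

```shell
#!/bin/sh
# Added example, not from the original answer or from OpenSSH.
# Assumed names (taken from the question): chroot /home/customers/srgcompany,
# group srgcompany, group-writable subdirectory fileshere. Needs GNU stat.

CHROOT=/home/customers/srgcompany
GROUP=srgcompany
SUBDIR=fileshere

# Print the sshd_config fragment. The -d argument is relative to the chroot,
# so "/$subdir" here is "$jail/$subdir" on the host filesystem. ForceCommand
# keeps members of the group on the SFTP server even if they have a shell.
sshd_config_fragment() {
  jail="$1"; group="$2"; subdir="$3"
  cat <<EOF
Subsystem sftp internal-sftp -u 0007 -l INFO -d /$subdir

Match Group $group
    ChrootDirectory $jail
    ForceCommand internal-sftp -u 0007 -l INFO -d /$subdir
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Mirror the check sshd applies to ChrootDirectory: the directory must be
# owned by root and must not be writable by group or others. Returns 0 if
# acceptable, 1 otherwise. Uses GNU stat's symbolic mode (e.g. drwxr-xr-x);
# character 6 is the group write bit and character 9 the other write bit.
chroot_dir_ok() {
  dir="$1"
  [ -d "$dir" ] || return 1
  [ "$(stat -c '%U' "$dir")" = root ] || return 1
  case "$(stat -c '%A' "$dir")" in
    ?????w*|????????w*) return 1 ;;
  esac
  return 0
}

# Create the layout. Must be run as root: the chroot stays root-owned and
# 755, the subdirectory is owned by root:$group with setgid and group write
# so that files created through SFTP (umask 0007) stay group-writable.
make_layout() {
  jail="$1"; group="$2"; subdir="$3"
  mkdir -p "$jail/$subdir"
  chown root:root "$jail"
  chmod 755 "$jail"
  chown "root:$group" "$jail/$subdir"
  chmod 2770 "$jail/$subdir"
  chroot_dir_ok "$jail"
}

# Running the file prints the fragment to paste into sshd_config; call
# make_layout "$CHROOT" "$GROUP" "$SUBDIR" separately as root.
sshd_config_fragment "$CHROOT" "$GROUP" "$SUBDIR"
```

After adding the fragment to sshd_config, run `sshd -t` to check the syntax before reloading, and keep an existing session open while you test the new one.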
pgn674
Updated on September 18, 2022

Comments
-
pgn674 almost 2 years
I am running Amazon Linux AMI (Red Hat derivative), and am creating a new SFTP server using OpenSSH. I would like for the SFTP user to be restricted to a directory, and to be able to write to the initial directory that is shown by their SFTP client.
I am using ChrootDirectory to chroot the user to /home/customers/srgcompany. That means that this directory has to be owned by root and only writable by root. The user's passwd entry looks like
    fflintstone:x:508:515:Fred Flintstone:/home/fflintstone:/sbin/nologin
I have placed the user's public key in /home/fflintstone/.ssh/authorized_keys. I've created a folder that the user's group (srgcompany) has read/write/execute/sgid permission on at /home/customers/srgcompany/fileshere. I've configured OpenSSH's SFTP with
    Subsystem sftp internal-sftp -u 0007 -l INFO
So right now, when the user uses an SFTP client to connect, the directory that gets shown (and is returned by the pwd command) cannot be written to. The user can cd to the fileshere folder, and write there. Is there any way to make that fileshere folder be the initial remote working directory as soon as the user SFTP's in, like in the example below? Or, can I make the chrooted folder be writeable?
What I want:
    $ sftp sftpserver.sssprockets.com
    Connected to sftpserver.sssprockets.com.
    sftp> pwd
    Remote working directory: /fileshere
Any help is much appreciated.
-
pgn674 about 9 years
Awesome, that worked perfectly. Thank you very much.