using OpenSSH/SFTP to replace an FTP server securely

IMAP List Administration lists at
Mon May 19 11:31:00 EST 2014

Hello Folks,

I'm trying to replace an FTP with several hundred users with something secure.

My requirements:
    - transfers must be logged
    - users should not have any access to other users' directories
    - users should land in a writable directory
    - users should be chrooted

I've been trying to get this working with OpenSSH and the internal SFTP server,
but it does not seem possible....

If I chroot each user using "ChrootDirectory /home/%u", there are two problems:

    1) the user lands in a directory to which he cannot write
    2) I would need hundreds of syslog logging sockets, one in each user's
chrooted environment

if I chroot all users to the same top directory, for example "/home",
which would solve the problem of avoiding hundreds of syslog logging sockets, I
have found no method of having OpenSSH chdir into a user-specific subdirectory
(I would be willing to rely on the standard UNIX security model to restrict
users' access to their own directories).

Have I missed something, or is what I'm trying to achieve simply not possible
using OpenSSH?

I do not really want to get into bind-mounting all sorts of crap from outside
the chroot envonment to get stuff to work, particularly not for hundreds of
users. If "sftp-server" solve the problem in conjunction with a single chroot
top directory, I would be willing to bind-mount (or copy) what it needs, but I
have not found any way of getting sftp-server to satisfy the above requirements.

The platform is CentOS 6.5 (x86_64).

"ssh -V" reports:

    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013



More information about the openssh-unix-dev mailing list