The steps below set up SFTP with key-based (passwordless) authentication and chroot the user into their own directory using jailkit.

Host server

Generate a key pair:

ssh-keygen -t rsa

Copy the public key to the remote server:

ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotehost

This appends the public key to .ssh/authorized_keys in the specified user's home directory on the remote server. Make sure the remote user has already been created.

To copy a key manually, or to install a public key handed over by a customer, put it on the remote server first:

scp ~/.ssh/id_rsa.pub root@remoteserver:/root

Remote server

1. Inside the specified user's home directory create a .ssh directory

mkdir /home/userdir/.ssh 

2. Create a file called authorized_keys inside .ssh

touch /home/userdir/.ssh/authorized_keys 

3. Append the contents of id_rsa.pub to authorized_keys

cat /root/id_rsa.pub >> /home/userdir/.ssh/authorized_keys 

At this point key-based login to the remote server works and drops you into the user's home directory. Next, deny the user an interactive shell:

vim /etc/passwd 

Set the specified user's shell to /bin/false, e.g.

user:x:5001:5002::/path/to/directory/web:/bin/false

Now we need to modify the sshd_config file:

vim /etc/ssh/sshd_config

Change Subsystem sftp /usr/lib/openssh/sftp-server to

Subsystem sftp internal-sftp 

Append the following to the bottom of the file (a Match block applies to everything that follows it, so it has to come last). It applies to every member of the sftp group, so the user must be a member of that group:

Match Group sftp
ChrootDirectory /path/to/directory/web
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp 

Now we need to set ownership and permissions. sshd refuses the chroot (the log shows "bad ownership or modes for chroot directory") unless the chroot directory and every directory above it are owned by root and not writable by group or others, so the jail itself belongs to root and the user owns only .ssh (plus any subdirectory they need to upload into):

chown root:root /home/user

chown user:root /home/user/.ssh

chown user:root /home/user/.ssh/authorized_keys

chmod 755 /home/user

chmod 700 /home/user/.ssh

chmod 600 /home/user/.ssh/authorized_keys
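As an added example (my own script, not part of the original post), the POSIX shell functions below encode the rule sshd applies before it honours ChrootDirectory, so you can check a planned jail path without trial-and-error against the live server, and render the Match block from the post for a given jail and group. The function names (chroot_mode_ok, chroot_path_ok, sftp_match_block) are mine, and chroot_path_ok assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are my own; the
# rule they encode is OpenSSH's: every component of the ChrootDirectory path
# must be owned by root and must not be writable by group or others.

# Pure check on (owner, octal mode) so it can be exercised without root.
# Owner may be given as the name "root" or as uid 0.
chroot_mode_ok() {
    owner="$1"
    mode="$2"
    [ "$owner" = root ] || [ "$owner" = 0 ] || return 1
    # keep only the low three permission digits (drop setuid/setgid/sticky)
    perm=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    # an octal digit of 2, 3, 6 or 7 has the write bit set
    case "$group$other" in
        *[2367]*) return 1 ;;
    esac
    return 0
}

# Walk a real, absolute path from the leaf up to / the way sshd does.
# Prints the first offending component to stderr. Uses GNU stat.
chroot_path_ok() {
    path="$1"
    case "$path" in
        /*) ;;
        *) echo "chroot_path_ok: absolute path required" >&2; return 1 ;;
    esac
    while :; do
        info=$(stat -c '%u %a' "$path") || return 1
        uid=${info% *}
        mode=${info#* }
        if ! chroot_mode_ok "$uid" "$mode"; then
            echo "ChrootDirectory would be rejected: $path is uid $uid mode $mode" >&2
            return 1
        fi
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

# Render the sshd_config Match block from the post for a jail and a group.
sftp_match_block() {
    jail="$1"
    group="$2"
    printf 'Match Group %s\n' "$group"
    printf '    ChrootDirectory %s\n' "$jail"
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    ForceCommand internal-sftp\n'
}

# Demonstration with the two permission sets discussed above: a root-owned
# 755 jail is accepted, a user-owned 775 jail is refused by sshd.
if chroot_mode_ok root 755; then
    echo "root:root 755 -> accepted"
fi
if ! chroot_mode_ok 5001 775; then
    echo "uid 5001, mode 775 -> rejected (bad ownership or modes)"
fi
sftp_match_block /path/to/directory/web sftp
```

To vet a real jail before restarting sshd, run `chroot_path_ok /path/to/directory/web` on the remote server; it checks /path, /path/to and so on up to /, which is where a user-writable parent directory is usually missed.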

That should be everything. Try to sftp to the remote host from the original host (an interactive ssh login will not get a shell, because ForceCommand hands the session to internal-sftp). You should be dropped straight into the specified directory and be unable to move anywhere outside of it.

Written by Matt Cooper
Hi, I'm Matt Cooper. I started this blog to pretty much act as a brain dump area for things I learn from day to day. You can contact me at: matt@linuxtutorial.co.uk.