Creating SFTP users and jailing to chroot on CentOS - user authentication error

Solution 1:

It's a common pitfall:
All folders up to the chroot home must be owned and only writable by root user.
The folders cannot be group writable - even if the group is root.

Solution 2:

I found and successfully configured sftp on CentOS 6.5: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

Edit sshd config:

vim /etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server (comment out the default with "#")

add:

Subsystem sftp internal-sftp
Match Group sftp-only
    ChrootDirectory /var/www/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Exit and save.

Then:

mkdir /etc/skel2
groupadd sftp-only
getent group | grep sftp-only  (take note of the GID (group ID); here, in my example, it's 500)

For a new user named "testuser" (member of the sftp-only group with GID 500):

useradd --base-dir /var/www --gid 500 --skel /etc/skel2 --create-home --shell /sbin/nologin testuser

(I use an empty /etc/skel2 so no .bashrc etc. is copied by default by CentOS)

mkdir -p /var/www/testuser/home/testuser

chown root:sftp-only /var/www/testuser
chmod 750 /var/www/testuser

chown root:root /var/www/testuser/home
chmod 755 /var/www/testuser/home

chown testuser:sftp-only /var/www/testuser/home/testuser
chmod 770 /var/www/testuser/home/testuser

So in this example, I made it to give secure access to external consulting firms that manage websites. You could, after creating all this, do:

mkdir /var/www/testuser/home/testuser/www.somesite.com
chown testuser:apache /var/www/testuser/home/testuser/www.somesite.com
chmod xxx /var/www/testuser/home/testuser/www.somesite.com (permissions on the website as needed, usually 750 so apache gets read access)

One could fine tune all this as needed.

Hope this helped!

Guy Boisvert IngTegration inc. http://www.ingtegration.com
