
Discussion in 'Server Operation' started by Angelito, Jan 30, 2009.

  1. Angelito

    Angelito New Member

    Hello community,

    I have run a shell script to chroot SSH; this way users will not be able to browse directories and files outside the jail.

    The script can be found at:

    As indicated in:

    After installation I am able to successfully SSH to my Fedora box from a remote XP host using PuTTY. Good! Chrooted SSH is working; not the case for SFTP and SCP.

    Using the same process with WinSCP results in failure.
    Going after the logs I found out the following:

    Jan 28 23:41:15 localhost sshd[5454]: Accepted password for testuser from port 4385 ssh2
    Jan 28 23:41:15 localhost sshd[5454]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
    Jan 28 23:41:15 localhost sshd[5456]: subsystem request for sftp
    Jan 28 23:41:15 localhost sudo: testuser : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/chroot/home/testuser ; USER=root ; COMMAND=/usr/sbin/chroot /home/chroot /bin/su - testuser -c /usr/libexec/openssh/sftp-server
    Jan 28 23:41:15 localhost sshd[5454]: pam_unix(sshd:session): session closed for user testuser

    I cat my sudoers file and find an entry for this user at the end of the file:
    testuser ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - testuser

    I cannot figure it out though.
    I lack knowledge editing this file.

    Any help or suggestion will be appreciated.

    Thank you
  2. falko

    falko Super Moderator ISPConfig Developer

  3. Angelito

    Angelito New Member


    Thank you falko,

    got it to work! (using the script)

    As a reference I want to say that I found out that OpenSSH finally has native support for isolating users to their home directories when using SFTP.

    Reference links:



    I hope this will be a good reference for anyone searching with the same sleepless drama I was going through.

    Angel/ ito / Naco
  4. falko

    falko Super Moderator ISPConfig Developer

    Yes, this has been implemented recently (some time after the tutorials were written). :)
