Create a chrooted SSH/SFTP server on OS X UNIX
By following these directions -- with the BIGGEST kudos to Masaki Ogawa, who is a credit to the Mac community -- you can use ssh and secure FTP (sftp) with chroot to enable truly secure file transfer. Both encrypt the session, and have it set so that sftp users won't have free run of the whole file system. I've tested this on OS X Server 10.3.5, and it worked like a charm, and without breaking anything.

You will need to have the Developer Tools (nee XCode) installed on your system for this to work.

Goodbye, insecure old FTP. Hellooooo, security! Pass it on!

[robg adds: I haven't tested this one...]
Create a chrooted SSH/SFTP server on OS X
Authored by: chrootjames on Nov 04, '04 03:49:39PM

Hi, this is James, author of chrootssh. I use Macs for a lot of my work so I am thrilled to see some of my work listed here. Thanks!



My bad!
Authored by: SonyaLynn on Nov 04, '04 07:40:23PM

James...you're so right. I'm sorry I forgot to mention you and your help in the hint! You and Masaki-san helped this poor rookie sysadmin do something she didn't even know was possible more than a week ago: banish that pesky FTP. Thanks for the great work!



Create a chrooted SSH/SFTP server on OS X
Authored by: Schwie on Dec 03, '04 11:50:41PM

SonyaLynn,

Thanks for posting the instructions...

I worked through your instructions, and I got as far as "Test" halfway down the page. When I attempted to check whether the new sshd-chroot works, I got the following error message:

ssh: connect to host localhost port 10022: Connection refused

I checked to make sure my firewall was turned off, and I also tried it with FTP on and off. Nothing. Any ideas for how I get around this? I'd really love to get this working.

Thanks!

Brad



Create a chrooted SSH/SFTP server on OS X
Authored by: mwnovak on Feb 02, '05 07:39:41PM

I tried this patch for OSSH-3.6.1 and it works beautifully: chrooted SSH, SCP, and SFTP.

Very, very nice. There were two things that I discovered along the way (I'm a Linux neophyte, so bear with me):

1) At least under OS 10.3(.7), you'll need to copy your new sshd into /usr/sbin/sshd-chroot (rather than the stated /usr/local/sbin/sshd-chroot, which doesn't exist).

2) The patched OpenSSH-3.6.1 would NOT compile using the gcc provided with XCode 1.0 and/or 1.1. After grabbing XCode 1.5 from Apple, everything was smooth.

Beyond that, it's worth noting that the mailing list discussions at http://chrootssh.sourceforge.net/ offer a wealth of information about configuring/tuning the resultant chrooted environment. Very helpful.

--MW


Create a chrooted SSH/SFTP server on OS X
Authored by: Schwie on Feb 10, '05 10:45:06PM

Thanks to SonyaLynn and mwnovak! I finally got this going on my machine... More advice...

I was trying to set up my sftp chroot so that each user would be confined to their own Home directory and not be able to see other users in the main "Users" directory. To do this, I had to copy three folders from the Users folder "etc", "bin", and "usr" and place them in each user's home directory that I wanted to jail to their home directory (these three folders were made when following the directions on the website recommended by SonyaLynn).

Finally, I had to go into NetInfo and change the "Home" path to "/Users/chet/./Sites" (for a user named chet). This will confine the user "chet" to his own home directory and when he logs in using an sftp client, he'll end up in his Sites folder. He'll be able to back up one directory level to see his entire Home folder, but that's as far as he's going.

Pretty slick! I'm tickled to finally have this working!!!



Create a chrooted SSH/SFTP server on OS X
Authored by: jahama on Feb 17, '05 09:34:14PM

Schwie,

Did you have to move any passwd files around? I got to the test portion and it tells me "Permission Denied" after I put my password in. I tested the password, and it works outside of SSH. I think I'm close if I can just figure this one out.

Thanks!
Jay



Create a chrooted SSH/SFTP server on OS X
Authored by: Schwie on Feb 25, '05 12:05:53AM
Jay,

No, I never had to move any passwd files from what I remember.

If you want a revised list of instructions in better English, I re-wrote the instructions, and these should work for you.

http://www.schwie.com/brad/macosxsftpchroot

Let me know if you hit any more stumbling blocks. I'll add any recommendations you come up with.

When it works, it's really slick! Best of luck to you.

Brad


Create a chrooted SSH/SFTP server on OS X
Authored by: bsiu922 on Mar 15, '05 08:41:41PM

Do I use the latest version of OpenSSH or use 3.6.1? I try a few times and still get the connection refused when I do the testing.



Create a chrooted SSH/SFTP server on OS X
Authored by: jepler on Nov 19, '07 10:13:29AM
I recently got this to work on OS 10.3.9 after a few hiccups along the way. I posted my experience here (Mac OS X Server 10.3.9 and the Chroots of My Labor) if interested.

---
Jim Epler
San Diego, CA
http://mytechmusings.blogspot.com


Create a chrooted SSH/SFTP server on OS X
Authored by: pweil on Mar 14, '05 03:29:01PM
We can't seem to download the sourcecode from OpenDarwin:
$ cvs -d :pserver:anonymous@anoncvs.opendarwin.org:/Volumes/src/cvs/od co src/OpenSSH
cvs server: cannot find module `src/OpenSSH' - ignored
cvs [checkout aborted]: cannot expand modules
Perhaps there's a typo error here, but I can't find it. Anyone else seeing this problem?

Server Elves
Authored by: heavyboots on Aug 24, '05 10:49:44PM

So I managed to get this working, but to be perfectly honest, I'm not 100% sure how! (I should note that my friend hypothesizes server elves are the real reason, btw...) :-D

In 10.3.5 at least (what update?), I noticed that there seems to be something else that needs to be restarted or reloaded before the path changes take effect. Therefore, it seems like I only get one shot per day at getting the path right. I have no idea why this is, but I ended up giving up on it and going away for the weekend. When I came back, the exact same things that weren't working last week are now working perfectly and the only difference seems to be that I left it alone and the server did something--probably during periodic maintenance--to Make It All Better.

It is worth noting that when you're making users, it seems easiest to just use the Inspector part of the WGM to add a new Home property with the correct path. I had zero luck messing with the Home folder area.

And finally, if you're going to restrict the user to their Home folder, as mentioned by Schwie, you need to put the /bin, /etc, and /usr folders *inside* the user's Home folder. It is semantically a bit tricky but the original instructions actually do mention that "Following example is for chrooting to /Users", meaning that his example is setting it up so they will have access to everything inside /Users it looks like.

All in all though, I'm really really happy to have this working! Definitely makes my life easier and the server more secure.



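The per-user jail layout that Schwie (Feb 10) and heavyboots describe above follows one convention: the part of the Home path before "/./" is the chroot root, the part after it is the directory the user lands in, and bin, etc and usr have to live inside that root. The script below is an added example for checking a jail against that convention before handing it to sshd-chroot; it is not from the hint, from chrootssh, or from any poster here, and it assumes only POSIX sh, ls -ldn, awk and cut. The expected-owner argument is a numeric uid (0 for root on a real server).

```shell
#!/bin/sh
# Added example: validate a chrootssh-style "/jail/./start" Home path and the
# directory it points at. Assumptions: the "/./" convention as described in the
# thread; ls -ldn/awk/cut available (true on OS X and Linux).

# Jail root: everything before the "/./" marker (the whole path if no marker).
jail_root() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Start directory inside the jail: everything after "/./", written as an
# absolute path relative to the jail root ("/" when there is no marker).
jail_start() {
    case "$1" in
        */./*) printf '/%s\n' "${1#*/./}" ;;
        *)     printf '/\n' ;;
    esac
}

# Permission string and numeric owner uid of a path, via ls -ldn (portable).
mode_of()  { ls -ldn "$1" | cut -c1-10; }
owner_of() { ls -ldn "$1" | awk '{print $3}'; }

# check_jail HOMEPATH OWNER_UID
# Prints each problem found and returns 1; returns 0 when the jail looks sound:
#  - jail root exists and is owned by OWNER_UID (a jailed user who can write
#    the root of his own chroot can plant files the jail is meant to keep out)
#  - jail root is not group- or world-writable
#  - bin, etc and usr exist inside the jail (the three folders the posts copy in)
#  - the start directory named after "/./" exists inside the jail
check_jail() {
    home=$1; want=$2; rc=0
    root=$(jail_root "$home"); start=$(jail_start "$home")
    if [ ! -d "$root" ]; then
        echo "jail root $root does not exist"; return 1
    fi
    if [ "$(owner_of "$root")" != "$want" ]; then
        echo "jail root $root is owned by uid $(owner_of "$root"), expected $want"; rc=1
    fi
    m=$(mode_of "$root")
    case "$m" in
        ?????w*|????????w*) echo "jail root $root is group- or world-writable ($m)"; rc=1 ;;
    esac
    for d in bin etc usr; do
        [ -d "$root/$d" ] || { echo "missing $root/$d"; rc=1; }
    done
    [ -d "$root$start" ] || { echo "start directory $start missing inside $root"; rc=1; }
    return $rc
}

# Usage: sh checkjail.sh /Users/chet/./Sites 0
if [ $# -eq 2 ]; then
    check_jail "$1" "$2" && echo "jail $(jail_root "$1") looks sound"
fi
```

Run it against each Home path you set in NetInfo or Workgroup Manager; a non-zero exit with a printed reason is the thing to fix before starting sshd-chroot. The owner and writability checks are the ones that matter most: the three copied folders only make the jail usable, while a root that the jailed user can write to makes the jail pointless.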
One last note on CVS
Authored by: heavyboots on Aug 24, '05 10:52:42PM

BTW, the CVS step in the original instructions isn't working anymore. Just go to http://chrootssh.sourceforge.net and manually download the latest version from there and apply the patch.


