
Mounting a directory over the network as a chrooted user

Create a new system user that will be restricted to SFTP/SSHFS access. The rest of this page calls the user share, so its home directory is /home/share:

sudo adduser share --shell /usr/sbin/nologin

Set the permissions on the restricted user's home directory. sshd refuses a ChrootDirectory (and every path component above it) that is not owned by root or that is writable by group or others:

sudo chown root:root /home/share
sudo chmod 755 /home/share

Because the chroot directory is owned by root, the user cannot write to it. Create a directory inside it that the user owns; this directory will be the remote mount point (in this case /home/share/data).

sudo mkdir -p /home/share/data
sudo chown share:share /home/share/data
sudo chmod 755 /home/share/data

Restrict Commands via SSH ForceCommand

sudo nano /etc/ssh/sshd_config

Add the following lines at the end of the file (a Match block applies to everything after it, so it must come last; adjust the path and username):

Match User share
    ForceCommand internal-sftp
    ChrootDirectory /home/share
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no

Generate SSH Key Pair (On the Client Machine)

ssh-keygen -t rsa -b 4096 -f ~/.ssh/share_key

Display the public key on the client machine (where it was generated) with cat ~/.ssh/share_key.pub, then copy and paste it into /home/share/.ssh/authorized_keys on the remote machine. Since /home/share is owned by root, create the .ssh directory there with sudo; sshd's StrictModes requires it and the authorized_keys file to be owned by share or root and not writable by group or others.

Restrict SSH Key in authorized_keys (On the Remote Machine)

sudo nano /home/share/.ssh/authorized_keys

Prepend these options to the public key so the restrictions also hold if the sshd_config Match block is ever changed (this is the final authorized_keys line):

command="internal-sftp",no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3... user@client

Check SSH Configuration (sshd_config) on the remote server

sudo nano /etc/ssh/sshd_config

Make sure this line exists and is not commented out (#):

Subsystem sftp /usr/lib/openssh/sftp-server

or

Subsystem sftp internal-sftp

Test the mount (the remote path is relative to the chroot, so /home/share/data is given as /data):

sshfs -o IdentityFile=/path/to/private/key/share_key $user@$yourserver:/mountpoint_relative_to_chroot/ /local/mountpoint
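If the mount fails, the usual causes are a chroot directory that sshd rejects (wrong owner or too permissive) or a key line that lost its options when pasted. The following script is an added example, not part of the original page: it checks the chroot layout and an authorized_keys line offline. It assumes GNU stat, and all paths, user names and key data are parameters or constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): offline sanity checks for the
# chroot layout and the key restrictions described above. Assumes GNU stat.

# check_chroot_dir DIR OWNER: sshd rejects ChrootDirectory unless it is owned
# by OWNER (root in production) and not group- or world-writable.
check_chroot_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    [ "$(stat -c %U "$dir")" = "$owner" ] || { echo "not owned by $owner: $dir"; return 1; }
    # octal mode: group digit is second from the right, other digit is last;
    # any of 2,3,6,7 in those positions means the write bit is set
    case "$(stat -c %a "$dir")" in
        *[2367][0-7]|*[2367]) echo "group/world writable: $dir"; return 1 ;;
    esac
    return 0
}

# check_mount_dir DIR USER: the subdirectory the client mounts must exist
# and belong to the restricted user, otherwise the mount is read-only at best.
check_mount_dir() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    [ "$(stat -c %U "$1")" = "$2" ] || { echo "not owned by $2: $1"; return 1; }
}

# check_authorized_key LINE: the key must carry the same restrictions as the
# Match block. Adding no-port-forwarding as well would mirror
# AllowTcpForwarding no, but it is not required by this check.
check_authorized_key() {
    line=$1
    opts=${line%% *}      # comma-separated options before the first space
    rest=${line#* }       # key type, key data, comment
    for opt in 'command="internal-sftp"' no-pty no-agent-forwarding no-X11-forwarding; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) echo "missing option: $opt"; return 1 ;;
        esac
    done
    case "${rest%% *}" in
        ssh-*|ecdsa-*|sk-*) return 0 ;;
        *) echo "no key type after options"; return 1 ;;
    esac
}
```

Run the checks on the real server as root, e.g. check_chroot_dir /home/share root, check_mount_dir /home/share/data share and check_authorized_key "$(head -1 /home/share/.ssh/authorized_keys)".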

Allow Other Users to Access the Mount

sudo nano /etc/fuse.conf

Uncomment this line:

user_allow_other

Add an entry to /etc/fstab so the directory is mounted on demand when the file browser accesses it (not at boot, to avoid delays if the server is unreachable):

$user@$address:/remote_mountpoint_relative_to_chroot /path/to/local/mountpoint fuse.sshfs noauto,x-systemd.automount,_netdev,IdentityFile=/path/to/private/key/share_key,uid=1000,gid=1000,al>