Windowsserverdocs: How do i set the ChrootDirectory for a specific user (not system wide)?

Created on 31 Aug 2020 · 13 Comments · Source: MicrosoftDocs/windowsserverdocs

So I know you can set the CHROOT in a system-wide config file located in C:\ProgramData\ssh\sshd_config. Is it possible to set this for a specific user individually?

Most helpful comment

Thank you very much for your help @konstruktoid. This solved my issue!

All 13 comments

@Dragane: Which article are you referring to?

Very likely that this is about one of the OpenSSH pages.
Would be nice to know which one, though.

@konstruktoid : Would you happen to know what the OP is asking for, or do you think their question belongs to one of the Microsoft forum pages?

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/administration/OpenSSH/OpenSSH_Server_Configuration.md

ChrootDirectory (Support added in v7.7.0.0)

This directive is only supported with sftp sessions. A remote session into cmd.exe wouldn't honor this. To set up an sftp-only chroot server, set ForceCommand to internal-sftp. You may also set up scp with chroot, by implementing a custom shell that would only allow scp and sftp.

It's basically

sshd_config:

Subsystem     sftp   internal-sftp
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

and a user added to the sftp group will be chrooted, if the home directory et al. exists.

Thank you guys, and sorry for not replying earlier.
So yes, I was referring to the article that @konstruktoid mentioned. I also found instructions on:
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration#allowgroups-allowusers-denygroups-denyusers

Question for @konstruktoid:
So let's say that I create a Windows group called sftp. I want each Windows user from this group to have its own chroot directory. And that directory shouldn't be the user's home directory, but rather a folder on the C: drive. How would I do this? Because from your example I assume that each user would get their own home directory as a chroot directory (%h).

@Dragane, remove the %h token and add the folder path, e.g. ChrootDirectory C:\MyDataRoot.
https://github.com/PowerShell/Win32-OpenSSH/issues/190#issuecomment-662879084 and https://github.com/PowerShell/openssh-portable/pull/308#issuecomment-391884272 might be helpful as well.

OK, so I set the following in my C:\ProgramData\ssh\sshd_config:

ForceCommand internal-sftp
Match User init
ChrootDirectory C:\sftp_repo

This makes the Windows user called init have access to C:\sftp_repo.

Now can you tell me what line to add to make a user called, let's say, "dev" have access to some other folder, let's say C:\devrepo\?

Shall I maybe edit some other file than C:\ProgramData\ssh\sshd_config?

https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration#match can surely be expanded, but it's documented in the sshd_config manual, e.g. https://manpages.ubuntu.com/manpages/focal/en/man5/sshd_config.5.html:

Match   Introduces a conditional block. If all of the criteria on the Match line are
        satisfied, the keywords on the following lines override those set in the global
        section of the config file, until either another Match line or the end of the file.
        If a keyword appears in multiple Match blocks that are satisfied, only the first
        instance of the keyword is applied.

Example:

Match User init
   ChrootDirectory C:\sftp_repo
   AllowTcpForwarding no

Match User dev
   ChrootDirectory C:\devrepo
   AllowTcpForwarding no

Thank you very much for your help @konstruktoid. This solved my issue!

@Dragane : Do you find that the information provided is needed in the documentation, or do you see it as an off-hand, random issue?
If your issue/case is common and the information is needed by others, we may want to reopen this ticket.

I just used the example that Thomas provided and it was exactly what I was
looking for.

I didn't even have to read the documentation provided.


OK. Fair enough. No documentation involved, I see.
