Stefano’s Stuffs

Fast ssh/sftp jail

In the last 48 hours I performed the installation of a large ftp/stp/ssh server; everything works ok except that, for some obscure reasons, I cannot deny to a connected user the access of the directories’ list; I’ve tried PureFtpd, Vsftpd, Proftpd and all the instructions related to chrooting an user by adding commands in the various configuration files…Don’t know why but it didn’t work!!It never happened before…So I think about another solution and…Voilà, ultrafast Ubuntu server with Proftpd and the hi-power of scponly:

1 – Install a Ubuntu server (preferably 8.04 or 8.10, for immediately install ssh server during the first process)

2 – Make a user during installation and leave all other settings by default

3 – Give to your server a static ip (sometimes ifconfig sucks, just in case install webmin and change the network from it using your browser) and do a sudo apt-get update

4 – Let’s do sudo apt-get install scponly

5 – Immediately reconfigure the software for the chroot version with sudo dpkg-reconfigure -plow scponly and answer “YES” to the menu

6 – Go to /usr/share/doc/scponly/setup_chroot and sudo gunzip the .gz file inside the directory

7 – Do sudo chmod + x and launch it with sudo ./

8 – Follow the instructions and add a totally new user (choosing the home and the incoming directory, the only one where the user can write!)

9 – Do sudo apt-get install proftpd and configure it by editing the /etc/proftpd/proftpd.conf (google for the configuration, but it’s sufficient to edit the name of the server, uncomment “DefaultRoot” and few others) and let’s restart it with sudo /etc/init.d/proftpd restart

10 – Log in with some sftp client like Filezilla to the hostname on port 22 with the username and password of the scponly user. Voilà, you see few directories, you cannot go anywhere and the only interesting thing is to up/down to the incoming dir;-)


October 15, 2008 - Posted by | computer | , , , , , , , , , ,


  1. Excellent howto, but can you explain why the proftpd part is necessary? Since openssh is actually the daemon serving the ssh/sftp connections, this seems extraneous.

    Comment by Farris | January 13, 2009 | Reply

  2. Hi Farris!
    In this case I choose Proftpd because I think it’s a very nice/customizable ftp server and was perfect for my need, as people can download files even from a browser by input ftp://

    Comment by stefanomatic | January 15, 2009 | Reply

  3. Looks to me like proftpd is irrelevant to ssh/sftp, you’re merely providing unsecured (and unencrypted password connection) FTP access to system users.

    Comment by SecureUser | February 8, 2009 | Reply

  4. Hi Secureuser!You’re right, proftpd is near irrelevant for ssh access, but in my environment I needed a sort of “ssh PLUS ftp” in a jail…So that was the fast way to produce something simple “all toghter” solution.Bye!

    Comment by stefanomatic | February 26, 2009 | Reply

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: