SSHFS question

Forum: Linux
Total Replies: 6

Feb 05, 2012
7:57 PM EST
Does anyone know how I can restrict the top level, root, directory for users accessing a public shared directory (via sshfs) to that directory? I can't find any way of doing that via sshd, so I'm thinking I may have to set up some sort of jail.

Feb 06, 2012
1:14 AM EST
Yes indeed. Set up a chroot jail and include in that jail the executables and libraries needed to support the sshfs access to your data. Your data also exists under the chroot jail.

Feb 06, 2012
1:42 AM EST
I was afraid of that. I just want to use sshfs to create a share, much the same as how Samba works. I find sshfs so much more reliable, especially when sharing large files.

I can sort of do what I want by creating a user whose home directory is the share, and logging in from a remote machine using

sshfs user@server: /home/user/sharemountpoint

That mounts the user's home directory, which is, of course, the share on "server". It's perfect security by obscurity if the "user" doesn't know how to use sshfs (and the whole thing is controlled by a script at their end anyway), but the whole thing comes apart once you start using sshfs from the CLI.

Feb 06, 2012
1:56 AM EST
You might be able to do something like this to accomplish a limited chroot:

In /etc/ssh/sshd_config:

Match User my_user
       ChrootDirectory /path/to/chroot/%u
       ForceCommand internal-sftp
       AllowTcpForwarding no
       X11Forwarding no

This will limit the user to sftp only and contain the user's access to a specific subdirectory.
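
An added check, not part of the original post or of OpenSSH: sshd only accepts a ChrootDirectory when every component of the expanded path is a root-owned directory that is not writable by group or others, so a per-user `%u` directory owned by the user makes the login fail. The script below audits a path against that rule; it assumes GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a candidate ChrootDirectory against sshd's ownership rule.
# Assumes GNU stat (Linux); function names are hypothetical.

# mode_is_safe OCTAL_MODE: true when neither group nor other may write.
mode_is_safe() {
    [ $(( 0$1 & 022 )) -eq 0 ]    # 022 = group-write | other-write
}

# component_is_safe UID OCTAL_MODE: true when root-owned and mode_is_safe.
component_is_safe() {
    [ "$1" -eq 0 ] && mode_is_safe "$2"
}

# audit_chroot PATH: check PATH and each parent up to /.
# Prints every failing component; returns 0 (ok), 1 (unsafe) or 2 (bad path).
audit_chroot() {
    audit_dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    audit_rc=0
    while :; do
        audit_uid=$(stat -c %u "$audit_dir")
        audit_mode=$(stat -c %a "$audit_dir")
        if ! component_is_safe "$audit_uid" "$audit_mode"; then
            echo "UNSAFE $audit_dir (uid=$audit_uid mode=$audit_mode)"
            audit_rc=1
        fi
        [ "$audit_dir" = / ] && break
        audit_dir=$(dirname "$audit_dir")
    done
    return "$audit_rc"
}

# Stand-alone use: pass the expanded chroot path, e.g. /path/to/chroot/my_user
if [ "$#" -gt 0 ]; then
    audit_chroot "$1"
    exit $?
fi
```

Because the chroot root itself cannot be writable by the user, uploads need a user-owned subdirectory inside it.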


Feb 06, 2012
2:05 AM EST
sftp is not sshfs. But this page explains how to combine the two:

greetings, eMBee.

Feb 06, 2012
3:50 AM EST
Thanks guys. What a complicated rigmarole for something that could be covered by simply having a configuration option that forced sshfs to always mount the user's home directory.

For example, a flag like Always_Use_Home_Directory=[yes/no] in sshd_config, perhaps combined with a match user.

Then if that was equal to "yes", it wouldn't matter what was entered at the other end; it would always act as if

"sshfs user@server: /home/user/sharemountpoint" had been used.


Feb 06, 2012
7:08 PM EST
You know.... that just might be worth mentioning to the pertinent devs.

If that seems presumptuous, you might start it as a "how do I ..." question.
