
Double check if an SSH account is SFTP-only and chrooted


Note that this question is not about how to do chroot or make an account SFTP-only. The question is about whether there are specific ways for a sysadmin to check that a chrooted and SFTP-only account is correctly set up.

Usually I do the chroot or SFTP-only settings following some online resources such as this one: https://wiki.archlinux.org/title/SFTP_chroot. But the issue is, unlike simply changing an option from No to Yes in a configuration file, I need to complete multiple steps to finish the chroot or SFTP-only settings. Since this is such a fundamentally important security setting, I am always thinking: Is my configuration correct? Am I missing something minor but critical?

Currently what I am doing to verify the correctness is very simple:

  • To validate that an account is SFTP-only, I just try to log in as a normal user and see whether I get a This service allows sftp connections only. message and am rejected.
  • To validate that an account is properly chrooted, I log in as an SFTP user and check whether I can switch to a directory the account is not supposed to be able to enter (usually I just double-click the .. item at the top of the file list in an SFTP client's GUI many, many times).


Are these two checks the only things a sysadmin needs to do to be 100% sure that the settings are correct?

mangohost
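The two checks in the question are interactive. As an added example (not part of the question, and not code from the Arch wiki page it links), here is a POSIX shell script with two non-interactive checks a sysadmin can run on the server itself: one against the effective sshd configuration for the user as printed by `sshd -T -C user=...` (Match blocks applied, keywords in lowercase), and one against the ownership and modes of every component of the ChrootDirectory path, which sshd itself requires to be root-owned and not group- or world-writable. The user name `bob`, the chroot path `/srv/sftp/bob` and the host/address values in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the question or the Arch wiki page it links).
# Two non-interactive checks for an SFTP-only, chrooted account:
#
#  1. effective_config_ok  - reads the output of `sshd -T -C user=NAME,...`
#     (the merged configuration with Match blocks applied; sshd prints the
#     keywords in lowercase, and "chrootdirectory none" when no chroot is
#     set) and requires ForceCommand internal-sftp, a ChrootDirectory, and
#     forwarding/tunnelling turned off (ForceCommand alone does not block
#     port forwarding).
#  2. chroot_components_ok - reads one "uid perms path" line per component
#     of the ChrootDirectory path and applies sshd's own rule: every
#     component must be a directory owned by root (uid 0) that is not
#     writable by group or others; otherwise sshd refuses the session and
#     logs "bad ownership or modes for chroot directory component".
#
# Both read stdin, so they also work on saved output. Return 0 = pass.

effective_config_ok() {
    conf=$(cat)
    # value of the first line whose keyword is $1 (empty if absent)
    get() { printf '%s\n' "$conf" | awk -v k="$1" '$1 == k { print $2; exit }'; }
    rc=0
    [ "$(get forcecommand)" = "internal-sftp" ] ||
        { echo "FAIL: forcecommand='$(get forcecommand)', want internal-sftp"; rc=1; }
    case "$(get chrootdirectory)" in
        /*) echo "ok:   chrootdirectory=$(get chrootdirectory)" ;;
        *)  echo "FAIL: chrootdirectory='$(get chrootdirectory)' (user is not chrooted)"; rc=1 ;;
    esac
    for k in allowtcpforwarding x11forwarding allowagentforwarding permittunnel; do
        [ "$(get "$k")" = "no" ] ||
            { echo "FAIL: $k='$(get "$k")', want no"; rc=1; }
    done
    return $rc
}

# Emit "uid perms path" for / and then for each component of $1, using
# POSIX `ls -ldnL` (numeric owner; follows symlinks, as sshd's stat() does).
chroot_component_lines() {
    acc=""
    ls -ldnL / | awk '{ print $3, $1, "/" }'
    old_ifs=$IFS; IFS=/
    set -f
    for comp in $1; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        ls -ldnL "$acc" | awk -v p="$acc" '{ print $3, $1, p }'
    done
    set +f
    IFS=$old_ifs
}

# Apply sshd's rule to every "uid perms path" line on stdin.
chroot_components_ok() {
    awk '
        {
            uid = $1; perms = $2; path = $3; bad = ""
            if (uid != 0)                   bad = bad " not-root-owned"
            if (substr(perms, 1, 1) != "d") bad = bad " not-a-directory"
            if (substr(perms, 6, 1) == "w") bad = bad " group-writable"
            if (substr(perms, 9, 1) == "w") bad = bad " world-writable"
            if (bad != "") { print "FAIL: " path ":" bad; rc = 1 }
            else             print "ok:   " path " (uid " uid ", " perms ")"
        }
        END { exit rc }'
}

# Usage (run as root on the SSH server; sshd may need its full path):
#   sh check_sftp_chroot.sh bob /srv/sftp/bob [HOST ADDR]
# USER, CHROOT_DIR, HOST and ADDR are assumed values; substitute your own.
if [ $# -ge 2 ]; then
    user=$1; dir=$2; host=${3:-localhost}; addr=${4:-127.0.0.1}
    echo "== effective sshd config for $user"
    sshd -T -C "user=$user,host=$host,addr=$addr" | effective_config_ok || exit 1
    echo "== ownership/modes of $dir and its parents"
    chroot_component_lines "$dir" | chroot_components_ok || exit 1
    echo "PASS"
fi
```

These checks complement, rather than replace, the interactive tests in the question: `sshd -T` shows what sshd will apply, and the component walk reproduces the check sshd performs at session start, but an actual `sftp` login followed by `pwd` and `cd ..` is still the end-to-end confirmation that the session lands in the chroot root and cannot leave it.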

