Here's how to set up rssh on Ubuntu to allow sftp only, with a chroot directory. Note that these instructions are for Ubuntu Server 9.04 x64; other versions may require c
First, add the rssh package.
sudo apt-get install rssh
Second, edit /etc/rssh.conf. Uncomment the #allowsftp line and one of the #chrootpath lines, and set the chrootpath to wherever you want your top-level chroot directory.
Third, modify or add whichever users you want to access using sftp and set their shell to /usr/bin/rssh.
Fourth, set up the chroot environment, which includes copying the following from the main system into your chroot directory:
./etc/ld.so.cache
./etc/resolv.conf
./etc/ld.so.conf.d/x86_64-linux-gnu.conf
./etc/ld.so.conf.d/libc.conf
./etc/ld.so.conf
./etc/passwd
./etc/group
./etc/nsswitch.conf
./etc/rssh.conf
./usr/bin/rssh
./usr/lib/libgssapi_krb5.so.2.2
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/openssh/sftp-server
./usr/lib/libk5crypto.so.3.1
./usr/lib/libkrb5support.so.0.1
./usr/lib/libkrb5.so.3.3
./lib/libutil-2.9.so
./lib/libz.so.220.127.116.11
./lib/libpthread-2.9.so
./lib/libdl-2.9.so
./lib/libnsl-2.9.so
./lib/libcrypt-2.9.so
./lib/ld-2.9.so
./lib/libresolv-2.9.so
./lib/libnss_files-2.9.so
./lib/libc-2.9.so
./lib/libkeyutils-1.2.so
./lib/libcom_err.so.2.1
./lib/libnss_compat-2.9.so
./lib/libcrypto.so.0.9.8
Additionally, set up these links, again copying what's set up in the main system.
./usr/lib/libkrb5support.so.0
./usr/lib/libgssapi_krb5.so.2
./usr/lib/libk5crypto.so.3
./usr/lib/libkrb5.so.3
./lib/ld-linux-x86-64.so.2
./lib/libutil.so.1
./lib/libkeyutils.so.1
./lib/libnss_files.so.2
./lib/libnsl.so.1
./lib/libcom_err.so.2
./lib/libdl.so.2
./lib/libc.so.6
./lib/libz.so.1
./lib/libresolv.so.2
./lib/libpthread.so.0
./lib/libnss_compat.so.2
./lib/libcrypt.so.1
./lib64
You may want to strip out users/groups you don't want visible from the etc/passwd and etc/group files.
Fifth, create a dev directory in your chroot directory, then create a /dev/null in it as follows.
mknod -m 666 dev/null c 1 3
Sixth, edit /etc/default/syslogd and update the SYSLOGD="" line as follows.
SYSLOGD="-a /[chroot dir]/dev/log"
Then restart syslogd.
sudo /etc/init.d/sysklogd restart
Note that if you add users/groups to the system /etc/passwd and /etc/group files, they will need to be copied again (possibly just the new lines) into the appropriate files in the chroot directory's etc.
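One way to handle both the stripping of unwanted users/groups and the re-copy after adding accounts, as an added example that is not part of the original instructions: the function below rebuilds the chroot's etc/passwd and etc/group so they list only accounts whose shell is /usr/bin/rssh. The function name sync_chroot_accounts and the rule that only rssh accounts should be visible inside the chroot are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. The function name and the rule
# "visible in the chroot = login shell is rssh" are assumptions.
RSSH_SHELL=/usr/bin/rssh

# sync_chroot_accounts SRC_ETC CHROOT_DIR
# Rebuilds CHROOT_DIR/etc/passwd and etc/group from SRC_ETC/passwd and group.
sync_chroot_accounts() {
    src=$1
    jail=$2
    mkdir -p "$jail/etc" || return 1

    # passwd: keep only entries whose 7th field (login shell) is rssh.
    awk -F: -v shell="$RSSH_SHELL" '$7 == shell' "$src/passwd" \
        > "$jail/etc/passwd.new" || return 1

    # group: keep a group when it is the primary group of a kept user or has
    # a kept user as a member; other member names are dropped from the list.
    awk -F: -v OFS=: '
        NR == FNR { user[$1] = 1; gid[$4] = 1; next }
        {
            n = split($4, m, ","); keep = ""
            for (i = 1; i <= n; i++)
                if (m[i] in user) keep = (keep == "" ? m[i] : keep "," m[i])
            if (($3 in gid) || keep != "") { $4 = keep; print }
        }' "$jail/etc/passwd.new" "$src/group" \
        > "$jail/etc/group.new" || return 1

    # Write to temporary names first so a failed run never leaves a
    # half-written passwd or group file in the chroot.
    chmod 644 "$jail/etc/passwd.new" "$jail/etc/group.new" || return 1
    mv "$jail/etc/passwd.new" "$jail/etc/passwd" &&
        mv "$jail/etc/group.new" "$jail/etc/group"
}

# Run as: sudo sh sync_chroot_accounts.sh /etc "[chroot dir]"
if [ "$#" -eq 2 ]; then
    sync_chroot_accounts "$1" "$2"
fi
```

Run it again whenever an sftp user is added or removed, so the copies inside the chroot never carry more account names than the sftp users need to see.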