RSA authentication with chrooted sFTP – authorized_keys location

There’s something slightly annoying about the default location of the authorized_keys file when you’re working with chrooted sFTP.

The user’s home directory is interpreted relative to the chroot jail; the default authorized_keys location (%h/.ssh/authorized_keys), however, is resolved relative to the real root of the server, even though the path is written as %h rather than /%h. (To be clear, %h is the user’s home directory.)

So, for example, you have the following setup:

username = sftp
chroot jail = /home/sftp/jail/
home directory = /upload
(therefore actual directory = /home/sftp/jail/upload)

(I use a folder named upload as the home directory because the root of the chroot jail cannot be writable by the user: it has to be owned by root. If you create an additional directory owned by the user sftp and direct them into it by default when they log in, they can read and write there without having to change directory first.)

In this setup, using the default authorized_keys file location, you would need to create a new directory /upload in the real root of your server just to store this user’s authorized_keys file. Not a great solution.

So what to do?  Change the default location of the authorized keys file; I’ve done the following:

/usr/local/share/keys/sftp/.ssh/authorized_keys (create additional directories for each user that needs to use sFTP OR SSH)

And then in /etc/ssh/sshd_config, set the AuthorizedKeysFile directive to:

/usr/local/share/keys/%u/.ssh/authorized_keys

Obviously move the authorized_keys from the default location of /home/sftp/.ssh/authorized_keys to this new location, and make sure your user (sftp in this case) is the owner of the file.  Do this for all users of sftp or ssh.

Restart ssh and you’re done.
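One caveat worth checking before you restart: with StrictModes on (sshd’s default), the key file and every directory above it must be owned by root or by the user and must not be group- or world-writable, otherwise sshd silently ignores the key. The following POSIX sh helper is an added example, not part of the original post; the path and user name are the ones used above, and the function name check_key_path is my own.

```shell
#!/bin/sh
# Added example: verify that a relocated authorized_keys path satisfies the
# ownership/permission rules sshd enforces under StrictModes. sshd walks from
# the key file up through its parent directories and rejects the file if any
# component is not owned by root or the user, or is group/world-writable.
# When the file lies under the user's home directory the walk stops there;
# otherwise it continues to /. Pass the stop directory as the third argument.
#
# Usage: check_key_path FILE USER [STOPDIR]
# Prints the first offending path and returns 1; returns 0 when all is well.

check_key_path() {
    file=$1; user=$2; stop=${3:-/}
    case $file in
        /*) ;;
        *) echo "need an absolute path: $file"; return 1 ;;
    esac
    p=$file
    while :; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; return 1
        fi
        # owner must be root or the user whose key this is
        if [ -z "$(find "$p" -prune \( -user root -o -user "$user" \) -print)" ]; then
            echo "bad owner: $p"; return 1
        fi
        # neither group-writable (020) nor world-writable (002)
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "bad mode: $p"; return 1
        fi
        [ "$p" = "$stop" ] && return 0
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Run against the layout from this post when invoked with arguments, e.g.
#   sh check_key_path.sh /usr/local/share/keys/sftp/.ssh/authorized_keys sftp
if [ $# -ge 2 ]; then
    check_key_path "$@"
fi
```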
