来自 http://prefetch.net/blog/index.php/category/openssh/

I recently learned about the new ChrootDirectory in OpenSSH 5.2, and wanted to play around with it to see what it was capable of. To begin my quest, I started off by creating a couple of users that would be chroot’ed to their home directories when they logged into the server with sftp. Once the users were created, I added the following configuration stanza to my sshd_config file to chroot these users when they logged in with their sftp client:

>>>>> --------- 为了chroot的需要 ------------->>>

Match user u1,u2,u3 <<------ man sshd_config 可以匹配的方式有好几种，这里只是用到User方式
ChrootDirectory /home/%u <<--- 指定chroot的目录, %u 用户变量
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp <<---- 这个也很重要了，在man sshd_config有介绍

Once these directives where added, I started up the daemon in debug mode:

$ /usr/local/sbin/sshd -ddd -f /usr/local/etc/sshd_config   <<< 调试模式

Debug mode will cause the daemon to log verbosely to stdout, which is extremely useful for locating problems with new configuration directives. Now that the daemon was running, I tried to login with the user u1:

$ sftp -oPort=222 u1@192.168.1.15
Connecting to 192.168.1.15…
u1@192.168.1.15’s password:
Read from remote host 192.168.1.15: Connection reset by peer
Connection closed

The first attempt was a no go, but luckily verbose logging made debugging this issue a snap:

debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: safely_chroot: checking ‘/’
debug3: safely_chroot: checking ‘/home/’
debug3: safely_chroot: checking ‘/home/u1′
bad ownership or modes for chroot directory “/home/u1″

$ sftp -oPort=222 u1@192.168.1.15
Connecting to 192.168.1.15…
u1@192.168.1.15’s password:
sftp> pwd
Remote working directory: /
sftp> ls -l
drwxr-xr-x 2 1001 1001 4096 Mar 15 15:03 uploads
sftp> cd uploads
sftp> ls -l
-rw-r–r– 1 1001 1001 39655552 Mar 15 15:04 techtalk1.mp3
sftp> put techtalk2*
Uploading techtalk2.mp3 to /uploads/techtalk2.mp3
techtalk2.mp3 3% 3776KB 2.3MB/s 00:39 ETA^
sftp> ls -l
-rw-r–r– 1 1001 1001 5046272 Mar 15 15:11 techtalk2.mp3
-rw-r–r– 1 1001 1001 39655552 Mar 15 15:04 techtalk1.mp3

This is super useful, though building chroot jails for normal SSH sessions will require a bit more work (i.e., you need to populate the chroot directory with all the config files and binaries needed to run a typical shell session). Makejail can make this a WHOLE lot easier, and I am about to submit a patch to the makejail developers to allow it to work on Solaris hosts. OpenSSH rocks!

======================

$ sudo ls -dlh axlrose/
drwxr-x--- 5 root axlrose 216 08-19 14:27 axlrose/

用户目录设置三步曲
1 将该目录的 other权限全部清掉

2 将group的write去掉

3, 将 user 设置为root

$ sudo ls -l axlrose/
总计 4
drwxr-xr-x 2 root    axlrose 48 08-19 14:27 download
-rw-r--r-- 1 axlrose axlrose  9 08-19 14:23 this_is_axlrose_home.txt
drwxrwxr-x 2 root    axlrose 72 08-19 14:29 upload

注意权限位,对应upload 上传只是在 download的基础上group添加w权限

$ sudo tree axlrose/
axlrose/
|-- download
|-- this_is_axlrose_home.txt
`-- upload
`-- x.log

2 directories, 2 files

其中upload目录下的x.log是我使用sftp上传的

------------------

#Subsystem      sftp    /usr/lib/ssh/sftp-server  <<<-----注释掉
Subsystem       sftp    internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Match  User axlrose  <<----只匹配用户
ChrootDirectory  /home/%u   <<<限制目录
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp  <<--- 一定要设置
---------------------------------------

Aug 19 14:39:08 bsd sshd[22383]: fatal: bad ownership or modes for chroot directory "/home/sftp"
修改权限后

drwxr-xr-x   2 root    sftp     512B  8 19 14:37 sftp

再使用sftp sftp@127.0.0.1 就可以进去了,经常测试,可以不一定非要清除用户目录的other权限

sftp> pwd
Remote working directory: /
sftp> ls
download               this_sftp_dir.txt      upload
sftp> lpwd
Local working directory: /home
sftp> lcd arch
sftp> put x.log
Uploading x.log to /x.log 
Couldn't get handle: Permission denied     <<--- 因为都没有写权限
sftp> pwd
Remote working directory: /
sftp> cd upload
sftp> put x.log                       <<--------创建download, upload目录
Uploading x.log to /upload/x.log
Couldn't get handle: Permission denied  <<--- 因为都没有写权限
sftp> put x.log          <<<--------- 将upload 的group权限添加w
Uploading x.log to /upload/x.log   
x.log                                                     100%  913     0.9KB/s   00:00

我BLOG记录的地址, 很乱 http://hi.baidu.com/3444542/blog/item/807c78114fc5c7cea7ef3fb1.html
以前折前过openssh for linux 是成功的,但一直没在FreeBSD下面试成功,看到有网友也在折腾这功能,就打算花点时间弄弄
结果在权限位上卡了很长时间,太菜了没办法, 记录下来分享一下,免得可能有的朋友也遇到此问题浪费时间.
大致过程如下:
一,使用adduser 新建一个叫sftp的用户, 用户目录在 /home/sftp
二,修改用户目录拥有者为root  , 将group的写权限给干掉
[code]
sudo chown root:sftp /home/sftp

sudo chmod g-w  /home/sftp
drwxr-xr-x   2 root    sftp     512B  8 19 14:37 sftp

[/code]

三, 在/home/sftp 目录下新建两个目录,分别为  download, upload
修改upload的组权限可写,为了上传使用,而download是没有write权限的,只能下载

四, /usr/ports/security/openssh-portable && sudo make config  在这里要要将openssh_chroot功能选项使能
make install clean
五,安装完成后,会看到有提示信息,注意,它可是安在/usr/local/bin 下的,而原来的sshd可是/usr/sbin/sshd 下,源代码是在/usr/src/下面的
接下来要做的是将 原先的sshd禁用,开启openssh-portable安装的sshd, 将/etc/rc.conf 里的sshd设置为sshd_enable="NO", 添加 openssh_enable="YES", 就完成了启动所必须的工具.

六. 重要的一点,需要修改的不是 /etc/ssh/sshd_config 而是 修改 /usr/local/etc/ssh/sshd_config 配置文件,切记别大意
[code]

# override default of no subsystems
#Subsystem      sftp    /usr/local/libexec/sftp-server  <<<< 原来的这行注释掉
Subsystem       sftp    internal-sftp   <<<---添加的新行

# Example of overriding settings on a per-user basis
Match User sftp              <<----   匹配用户为 sftp ,  man sshd_config 有更详细的介绍,还支持用户组,同进设置多用户等
ChrootDirectory  /home/%u   <<-------指定chroot的目录, %u 为转换成用户名, 也就是 /home/sftp 目录了,帮助上显示 %h就带表home了
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp     <<---- 添加这句  internal-sftp
#ForceCommand cvs server  <<--- 这句也注释掉

[/code]

大功告成,测试.
若有遗漏再补充,望请大虾们再指点一下

http://bbs3.chinaunix.net/thread-1547966-1-1.html 发到CU的网址