My Hugo Journey


Chroot OSX High Sierra 10.13.6 SFTP Server

January 28, 2020

Remote Login is a feature in Mac OS X's Sharing preferences that allows remote users to connect to a Mac in a secure fashion. Additionally, it includes and enables the SFTP server, which is the secure replacement for FTP.

Notes:
By enabling SFTP in Sharing preferences the SSH server will be disabled.
You will need to stop and restart the server a few times during this procedure:

Terminal:
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd

System Preferences - users

Create a group sftpgroup
Create a standard user sftpuniversal

System Preferences - sharing

Allow ssh remote login for sftpuniversal (or all users)

SFTP server configuration

Terminal:
sudo pico /etc/ssh/sshd_config
# sshd_config,v 1.103 2018/04/09 (version line of the stock file)

# override default of no subsystems
# Subsystem sftp /usr/libexec/sftp-server
# Subsystem sftp internal-sftp -l VERBOSE -f LOCAL3
Subsystem sftp internal-sftp

# A Match block extends to the next Match line, so a "Match User" line that is
# immediately followed by "Match Group" carries no directives, and criteria on
# a single Match line are ANDed. Give the user and the group their own blocks.
Match User sftpuniversal
    ForceCommand internal-sftp
    ChrootDirectory /chroot/%u
    X11Forwarding no
    AllowTcpForwarding no

Match Group sftpgroup
    ForceCommand internal-sftp
    ChrootDirectory /chroot/%u
    X11Forwarding no
    AllowTcpForwarding no
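To see which directives sshd actually applies to a given login, here is an added example (not from the post) that resolves a small sshd_config text the way sshd does: the global section applies to everyone, a Match block runs until the next Match line, and criteria on one Match line are ANDed. The sample config and the user/group names are constructed to mirror the post's layout; only the User and Group criteria are handled, which is an assumption made to keep the example short.

```python
import shlex

def _match_applies(criteria, user, groups):
    """True when every criterion on a Match line holds (criteria are ANDed).
    Only User and Group are handled; any other criterion is treated as not
    matching (an assumption that keeps this example small)."""
    for key, value in zip(criteria[::2], criteria[1::2]):
        wanted = value.split(",")
        if key.lower() == "user" and user not in wanted:
            return False
        if key.lower() == "group" and not set(groups) & set(wanted):
            return False
        if key.lower() not in ("user", "group"):
            return False
    return True

def effective_settings(config_text, user, groups=()):
    """Directives sshd would apply to `user` who belongs to `groups`.
    A Match block runs until the next Match line, so a Match line immediately
    followed by another Match line carries no directives. The first value seen
    for a keyword wins, and an applicable Match block overrides the global one."""
    global_settings, match_settings = {}, {}
    target = global_settings  # the global section applies to everyone
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":
            target = match_settings if _match_applies(args, user, groups) else None
            continue
        if target is not None:
            target.setdefault(key, " ".join(args))
    return {**global_settings, **match_settings}

def chroot_for(config_text, user, groups=()):
    """ChrootDirectory for `user` with %u expanded, or None if not chrooted."""
    path = effective_settings(config_text, user, groups).get("ChrootDirectory")
    return path.replace("%u", user) if path else None

# Constructed sample in the post's layout: "Match User" is directly followed by
# "Match Group", so the directives below belong to the group block alone.
AS_POSTED = """\
Subsystem sftp internal-sftp
Match User sftpuniversal
Match Group sftpgroup
ForceCommand internal-sftp
ChrootDirectory /chroot/%u
AllowTcpForwarding no
"""
```

With the layout above, `chroot_for(AS_POSTED, "sftpuniversal", ("staff",))` returns None unless the user is also a member of sftpgroup; removing the "Match Group" line (or giving it its own directives) restores the chroot for the user.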

Configure folders:

Terminal:
sudo mkdir /chroot
sudo mkdir /chroot/bin
sudo cp /bin/bash /chroot/bin
sudo cp /bin/sh /chroot/bin
sudo mkdir /chroot/sftpuniversal
sudo mkdir /chroot/sftpuniversal/fruitbox
sudo chroot -u sftpuniversal /chroot
Note: Choose any name you like for the 'fruitbox' folder. Every component of the ChrootDirectory path (/chroot and /chroot/sftpuniversal) must be owned by root and must not be writable by group or others, which is why these folders are created with sudo; sshd refuses the login otherwise. Only the fruitbox folder inside the chroot is opened up for the user.

Chroot

Verify that you are restricted (chrooted) to the fruitbox folder alone, and cannot access files or folders in other areas of the remote server.

Permissions

Verify that you can upload and download files and folders via the fruitbox folder. You may have to adjust the permissions on the remote server's fruitbox folder using Get Info.

Log in using an SFTP client:

Host: sftp://xxx.xxx.xxx.xxx (The IP address of the remote SFTP server.)
Username: sftpuniversal
Password: The password you chose when you created user sftpuniversal on the remote server.
Port: 22
Remote Directory: /fruitbox


FTP operates on two different Transmission Control Protocol (TCP) ports: 20 and 21. Both ports must be open on the network for successful file transfers.

SFTP usually uses port 22 but can be configured to run on nearly any port. Port 22 is generally used for connection via SSH. SFTP is just one of the protocols that can be run over SSH (others include the virtual terminal). In fact, SFTP is independent of SSH and can be run even without it.

SFTP is sometimes called Secure FTP, which leads to a common confusion with FTPS (which is called Secure FTP too).