Wednesday, December 10, 2008

OpenSSH using Cygwin with CHROOT support

Given how many sites I had to hit and how much experimentation I did to figure this one out (credits below), it seems like a good idea to document it somewhere. Making it available to the world is only right. :-)

The goal is to create an OpenSSH installation on Windows (using Cygwin) that forces each user into their own chroot "jail", where all they see is their own files. As an added bonus, you can apply this restriction only to selected logins based on their group.

This first cut is short on some details; I wanted to get it out of my head and start the documentation.


  1. Install Cygwin, being sure to select the OpenSSH package.
  2. Create /etc/passwd and /etc/group with mkpasswd and mkgroup.
  3. Manually add a root user and group as follows:

    1. Root user

      1. Edit /etc/passwd and copy the "Administrator" user line.
      2. Change "Administrator" to "root".
      3. Change the uid and gid (usually 500 and 513 respectively) to 0 and 0.

    2. Root group

      1. Edit /etc/group and copy the "Administrators" group line.
      2. Change "Administrators" to "root".
      3. Change the group id (usually 544) to 0; be sure to leave the second field alone.
      4. Move the "root" group above the "Administrators" group if it is not already there.

  4. Create a chroot directory:
    mkdir /jail
  5. Change ownership of the chroot directory to root:root:
    chown root:root /jail
  6. For each user to be chrooted:

    1. Create /jail/%user/home/%user.
    2. Make sure every directory on the path /jail/%user/home is owned by root:root. sshd refuses the login ("bad ownership or modes for chroot directory") if the ChrootDirectory (/jail/%user here) or any directory above it is not owned by root or is writable by group or others.
    3. Make sure ownership of the /jail/%user/home/%user directory is %user:Users, so the user lands in a directory they can write to.

  7. Edit /etc/sshd_config and:

    1. Go to the bottom of the file.
    2. Find the Subsystem sftp line and change it from "/usr/...." to "internal-sftp" (no path):

      Subsystem sftp internal-sftp

    3. Add (or edit the existing) block at the bottom to look like:

      # Example of overriding settings on a per-user basis
      Match Group your_sftp_only_group
      ChrootDirectory /jail/%u
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no
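As an added example (not code from the original post), here is a small POSIX sh script that checks a jail laid out as /jail/%user/home/%user the way sshd will before chrooting a user into it; it goes slightly beyond step 6 by also walking every directory above /jail/%user, which sshd checks too. It assumes GNU stat (Cygwin ships GNU coreutils), and the user name and jail base are command-line arguments so it can be pointed at a scratch tree as well as the real /jail.

```shell
#!/bin/sh
# Added example, not part of the original post: check a jail laid
# out as /jail/%u/home/%u before a user is chrooted into it.
# Assumes GNU stat (Cygwin ships GNU coreutils). Usage:
#   sh check_jail.sh <user> [jail_base]   (jail_base defaults to /jail)

# True (exit 0) when an octal mode string from `stat -c %a` has a
# group or world write bit set: 18 decimal is 022 octal.
grp_or_world_writable() {
    [ $(( (0$1) & 18 )) -ne 0 ]
}

# sshd accepts a directory on the ChrootDirectory path only if it is
# owned by uid 0 and not writable by group or others; otherwise the
# login fails with "bad ownership or modes for chroot directory".
check_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" = 0 ] || { echo "not root-owned (uid $uid): $dir"; return 1; }
    if grp_or_world_writable "$mode"; then
        echo "group/world writable ($mode): $dir"; return 1
    fi
    return 0
}

# sshd checks ChrootDirectory (/jail/%u) and every directory above it
# up to /; the post additionally wants /jail/%u/home root-owned so that
# the only writable place inside the jail is /home/%u.
check_chroot() {
    base=$1; user=$2; rc=0
    p=$base/$user
    while :; do
        check_dir "$p" || rc=1
        case $p in /|.) break ;; esac   # stop at / (or at "." for a relative path)
        p=$(dirname "$p")
    done
    check_dir "$base/$user/home" || rc=1
    home=$base/$user/home/$user
    [ -d "$home" ] || { echo "missing home: $home"; rc=1; }
    return $rc
}

# Only run when a user is given on the command line.
[ $# -ge 1 ] && check_chroot "${2:-/jail}" "$1"
```

The script prints one line per problem and exits non-zero, so it can be run right after steps 4 to 6 and again whenever a login fails with the ownership error.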




References:
To end up in writable directory
More windows setup help
Setting up pubkey auth
I include this reference, but the ssh-host-config script that installs with Cygwin's OpenSSH should handle all this now.