Setup Chroot SFTP in Linux. Securing SFTP
If you leave the system at its defaults and give a user sftp access, that user can browse the whole root filesystem. In this article we explain how to secure sftp access by jailing the user in a specific directory.
We will setup SFTP Chroot Jail.
Non Chroot jail sftp scenario
This is the typical scenario (sftp left at its default configuration): the user oracle can sftp to our system and browse the whole filesystem.
[root@localhost home]# sftp oracle@localhost
Connecting to localhost...
oracle@localhost's password: #####
sftp> pwd
Remote working directory: /home/oracle
sftp> cd /opt
sftp> ls -l
drwxr-xr-x 3 root root 4096 Oct 31 22:40 ORCLfmap
The logged-in user could fetch files from anywhere in the filesystem.
Chroot jail sftp scenario
Now an example where the user is jailed in a specific directory and can only see what we have specified.
If the user tries to change directory, for example 'cd /opt', he gets an error.
[root@localhost ~]# sftp sftpuser@localhost
Connecting to localhost...
sftpuser@localhost's password:
sftp> pwd
Remote working directory: /
sftp> cd /opt
Couldn't canonicalise: No such file or directory
sftp>
Create the sftp group
We are going to create an sftp group called sftpgroup; every user who belongs to this group will be jailed into the sftp chroot directory.
[root@localhost home]# groupadd sftpgroup
Create the sftp users
Now we will create a system user that can access our system only through the sftp protocol, not ssh.
We use useradd to create the user and assign it to the sftpgroup created in the previous step, set its home directory to /sftpdir and set its shell to /sbin/nologin (this is what we call a system user: it cannot log in through ssh and has no shell assigned).
[root@localhost ~]# useradd -g sftpgroup -d /sftpdir -s /sbin/nologin sftpuser
Configure the sftp-server subsystem (/etc/ssh/sshd_config file)
Now we will setup the sshd service to use the internal-sftp.
We have to edit the /etc/ssh/sshd_config file, e.g. with vi.
Comment out the following line in /etc/ssh/sshd_config:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Now insert the following line into /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Chroot directory for a group in /etc/ssh/sshd_config file
We want to restrict only the users who belong to sftpgroup to the chroot jail directory. Add the following lines at the end of /etc/ssh/sshd_config:
Match Group sftpgroup
    ChrootDirectory /sftpdir/%u
    ForceCommand internal-sftp
- Match Group sftpgroup - The directives that follow apply only to users who belong to sftpgroup.
- ChrootDirectory /sftpdir/%u - The directory that becomes the user's root once authenticated; %u expands to the user name, so in our example it is /sftpdir/sftpuser.
- ForceCommand internal-sftp - Forces the internal sftp server for this group, so these users can run nothing else over ssh.
Sftp home directory
Now we are going to create the sftp home directory /sftpdir
[root@localhost ~]# mkdir /sftpdir
We have to create one directory for every user, in our case sftpuser:
[root@localhost /]# mkdir /sftpdir/sftpuser
The /sftpdir/sftpuser directory will be / for sftpuser. Note that sshd requires the chroot directory and every directory above it to be owned by root and not writable by group or others, otherwise the login is refused, so leave /sftpdir/sftpuser owned by root. Inside it, create the directories you want the user to work in and give those to sftpuser; this is what the user sees once logged in.
[root@localhost /]# mkdir /sftpdir/sftpuser/mydir
Permissions for the sftp user directories
Now we set the owner of the /sftpdir/sftpuser/mydir directory to sftpuser and sftpgroup as follows:
[root@localhost sftpuser]# chown sftpuser:sftpgroup /sftpdir/sftpuser/mydir/
[root@localhost sftpuser]# ls -lrt /sftpdir/sftpuser/
total 4
drwxr-xr-x. 2 sftpuser sftpgroup 4096 dic 10 18:29 mydir
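Before restarting sshd it is worth checking that the chroot path meets sshd's ownership and mode rules, since a single group-writable component (a common slip after a chown) makes every login for that user fail. The following check script is an added example, not part of the original article; it assumes the /sftpdir/sftpuser layout used above and GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example (not from the original article): check a ChrootDirectory path the
# way sshd does. sshd refuses the session with "bad ownership or modes for chroot
# directory" unless every component of the path (/, /sftpdir, /sftpdir/sftpuser)
# is owned by root and is not writable by group or others.
# Assumes GNU stat (-c), as on the Linux system the article uses.

# Return 0 if an octal mode string (e.g. 755 or 1777) has no group/other write bit.
mode_is_safe() {
    m=$(printf '%04d' "$1")      # pad so the last two digits are always group+other
    tail=${m#"${m%??}"}
    grp=${tail%?}
    oth=${tail#?}
    [ $((grp & 2)) -eq 0 ] && [ $((oth & 2)) -eq 0 ]
}

# Walk from the chroot directory up to / and report every component sshd would
# reject. Returns 0 only if the whole path is acceptable.
check_chroot_path() {
    path=$1
    status=0
    while :; do
        if [ ! -d "$path" ]; then
            echo "MISSING        $path"
            status=1
        else
            mode=$(stat -c %a "$path")
            [ "$(stat -c %u "$path")" -eq 0 ] || { echo "NOT ROOT-OWNED $path"; status=1; }
            mode_is_safe "$mode" || { echo "WRITABLE       $path (mode $mode)"; status=1; }
        fi
        [ "$path" = / ] && break
        path=${path%/*}
        [ -z "$path" ] && path=/
    done
    return "$status"
}

# Syntax-check sshd_config (where the Match block lives) before restarting sshd.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found; skipping config test"; return 0; }
    sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

if check_chroot_path /sftpdir/sftpuser && check_sshd_config; then
    echo "OK: chroot path and sshd_config look fine, safe to restart sshd"
fi
```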
Restart sshd daemon
[root@localhost sftpuser]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@localhost sftpuser]#
Test chroot sftp
[root@localhost ~]# sftp sftpuser@localhost
Connecting to localhost...
sftpuser@localhost's password:
sftp> pwd
Remote working directory: /
sftp>
sftp> ls
mydir
sftp>