Differences

This shows you the differences between two versions of the page.

--- ftp:setup_chroot_sftp [2016/10/18 14:09] – [7. Restart sshd and Test Chroot SFTP] peter
+++ ftp:setup_chroot_sftp [2019/11/29 14:30] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== FTP - Setup chroot SFTP ======
-Setup a SFTP Chroot Jail that will be used only to transfer files (and not to ssh to the system).
-In a typical sftp scenario (when chroot sftp is not setup), if you use sftp, you can see root’s file as shown below.
-If you want to give sftp access on your system to outside vendors to transfer files, you should not use standard sftp.  Instead, you should setup Chroot SFTP Jail as explained below.
-===== Non-Chroot SFTP Environment =====
-In the following example (a typical sftp environment), john can sftp to the system, and view /etc folder and download the files from there.
-<code bash>
-sftp john@example.com
-john@example.com password:
-sftp> pwd
-Remote working directory: /home/john
-sftp> ls
-projects  john.txt documents
-sftp> cd /etc
-sftp> ls -l passwd
--rw-r--r--    0 0        0            3750 Dec 29 23:09 passwd
-sftp> get passwd
-Fetching /etc/passwd to passwd
-/etc/passwd     100% 3750     3.7KB/s   00:00
-</code>
-===== Chroot SFTP Environment =====
-In the following example, john can sftp to the system, and view only the directory that you’ve designated for john to perform sftp (i.e /incoming).
-When john tries to perform ‘cd /etc’, it will give an error message.  Since SFTP is setup in an chroot environment, john cannot view any other files in the system.
-<code bash>
-# sftp john@example.com
-john@example.com password:
-sftp> pwd
-Remote working directory: /home/john
-sftp> ls
-sftp> cd /etc
-Couldn't canonicalise: No such file or directory
-</code>
-Now that you know what Chroot SFTP environment is, let us see how to set this up.
-===== 1. Create a New Group =====
-Create a group called sftpusers.  Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
-<code bash>
-groupadd sftpusers
-</code>
-===== 2. Create Users (or Modify Existing User) =====
-Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.
-The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).
-<code bash>
-useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
-passwd guestuser
-</code>
-Verify that the user got created properly.
-<code bash>
-grep guestuser /etc/passwd
-guestuser:x:500:500::/incoming:/sbin/nologin
-</code>
-If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:
-<code bash>
-usermod -g sftpusers -d /incoming -s /sbin/nologin john
-</code>
-On a related note, if you have to transfer files from windows to Linux, use any one of the sftp client mentioned in this [[http://www.thegeekstuff.com/2011/06/windows-sftp-scp-clients/|top 7 sftp client list]].
-===== 3. Setup sftp-server Subsystem in sshd_config =====
-You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).
-Modify the the /etc/ssh/sshd_config file and comment out the following line:
-<file bash /etc/ssh/sshd_config>
-#Subsystem       sftp    /usr/libexec/openssh/sftp-server
-</file>
-Next, add the following line to the /etc/ssh/sshd_config file
-<file bash /etc/ssh/sshd_config>
-Subsystem       sftp    internal-sftp
-</file>
-Check that the change is correct:
-<code>
-grep sftp /etc/ssh/sshd_config
-#Subsystem      sftp    /usr/libexec/openssh/sftp-server
-Subsystem       sftp    internal-sftp
-</code>
-===== 4. Specify Chroot Directory for a Group =====
-You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config
-<code bash>
-# tail /etc/ssh/sshd_config
-Match Group sftpusers
-        ChrootDirectory /sftp/%u
-        ForceCommand internal-sftp
-</code>
-In the above:
-  * Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
-  * ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
-  * ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.
-===== 5. Create sftp Home Directory =====
-Since we’ve specified /sftp as ChrootDirectory above, create this directory (which is the equivalent of your typical /home directory).
-<code bash>
-mkdir /sftp
-</code>
-Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.
-<code bash>
-mkdir /sftp/guestuser
-</code>
-So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.
-So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.
-<code bash>
-mkdir /sftp/guestuser/incoming
-</code>
-===== 6. Setup Appropriate Permission =====
-For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.
-Set the ownership to the user, and group to the sftpusers group as shown below.
-<code bash>
-chown guestuser:sftpusers /sftp/guestuser/incoming
-</code>
-The permission will look like the following for the incoming directory.
-<code bash>
-ls -ld /sftp/guestuser/incoming
-drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming
-</code>
-The permission will look like the following for the /sftp/guestuser directory
-<code bash>
-ls -ld /sftp/guestuser
-drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser
-# ls -ld /sftp
-drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
-</code>
-===== 7. Restart sshd and Test Chroot SFTP =====
-Restart sshd:
-<code bash>
-service sshd restart
-</code>
-Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory.
-<code bash>
-sftp guestuser@example.com
-guestuser@example.com password:
-sftp> pwd
-Remote working directory: /incoming
-sftp> cd /
-sftp> ls
-incoming
-</code>
-When guestuser transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/guestuser/incoming directory on the system.