Wednesday, January 23, 2019

SFTP chroot

Issue

  • Restrict a set of chroot users to key-authenticated sftp connections only, without affecting normal users' ssh access.

Resolution

  • Configuring a SFTP server with chroot users and ssh keys

Server setup

  • Create the user on the server
    [root@server ~]# useradd user1
    [root@server ~]# passwd user1
    

Client setup

  • Copy the ssh public key from the client to the server (the user does not have to exist on the client; ssh-copy-id uses an existing key pair and asks for user1's server password once)
    [clientuser@client ~]$ ssh-copy-id user1@server
    
  • Verify the ssh key works correctly from the client
    [clientuser@client ~]$ ssh user1@server
    [user1@server ~]$ exit
    logout
    Connection to server closed.
    [clientuser@client ~]$ 
    
  • Verify that your sftp connection works without a password prompt
    [clientuser@client ~]$ sftp user1@server
    Connected to server
    sftp> quit
    [clientuser@client ~]$
    
Without making any changes, user1 has full access and can ssh or sftp and change to any directory. We'll now make the necessary changes
to chroot user1 and keep them jailed and locked down to a specified directory.

Server setup

  1. Create a new group to add all your jailed chroot users on the server
    [root@server ~]# groupadd sftpusers
    
  2. Create a common directory for all of your jailed chroot users
    [root@server ~]# mkdir /sftp
    
  3. Create a subdirectory for each individual user that you want to chroot
    [root@server ~]# mkdir /sftp/user1
    
  4. Create the "home" directory for the user
    [root@server ~]# mkdir /sftp/user1/home
    
  5. Modify the user to add them to the new group you created
    [root@server ~]# usermod -aG sftpusers user1
    
  6. Change ownership of the user's chrooted "home" directory only. /sftp and /sftp/user1 must stay owned by root and must not be group- or world-writable (the default 0755 from mkdir is correct): sshd checks every component of the ChrootDirectory path and refuses the login with "bad ownership or modes for chroot directory" otherwise.
    [root@server ~]# chown user1:sftpusers /sftp/user1/home/
    
  7. Modify the /etc/ssh/sshd_config file. Replace the existing "Subsystem sftp ..." line (sshd allows only one, and the RHEL default points at /usr/libexec/openssh/sftp-server, a binary that does not exist inside the jail) with the internal-sftp line, and put the Match block at the very end of the file, because every directive after a Match line applies only to that match:
Subsystem   sftp    internal-sftp -d /home
Match Group sftpusers
ChrootDirectory /sftp/%u
    • %u expands to the user name, so user1 is jailed in /sftp/user1 and sees that directory as /. The -d /home start directory is relative to the jail. The -d option was added in OpenSSH 6.2 (RHEL 7 has it; RHEL 6 ships openssh 5.3, where it must be left off and the session simply starts at /).
  • Restart the sshd service
    • RHEL 7:
      [root@server ~]# systemctl restart sshd
      
    • RHEL 6
      [root@server ~]# service sshd restart
      
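The server-side steps above, automated for one user as a script. This is an added example, not part of the original post: it uses the post's layout (/sftp/<user>/home, group sftpusers) and additionally checks the two things sshd is strict about, the ownership and modes of every component of the chroot path and a single Match block at the end of sshd_config, then validates the configuration with sshd -t before restarting. The ForceCommand and forwarding directives are not in the post; they are added because a user who merely lacks a shell inside the jail is still an authenticated ssh user and can otherwise use the server for TCP, agent and X11 forwarding. Assumed: GNU coreutils (stat -c, install -d), OpenSSH 6.2 or later for the -d option, and root privileges when the script is actually applied. The SFTP_ROOT, SFTP_GROUP and SSHD_CONFIG variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): set up one chroot sftp user the
# way the post describes and verify what sshd will reject. Assumes the post's
# layout (/sftp/<user>/home, group sftpusers), GNU coreutils, OpenSSH >= 6.2
# for "-d /home", and root when actually applying it. All names are ours.

SFTP_ROOT=${SFTP_ROOT:-/sftp}
SFTP_GROUP=${SFTP_GROUP:-sftpusers}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# sshd refuses to chroot ("bad ownership or modes for chroot directory")
# unless every component from TOP down to DIR is owned by root and neither
# group- nor world-writable. Walk DIR upwards to TOP and report offenders.
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can be
# exercised on a throwaway tree owned by an unprivileged user.
check_chroot_chain() {  # DIR [TOP] [OWNER_UID]
    local dir top want_uid rc p uid perm
    dir=$1; top=${2:-/}; want_uid=${3:-0}; rc=0; p=$dir
    while :; do
        uid=$(stat -c '%u' "$p") || return 1
        perm=$(stat -c '%A' "$p") || return 1      # e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "$p: owned by uid $uid, must be $want_uid" >&2; rc=1
        fi
        case $perm in
            ?????w*|????????w*)                      # group or other write bit
                echo "$p: mode $perm is group- or world-writable" >&2; rc=1 ;;
        esac
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# The stanza for the END of sshd_config: every directive after a Match line
# belongs to it until the next Match. ForceCommand makes the global Subsystem
# line irrelevant for these users and blocks shell access explicitly instead of
# relying on /bin/bash being absent from the jail; the forwarding options stop
# the key holder from using the server as a relay.
render_match_block() {  # GROUP ROOT
    cat <<EOF
Match Group $1
    ChrootDirectory $2/%u
    ForceCommand internal-sftp -d /home
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Append the stanza once; re-running the script must not duplicate it.
install_match_block() {  # CONFIG GROUP ROOT
    if grep -Eq "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+$2([[:space:]]|\$)" "$1"; then
        echo "Match Group $2 already in $1, leaving it alone" >&2
        return 0
    fi
    { printf '\n'; render_match_block "$2" "$3"; } >> "$1"
}

setup_sftp_user() {  # USER  (must run as root on the server)
    local user
    user=$1
    [ "$(id -u)" -eq 0 ] || { echo "setup_sftp_user must run as root" >&2; return 1; }
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    id "$user" >/dev/null 2>&1 || useradd "$user"
    usermod -aG "$SFTP_GROUP" "$user"
    # /sftp and /sftp/<user> stay root:root 0755; only home/ belongs to the user
    install -d -o root -g root -m 0755 "$SFTP_ROOT" "$SFTP_ROOT/$user"
    install -d -o "$user" -g "$SFTP_GROUP" -m 0755 "$SFTP_ROOT/$user/home"
    check_chroot_chain "$SFTP_ROOT/$user" / 0 || return 1
    install_match_block "$SSHD_CONFIG" "$SFTP_GROUP" "$SFTP_ROOT"
    # Never restart on an unvalidated config: a typo here locks everyone out.
    sshd -t -f "$SSHD_CONFIG" || return 1
    if command -v systemctl >/dev/null 2>&1; then systemctl restart sshd; else service sshd restart; fi
}

# usage: sh sftp_chroot.sh user1   (no argument: only define the functions)
if [ $# -eq 1 ]; then setup_sftp_user "$1"; fi
```

Run it once per jailed user; the group, the directories and the Match block are created only if missing, so it is safe to repeat. check_chroot_chain can also be run on its own against an existing /sftp/user1 when a login fails with the "bad ownership or modes" message in /var/log/secure.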

Client verification

  1. From the client, verify that everything is working now
    [clientuser@client ~]$ ssh user1@server
    Last login: Sat Jun 25 12:54:32 2016 from 192.168.122.1
    Could not chdir to home directory /home/user1: No such file or directory
    /bin/bash: No such file or directory
    Connection to server closed.
    [clientuser@client ~]$ 
    
    • The user can no longer get a shell via ssh: sshd accepts the key, chroots into /sftp/user1, and then cannot find /bin/bash inside the jail. This is a side effect of the empty jail rather than an explicit ban on ssh, so the authenticated connection itself is still allowed; ForceCommand internal-sftp and AllowTcpForwarding no in the Match block are what actually stop shell access and port forwarding. Let's try sftp
      [clientuser@client ~]$ sftp user1@server
      Connected to server.
      sftp> pwd
      Remote working directory: /home
      sftp> cd /etc
      Couldn't canonicalize: No such file or directory
      sftp> 
      
    • OK, the user can connect via sftp, starts in /home, and is confined to /sftp/user1 on the server, which appears to them as /; anything outside the jail, like the real /etc, simply does not exist from their point of view
  2. Make sure a regular user can still log in via ssh without the chroot restrictions
    [clientuser@client ~]$ ssh user2@server
    Last login: Sat Jun 25 13:49:43 2016 from 192.168.122.1
    [user2@server ~]$