Issue
- Restrict chroot users to sftp connections using ssh keys without affecting normal users' access.
Resolution
- Configuring an SFTP server with chroot users and ssh keys
Server setup
- Create the user on the server
[root@server ~]# useradd user1
[root@server ~]# passwd user1
Client setup
- Copy the ssh key from the client to the server (The user does not have to exist on the client)
[clientuser@client ~]$ ssh-copy-id user1@server
- Verify the ssh key works correctly from the client
[clientuser@client ~]$ ssh user1@server
[user1@server ~]$ exit
logout
Connection to server closed.
[clientuser@client ~]$
- Verify that your sftp connection works without a password prompt
[clientuser@client ~]$ sftp user1@server
Connected to server
sftp> quit
[clientuser@client ~]$
Without making any changes, user1 has full access and can ssh or sftp and change to any directory. We'll now make the necessary changes
to chroot user1 and keep them jailed and locked down to a specified directory.
Server setup
- Create a new group to add all your jailed chroot users on the server
[root@server ~]# groupadd sftpusers
- Create a common directory for all of your jailed chroot users
[root@server ~]# mkdir /sftp
- Create a subdirectory for each individual user that you want to chroot
[root@server ~]# mkdir /sftp/user1
- Create the "home" directory for the user
[root@server ~]# mkdir /sftp/user1/home
- Modify the user to add them to the new group you created
[root@server ~]# usermod -aG sftpusers user1
- Change the ownership of the user's chrooted "home" directory only. It's important to leave everything else (/sftp and /sftp/user1) with the default root ownership and permissions, because sshd refuses a ChrootDirectory that is not root-owned or that is writable by group or others.
[root@server ~]# chown user1:sftpusers /sftp/user1/home/
- Modify the /etc/ssh/sshd_config file and add the following lines:
Subsystem sftp internal-sftp -d /home
Match Group sftpusers
ChrootDirectory /sftp/%u
- Restart the sshd service
- RHEL 7:
[root@server ~]# systemctl restart sshd
- RHEL 6:
[root@server ~]# service sshd restart
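Before restarting sshd it is worth checking the two things that most often break this setup: the ownership and mode of /sftp/user1 and every directory above it (sshd rejects the chroot otherwise, and the sftp login fails with "bad ownership or modes for chroot directory"), and the position of the Match block, which extends to the end of sshd_config and therefore has to be the last thing in the file. The script below is an added example, not part of the original article: check_chroot_path walks the path the way sshd's safe_path check does, and effective_sftp_config asks sshd itself which ChrootDirectory and Subsystem settings it would apply to a given user connecting from a given client address (the function name, the owner parameter and the use of the client address 192.168.122.1 from the session above are this example's own assumptions).

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for an
# sftp-only chroot before "systemctl restart sshd" / "service sshd restart".

# check_dir_safe DIR [OWNER]
# Returns 0 if DIR is owned by OWNER (default root) and is not writable by
# group or others; prints the reason and returns 1 otherwise.
check_dir_safe() {
    dir=$1
    owner=${2:-root}
    # "ls -ld" rather than "stat -c" so the check behaves the same on
    # RHEL 6, RHEL 7 and BSD-derived systems.
    line=$(ls -ld "$dir") || return 1
    set -- $line                             # $1 = mode string, $3 = owner
    perm=$(printf '%s' "$1" | cut -c1-10)    # e.g. drwxr-xr-x (drops SELinux "." suffix)
    if [ "$3" != "$owner" ]; then
        echo "$dir: owned by $3, expected $owner"
        return 1
    fi
    case $perm in
        ?????w????) echo "$dir: group-writable ($perm)"; return 1 ;;
        ????????w?) echo "$dir: world-writable ($perm)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [OWNER]
# Checks / and every component of PATH with check_dir_safe, which is what
# sshd requires for ChrootDirectory (e.g. /, /sftp and /sftp/user1).
check_chroot_path() {
    target=$1
    owner=${2:-root}
    oldifs=$IFS
    IFS=/
    set -- $target                           # split the path on "/"
    IFS=$oldifs
    rc=0
    cur=""
    check_dir_safe / "$owner" || rc=1
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        check_dir_safe "$cur" "$owner" || rc=1
    done
    return $rc
}

# effective_sftp_config USER CLIENT_ADDR
# Syntax-checks sshd_config, then prints the chroot/subsystem settings sshd
# would apply to USER connecting from CLIENT_ADDR. Needs root (sshd -T reads
# the host keys). Older sshd versions require user, host and addr together.
effective_sftp_config() {
    sshd -t -f /etc/ssh/sshd_config || return 1
    sshd -T -C "user=$1,host=$2,addr=$2" \
        | grep -iE '^(chrootdirectory|subsystem|forcecommand) '
}

# Stand-alone use: ./check_chroot.sh /sftp/user1
if [ -n "${1:-}" ]; then
    check_chroot_path "$1" && echo "$1: ok for ChrootDirectory"
fi
```

Run it as root on the server, e.g. `sh check_chroot.sh /sftp/user1` followed by `effective_sftp_config user1 192.168.122.1`; the second command should list `chrootdirectory /sftp/%u` and the `subsystem sftp internal-sftp` line, and will show no chrootdirectory line for a user such as user2 who is not in the sftpusers group.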
Client verification
- From the client, verify that everything is working now
[clientuser@client ~]$ ssh user1@server
Last login: Sat Jun 25 12:54:32 2016 from 192.168.122.1
Could not chdir to home directory /home/user1: No such file or directory
/bin/bash: No such file or directory
Connection to server closed.
[clientuser@client ~]$
- The user can no longer connect via ssh, because inside the chroot there is no /home/user1 and no /bin/bash. Let's try sftp:
[clientuser@client ~]$ sftp user1@server
Connected to server.
sftp> pwd
Remote working directory: /home
sftp> cd /etc
Couldn't canonicalize: No such file or directory
sftp>
- OK, the user can successfully connect via sftp and is still restricted to their "home" directory inside the chroot: the /etc they try to reach is /sftp/user1/etc, which does not exist.
- Make sure a regular user can still log in via ssh without the chroot restrictions
[clientuser@client ~]$ ssh user2@server
Last login: Sat Jun 25 13:49:43 2016 from 192.168.122.1
[user2@server ~]$