Wednesday, January 23, 2019

SFTP chroot

Issue

  • Restrict chroot users to sftp connections using ssh keys without affecting normal user's access.

Resolution

  • Configuring a SFTP server with chroot users and ssh keys

Server setup

  • Create the user on the server
    Raw
    [root@server ~]# useradd user1
[root@server ~]# passwd user1

Client setup

  • Copy the ssh key from the client to the server (The user does not have to exist on the client)
    Raw
    [clientuser@client ~]$ ssh-copy-id user1@server
  • Verify the ssh key works correctly from the client
    Raw
    [clientuser@client ~]$ ssh user1@server
[user1@server ~]$ exit
logout
Connection to server closed.
[clientuser@client ~]$
  • Verify that your sftp connection works without a password prompt
    Raw
    [clientuser@client ~]$ sftp user1@server
Connected to server
sftp> quit
[clientuser@client ~]$
Without making any changes, user1 has full access and can ssh or sftp and change to any directory. We'll now make the necessary changes
to chroot user1 and keep them jailed and locked down to a specified directory.

Server setup

  1. Create a new group to add all your jailed chroot users on the server
    Raw
    [root@server ~]# groupadd sftpusers
  2. Create a common directory for all of your jailed chroot users
    Raw
    [root@server ~]# mkdir /sftp
  3. Create a subdirectory for each individual user that you want to chroot
    Raw
    [root@server ~]# mkdir /sftp/user1
  4. Create the "home" directory for the user
    Raw
    [root@server ~]# mkdir /sftp/user1/home
  5. Modify the user to add them to the new group you created
    Raw
    [root@server ~]# usermod -aG sftpusers user1
  6. Change permission for the users chrooted "home" directory only. It's important to leave everything else with the default root permissions.
    Raw
    [root@server ~]# chown user1:sftpusers /sftp/user1/home/
  7. Modify the /etc/ssh/sshd_config file and add the following lines:
Raw
Subsystem   sftp    internal-sftp -d /home
Match Group sftpusers
ChrootDirectory /sftp/%u
  • Restart the sshd service
    • RHEL 7:
      Raw
      [root@server ~]# systemctl restart sshd
    • RHEL 6
      Raw
      [root@server ~]# service sshd restart

Client verification

  1. From the client, verify that everything is working now
    Raw
    [clientuser@client ~]$ ssh user1@server
Last login: Sat Jun 25 12:54:32 2016 from 192.168.122.1
Could not chdir to home directory /home/user1: No such file or directory
/bin/bash: No such file or directory
Connection to server closed.
[clientuser@client ~]$
    • The user can no longer connect via ssh. Let's try sftp
      Raw
      [clientuser@client ~]$ sftp user1@server
Connected to server.
sftp> pwd
Remote working directory: /home
sftp> cd /etc
Couldn't canonicalize: No such file or directory
sftp>
    • OK, the user can successfully connect via sftp and they are still restricted to their "home" directory
  2. Make sure a regular user can still log in via ssh without the chroot restrictions
    Raw
    [clientuser@client ~]$ ssh user2@server
Last login: Sat Jun 25 13:49:43 2016 from 192.168.122.1
[user2@server ~]$
Posted by at No comments:
Subscribe to: Posts (Atom)