Chroot SFTP in Linux
Sometimes we need to transfer or access files on a server through SFTP. In these cases we want to restrict the users so that they can access only the files in their own home directories; other directories and files on the server must not be reachable by these users. This can be achieved with chroot SFTP. To set up chroot SFTP in Linux, follow the steps given below:
Create a New Group for SFTP Users
Create a new group called sftpusers. Users who belong to this group will automatically be restricted to the SFTP chroot environment on this system.
# groupadd sftpusers
Create SFTP Users (or Modify Existing User)
Let us say you want to create a user sftp_user1 who should be allowed only to perform SFTP in a chroot environment and should not be allowed to log in over SSH.
# useradd -g sftpusers -d /incoming -s /sbin/nologin sftp_user1
# passwd sftp_user1
The above command creates sftp_user1, assigns this user to the sftpusers group, makes /incoming (a path inside the chroot) the home directory, and sets /sbin/nologin as the shell (which will not allow the user to ssh in and get shell access).
Setup sftp-server Subsystem in sshd_config file
Modify the /etc/ssh/sshd_config file using the vi editor and make sure the following line is commented out:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Next, add the following line to the /etc/ssh/sshd_config file:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Specify Chroot Directory for a Group
You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. The end of /etc/ssh/sshd_config contains the following commented example:
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Change the above to:
# Example of overriding settings on a per-user basis
Match Group sftpusers
        # Force the connection to use SFTP and chroot to the required directory.
        ChrootDirectory /home/sftp/%u
        ForceCommand internal-sftp
        # Disable tunneling, authentication agent, TCP and X11 forwarding.
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no
In the above:
- Match Group sftpusers – The lines that follow are applied only to users who belong to the group sftpusers.
- ChrootDirectory /home/sftp/%u – This is the path that will be used for the chroot after the user is authenticated. %u expands to the user name, so for sftp_user1 this is /home/sftp/sftp_user1.
- ForceCommand internal-sftp – This forces execution of the internal-sftp subsystem and ignores any command mentioned in the user's ~/.ssh/rc file.
Setup Appropriate Permission for SFTP users
For the chroot to work properly, you need to make sure appropriate permissions are set on the chroot directory tree (/home/sftp/sftp_user1 and the incoming directory inside it).
Set the ownership of the incoming directory to the user, and the group to sftpusers, as shown below.
# chown sftp_user1:sftpusers /home/sftp/sftp_user1/incoming
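The chown step above covers only the incoming directory. sshd additionally requires the ChrootDirectory itself (/home/sftp/sftp_user1) and every directory above it to be owned by root and not writable by group or others; otherwise it refuses the login and logs "bad ownership or modes for chroot directory component". The script below is an added example and not part of the original post: it builds that layout for one sftpusers member and verifies it. It assumes GNU coreutils (stat -c), the /home/sftp/<user>/incoming layout used on this page, and the sftpusers group created earlier; the 750 mode on incoming/ is an assumption, not something the page states.

```shell
#!/bin/sh
# Added example (not from the original post): create the chroot tree for one
# sftpusers member and verify that it meets sshd's ChrootDirectory rules.
# sshd requires the chroot directory and every path component above it to be
# owned by root and not writable by group or others.
# Assumes GNU coreutils (stat -c) and the /home/sftp/<user>/incoming layout.

# dir_ok DIR [UID]: one directory is owned by UID (default 0 = root) and has
# no group or other write bit. Prints the reason on failure.
dir_ok() {
    d=$1; want=${2:-0}
    [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    owner=$(stat -c '%u' "$d")
    perm=$(stat -c '%A' "$d")          # e.g. drwxr-xr-x
    [ "$owner" = "$want" ] || { echo "$d: owner uid $owner, want $want" >&2; return 1; }
    case "$perm" in
        ?????w*)    echo "$d: group-writable ($perm)" >&2; return 1 ;;   # 6th char
        ????????w*) echo "$d: world-writable ($perm)" >&2; return 1 ;;   # 9th char
    esac
    return 0
}

# chroot_tree_ok CHROOT [UID] [TOP]: walk from CHROOT up to TOP (default /,
# which is what sshd checks), applying dir_ok to every component.
chroot_tree_ok() {
    dir=$1; uid=${2:-0}; top=${3:-/}
    while :; do
        dir_ok "$dir" "$uid" || return 1
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = "/" ] && { echo "$top is not an ancestor of $1" >&2; return 1; }
        dir=$(dirname "$dir")
    done
}

# setup_sftp_chroot USER [BASE]: build BASE/USER (root-owned, mode 755) with a
# user-owned incoming/ inside it, mirroring the chown on the page. Needs root.
# The 750 mode on incoming/ is an assumption, not something the page states.
setup_sftp_chroot() {
    user=$1; base=${2:-/home/sftp}
    mkdir -p "$base/$user/incoming"
    chown root:root "$base" "$base/$user"
    chmod 755 "$base" "$base/$user"
    chown "$user:sftpusers" "$base/$user/incoming"
    chmod 750 "$base/$user/incoming"
    chroot_tree_ok "$base/$user" 0 /
}

# Usage: sh sftp_chroot.sh setup sftp_user1   |   sh sftp_chroot.sh check sftp_user1
case "${1:-}" in
    setup) setup_sftp_chroot "$2" ;;
    check) chroot_tree_ok "/home/sftp/$2" 0 / && echo "chroot for $2 looks good" ;;
esac
```

Run `check` after any change to the directory tree or to ChrootDirectory; a group-writable /home/sftp or a user-owned /home/sftp/sftp_user1 is the usual reason an otherwise correct Match block still refuses the login.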
Restart sshd and Test Chroot SFTP
Restart the sshd service using the command below:
# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
#
Test the chroot SFTP environment. As shown below, when sftp_user1 connects with sftp and runs “cd /”, they see only the incoming directory.
# sftp sftp_user1@dbappweb.com
sftp_user1@dbappweb.com's password:
Connected to dbappweb.com.
sftp> pwd
Remote working directory: /incoming
sftp> cd /
sftp> ls
incoming
sftp> cd /etc
Couldn't canonicalize: No such file or directory
sftp>
As shown above, sftp_user1 can access only its own home directory; other directories and files on the server are not accessible to it.
Last Updated: May 18, 2020