FTP is dead. Long live SFTP. An interesting alternative to secure ftp. How to jail SFTP users on a CentOS 6

This mini how-to addresses jailing of SFTP users (SFTP = SSH File Transfer Protocol), which means restrict user’s access to their home directory. It will also disable shell login, therefore additional configuration must be done to allow restricted shell access, all finers pointing towards http://olivier.sessink.nl/jailkit/

• Edit your /etc/ssh/sshd_config

• Find the line where /usr/libexec/openssh/sftp-server resides (path is distribution dependant)

• Replace it with internal-sftp. The whole line should look:
» Subsystem sftp internal-sftp

• Create a group “upload” or “sftpusers” – something intuitive. Every user that you want to grant upload access via SFTP must be a member of this group.

• In your sshd_config file add:

Match Group upload
   ChrootDirectory %h
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

NB: Further access can be enforced by playing with Match Group X or Match user Y.

• Check for errors by doing a fast
» service sshd reload

• Next, add a group under which we will gather all accounts that we want to allow upload access. I’m going to add a system user (no login) and a group with the same name.
» adduser --system --group upload for Debian
» adduser -M -s /bin/false upload for CentOS

• Issue the following commands
» chown -R root:root /home
» chmod -R 755 /home
» usermod -aG upload user1 ; usermod -aG upload user2 etc.
» chown -R user1:upload /home/user1/directory_you_wish_to_be_writeable
(tip: wildcard is supported, eg chown -R user1:upload /home/user1/*/www )

• At this point you need to service sshd restart and check for any errors.

• Final exam: simply login with FileZilla (SFTP!) or your client of choice and try to cd.

References
• http://serverfault.com/questions/591781/creating-sftp-users-and-jailing-to-chroot-on-centos-user-authentication-error
• http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes
Advertisements

Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s