This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website.
For example: sftpluke needs to upload files to /var/www/vhost/lukeslinuxlessons/. You can chroot sftpluke to /home/chroot/sftpluke/ and then bind-mount /var/www/vhost/lukeslinuxlessons/ to their home directory. This means they can upload to the correct website directory without needing direct access to it.
There are 2 main options for bind mounting:
> Option 1 - Chroot a user to their home directory. Note - user will NOT be able to write to it, they will need to cd into the correct directory.
> Option 2 - Users are chrooted to a directory and then moved into a writeable directory - Note - this is not a suitable option for a lot of systems, its based off of ssh configuration directive: ChrootDirectory /home/chroot. This means every chrooted user will be chrooted here and doesnt allow for as much flexibility.
groupadd sftponly
Note: This part may not be needed. You are able to use the user home directory instead of creating a new one (example: /home/luke/ or /home/luke_sftp)
Now we need to create a home directory which we will be chrooting our sFTP user to. In this directory you are able to have more directories, each one relating to a different website etc. Standard proceedure is to chroot a user to their home directory however you are able to use option 2 if you wish for a more 'formal' chroot.
mkdir -p /home/lukes-jail/Now we need to create a mount point - this mount point will be where we mount the files located else where on the device to, so that the jailed user has access to them:
/home/lukes-jail/website1/
If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g
mkdir -p /home/chroot/sams-jail/An example of multiple sftp users would be:
/home/chroot/luke /home/chroot/joe /home/chroot/michalAll of these users home directory (luke, joe, michal) would be writable
We can now add a user with a specific home directory and NO shell login. This means they will NOT be able to SSH into the server, only sFTP. We will also add the user to the sftponly group.
(for those with a standard /home/user directory jail)
useradd -s /sbin/nologin -G sftponly lukes-jail
useradd -d /home/chroot/lukes-jail/ -s /sbin/nologin -G sftponly lukes-jailNow change the password with
passwd lukes-jail
We need to make a few changes to /etc/ssh/sshd_config file.
You will need to locate and comment-out the following line:
Subsystem sftp /usr/libexec/openssh/sftp-serverOnce you have done this you will need to add the following lines to the bottom of the file:
Subsystem sftp internal-sftp Match Group sftponly ChrootDirectory %h X11Forwarding no AllowTCPForwarding no ForceCommand internal-sftp
Subsystem sftp internal-sftp Match Group sftponly ChrootDirectory /home/chroot/ X11Forwarding no AllowTCPForwarding no ForceCommand internal-sftp
Now we need to make sure that the home directory for the lukeisjailed user has the correct permissions.
Before performing the following it is important to note, the chroot directory needs to be owned by root:root, it must NOT be owned by anyone else. Once it is owned by root:root you need to make sure it has 755 permissions. It is important to note that the bit we are interested in is the 'other' permissions. It must have executable and read permissions for other users as this is the category the user will be classed in.
You should perform the following:
chmod 711 /home/ chmod 755 /home/lukes-jail/ chown root:root /home/lukes-jail/You will then need to set the permissions of the mount directory (e.g /home/lukes-jail/website1/) to user:group with
chown lukes-jail:sftponly /home/lukes-jail/website1/
chmod 755 /home/chroot chown root:root /home/chroot/
We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab:
/var/www/vhost/lukeslinuxlessons/ /home/lukes-jail/website1/ none bind 0 0
/var/www/vhost/lukeslinuxlessons/ /home/chroot/lukes-jail/website1/ none bind 0 0Now we can mount a specific directory to the users chrooted home directory.
mount /home/lukes-jail/website1/This command mounts the directory stated in /etc/fstab to the directory we have just specified (/home/lukes-jail/website1/)
And your done!
You can test the chroot a couple of ways.
Try logging in with the user via ssh, this should fail as we have disabled ssh login.
ssh lukes-jail@serverIPNow we can test sftp via command line with
sftp lukes-jail@serverIPThis should prompt you for a password and then successfully log in. You should see:
sftp>Now you can test to see if it has been configured correctly by typing the following:
sftp> pwd Remote working directory: / sftp> ls website1 sftp> cd website1 sftp> ls file1 file2 file3Create a test file on your localhost, then sftp to the server:
put sftptest.txt
2 Options:
sftp -oPort=3476 user@host
sftp -P <port> user@host
This section will be updated regularly with issues and fixes.
sftp user@ipaddress -vThe command above should tell you if the issue is a password for the user is correct or not