User Tools

Site Tools

Trace: sftp_centos
sftp_centos
Quick Overview

This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website.
For example: sftpluke needs to upload files to /var/www/vhost/lukeslinuxlessons/. You can chroot sftpluke to /home/chroot/sftpluke/ and then bind-mount /var/www/vhost/lukeslinuxlessons/ to their home directory. This means they can upload to the correct website directory without needing direct access to it.

Options

There are 2 main options for bind mounting:
> Option 1 - Chroot a user to their home directory. Note - user will NOT be able to write to it, they will need to cd into the correct directory.
> Option 2 - Users are chrooted to a directory and then moved into a writeable directory - Note - this is not a suitable option for a lot of systems, its based off of ssh configuration directive: ChrootDirectory /home/chroot. This means every chrooted user will be chrooted here and doesnt allow for as much flexibility.

sFTP Only Group

groupadd sftponly

Creating a chroot Directory

Note: This part may not be needed. You are able to use the user home directory instead of creating a new one (example: /home/luke/ or /home/luke_sftp)
Now we need to create a home directory which we will be chrooting our sFTP user to. In this directory you are able to have more directories, each one relating to a different website etc. Standard proceedure is to chroot a user to their home directory however you are able to use option 2 if you wish for a more 'formal' chroot.

Option 1

mkdir -p /home/lukes-jail/
Now we need to create a mount point - this mount point will be where we mount the files located else where on the device to, so that the jailed user has access to them: 
/home/lukes-jail/website1/

You are able to have many website and mount points in a single jailed users home directory (eg /home/lukes-jail/website1/, /home/lukes-jail/website2/ /home/lukes-jail/website3/ etc)

Option 2

If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g 

mkdir -p /home/chroot/sams-jail/
An example of multiple sftp users would be: 
/home/chroot/luke
/home/chroot/joe
/home/chroot/michal
All of these users home directory (luke, joe, michal) would be writable

Adding a chroot user

We can now add a user with a specific home directory and NO shell login. This means they will NOT be able to SSH into the server, only sFTP. We will also add the user to the sftponly group.

Option 1

(for those with a standard /home/user directory jail) 

useradd -s /sbin/nologin -G sftponly lukes-jail

Option 2

useradd -d /home/chroot/lukes-jail/ -s /sbin/nologin -G sftponly lukes-jail
Now change the password with 
passwd lukes-jail


Configuring sshd_config file

We need to make a few changes to /etc/ssh/sshd_config file.

You will need to locate and comment-out the following line: 

Subsystem sftp /usr/libexec/openssh/sftp-server
Once you have done this you will need to add the following lines to the bottom of the file:

Option 1

Subsystem     sftp   internal-sftp
         Match Group sftponly
         ChrootDirectory %h
         X11Forwarding no
         AllowTCPForwarding no
         ForceCommand internal-sftp

Option 2

Subsystem     sftp   internal-sftp
         Match Group sftponly
         ChrootDirectory /home/chroot/
         X11Forwarding no
         AllowTCPForwarding no
         ForceCommand internal-sftp

Now you need to restart sshd. You can either run sshd -t first (which should return NO message) or you can be brave and just perform service sshd restart


Permissions

Now we need to make sure that the home directory for the lukeisjailed user has the correct permissions.
Before performing the following it is important to note, the chroot directory needs to be owned by root:root, it must NOT be owned by anyone else. Once it is owned by root:root you need to make sure it has 755 permissions. It is important to note that the bit we are interested in is the 'other' permissions. It must have executable and read permissions for other users as this is the category the user will be classed in.
You should perform the following:

Option 1

chmod 711 /home/

chmod 755 /home/lukes-jail/

chown root:root /home/lukes-jail/
You will then need to set the permissions of the mount directory (e.g /home/lukes-jail/website1/) to user:group with 
chown lukes-jail:sftponly /home/lukes-jail/website1/

Option 2

chmod 755 /home/chroot

chown root:root /home/chroot/

Mounting

We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab:

Option 1

/var/www/vhost/lukeslinuxlessons/ /home/lukes-jail/website1/ none bind 0 0

Option 2


/var/www/vhost/lukeslinuxlessons/ /home/chroot/lukes-jail/website1/ none bind 0 0
Now we can mount a specific directory to the users chrooted home directory.
Best practice is to use the “mount” command (with a specific flag) to mount the directory using the entry we have just made.
This is to make sure there are no errors in the entry into /etc/fstab. If there are errors, we can resolve them before the server is rebooted however if we dont fix them before server reboot it can cause SEVERE issue and prevent the server from booting!! 
mount /home/lukes-jail/website1/
This command mounts the directory stated in /etc/fstab to the directory we have just specified (/home/lukes-jail/website1/)

And your done!


Testing sFTP chroot

You can test the chroot a couple of ways.

Try logging in with the user via ssh, this should fail as we have disabled ssh login. 

ssh lukes-jail@serverIP
Now we can test sftp via command line with 
sftp lukes-jail@serverIP
This should prompt you for a password and then successfully log in. You should see: 
sftp>
Now you can test to see if it has been configured correctly by typing the following: 
sftp> pwd
Remote working directory: /
sftp> ls
website1
sftp> cd website1
sftp> ls
file1 file2 file3
Create a test file on your localhost, then sftp to the server: 
put sftptest.txt

Specifying a port

2 Options: 

sftp -oPort=3476 user@host

sftp -P <port> user@host

Troubleshooting

This section will be updated regularly with issues and fixes. 

sftp user@ipaddress -v
The command above should tell you if the issue is a password for the user is correct or not

sftp_centos.txt · Last modified: 2024/05/23 07:26 by 127.0.0.1
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
Public Domain Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki