SFTP – Connections and File Permissions – Part 3

In the last couple of posts SFTP – Connections and File Permissions – Part 1 and SFTP – Connections and File Permissions – Part 2 we configured sftp and looked at the effect of umask when transferring files using sftp. In this post we will configure restricting users to their home directories using chroot..

Before we configure chroot – jail users..lets take a look at whats wrong with non-chrooted environment. As you can see below user can roam around freely and also able to download configurations.

SFTP_Client8.JPG

In order to allow ChrootDirectory functionality on a per-user basis, employ a conditionally-executed sshd configuration (using the “Match” keyword) in the sshd_config file.

This example will use a “Match” block based on group membership, but other criteria may used in a “Match” block to determine which users are restricted to the ChrootDirectory (see “man sshd_config” for more details).

NOTE :- The ownership of the root directory should be root:root and anything else will block chroot sftp access.

If its not root:root, then the below command should be executed for chroot-sftp operation :-

# chown root:root /
  1. Edit sshd_config
    • Comment the original Subsystem entry for sftp and replace it with a new entry:
    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
    Subsystem       sftp    internal-sftp
    
    • Add the following to the end of the /etc/ssh/sshd_config file.
            Match Group sftponly
                    ChrootDirectory /chroots/%u
                    AllowTcpForwarding no
                    ForceCommand internal-sftp
                    X11Forwarding no
    
  2. Create a new group to add sftp-only users to (users in this group will not have access to ssh/scp and sftp access will be limited to their chrooted environment.)
    # groupadd sftponly
    

    NOTE: Persons not in this group can still log in to the host via ssh and otherwise interact with openssh normally.

  3. Configure or create the accounts of any sftp-only users.  NOTE: the specified home directory is relative to the ChrootDirectory.
    # usermod  -g sftponly -s /bin/false user  
    

    or

    #useradd -d /myhome -M -g sftponly -s /bin/false user
    

    In case you newly create the “user”, set its pasword

    # passwd user
  4. Create the user’s chroot environment and configure directory permissions.  Ensure that this entire path is owned by root and only writable by root.
    # mkdir -p /chroots/user ; chmod -R 755 /chroots/user
    

    NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username of that user) so that each user will have an individual chroot environment.

    Users will not be able to see other directories located beneath the root of their chrooted environment.

  5. Create the user’s actual home directory under the ChrootDirectory and chown it to the user and group created/used in Step 3 (above).
    # mkdir /chroots/user/myhome ; chown user:sftponly /chroots/user/myhome
    

    NOTE: The permission of the user chroot directory that is, /chroots/user/myhome should be 0755.

  6. Restart sshd.Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.

Lets apply the above configuration to our test2 user on Client..

Step 1: Update sshd_config as below and restart the sshd service.

SFTP_Client9.JPG

Step 2: Lets look at “test2” user we have got.. it still got the public key in authorized_keys.

SFTP_Client11.JPG

Step 3: Create “chroot” directory structure.. %u refers to user so in this case “/sftp/test2” both directories should owned by root:root.

Step 4: The test2 user has got home directory as “/home/test2” which should be relative to “/sftp/test2” when we do SFTP. So it no longer goes to “/home/test2” but it goes to “/sftp/test2/home/test2”..

SFTP_Client10.JPG

Step 5: Lets SFTP now and try to roam around.. As the public key is still present sftp without password is allowed but after SFTP login is successful it is “chrooted” so restricted now.

SFTP_Client14

Step 6: “pwd” still showing /home/test2 but ultimately it is “/sftp/test2/home/test2” on Client server. Lets copy a file and check..

SFTP_Client12.JPG

Step6: Check on the Client server..

SFTP_Client13

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s