Juned Memon

Restrict SFTP to Home Folder

I had created a chrooted SFTP account on CentOS 6, but ran into the problem that users were not able to put/delete files: sshd requires the ChrootDirectory (and every directory above it) to be owned by root:root and not writable by group or others, so a user chrooted straight into their own home directory cannot write to it. I fixed it by moving the chroot one level above the user's home, to the directory that holds all the SFTP homes, and setting the user's home directory to /username, which inside the chroot resolves to the user-owned, writable subdirectory.

Below are the exact steps.

Prerequisites: OpenSSH 5.2 or later (ChrootDirectory and the internal-sftp subsystem need at least OpenSSH 4.9; CentOS 6 ships 5.3)

Notes:

The chroot directory is /mnt/home.
The user's home directory is junedm relative to the chroot, i.e. /mnt/home/junedm on disk and /junedm as the user sees it.
The chroot is applied per group: the chroot group is sftponly, and every SFTP-only user must be a member of it (a secondary group works too).

Steps :

A] Add user , create chroot directory structure and fix permissions

Create the chroot directory and make sure every directory from / down to and including the chroot directory (here /mnt and /mnt/home) is owned by root:root and is not writable by group or others (mode 755). If any component fails this check, sshd drops the connection and logs "bad ownership or modes for chroot directory component".

[root@ggvaapp07 ~]# mkdir -p /mnt/home
[root@tiber ~]# ls -ld /mnt ; ls -ld /mnt/home
drwxr-xr-x. 3 root root 4096 Jun 23 03:31 /mnt
drwxr-xr-x 2 root root 4096 Jun 23 03:31 /mnt/home

Add the sftponly group.

[root@tiber ~]# groupadd sftponly

Add the user, with sftponly as a secondary group.

[root@tiber /]# useradd junedm -G sftponly
[root@tiber /]# id junedm
uid=503(junedm) gid=505(junedm) groups=505(junedm),504(sftponly)

Change the user's home directory to /username. This is very important: paths in the passwd entry are resolved inside the chroot, so /junedm becomes /mnt/home/junedm on disk. If you set the home to /mnt/home/junedm instead, that path does not exist inside the chroot, sftp lands the user in the root of the chroot (which is root-owned), and put/delete fail. Also set the shell to /sbin/nologin so the account can only use sftp and cannot get an ssh shell.

[root@tiber /]# usermod -d /junedm -s /sbin/nologin junedm
[root@tiber /]# cat /etc/passwd | grep juned
junedm:x:503:505::/junedm:/sbin/nologin

Create the user's directory inside the chroot, set its ownership to user:chrootgroup and its mode to 775. Note that 775 with group sftponly makes the directory writable by every other sftponly user as well (they can reach it with cd / inside the chroot); use 755, or chown it to junedm:junedm, if users must be isolated from each other.

[root@tiber home]# mkdir /mnt/home/junedm
[root@tiber home]# chmod 775 /mnt/home/junedm ; chown junedm:sftponly /mnt/home/junedm -R
[root@tiber home]# ls -ld /mnt/home/junedm
drwxrwxr-x 2 junedm sftponly 4096 Jun 23 03:44 /mnt/home/junedm

Create/change the password for the user.

[root@ggvaapp07 /]# passwd junedm
Changing password for user junedm.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

B] Create sshd configuration for sftp setup. 

Back up the existing sshd_config.

[root@tiber /]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Comment out the existing Subsystem sftp line; sshd refuses to start if Subsystem sftp is defined twice.

[root@tiber /]# grep Subsystem /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

Add the following block at the bottom of sshd_config. It has to be the last thing in the file, because every directive after a Match line belongs to that Match block until the next Match or the end of the file.

###Added By Juned for chrooted sftp setup ##############
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory        /mnt/home
    ForceCommand           internal-sftp -l VERBOSE
    GSSAPIAuthentication   no
    PasswordAuthentication yes
    PubkeyAuthentication   yes
    AllowAgentForwarding   no
    AllowTcpForwarding     no
    X11Forwarding          no
#END
########################################################

Restart sshd.

[root@tiber /]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@tiber /]#

Check the logs (if you want to see what is happening):

[root@tiber /]# tail -f /var/log/secure

Now connect from a different machine using sftp and try put, ls and rm operations:

[prod@james tmp]$ sftp junedm@tiber
Connecting to tiber...
junedm@tiber's password:
sftp> put test.txt
Uploading test.txt to /junedm/test.txt
test.txt                                                                                                                             100%    0     0.0KB/s   00:00
sftp> ls -l
-rw-r--r--    1 503      505             0 Jun 23 10:57 test.txt
sftp> rm test.txt
Removing /junedm/test.txt
sftp> cd /
sftp> ls -l
drwxrwxr-x    2 503      504          4096 Jun 23 10:57 junedm

Confirm that an interactive ssh login is refused:

[prod@ggvaapp03 tmp]$ ssh junedm@tiber
junedm@tiber's password:
This service allows sftp connections only.
Connection to tiber closed.