Thursday, June 23, 2016

Restrict SFTP to Home Folder

I had created a chrooted sftp account on CentOS 6, but faced an issue that the users were not able to put/delete, as sftp requires root:root ownership of the chrooted directory. I fixed it by changing the chrooted directory to one step above the user's home and setting the user's home to /. Below are the exact steps.
Prerequisites: OpenSSH version > 5.2
Notes:
  • The chroot directory is /mnt/home
  • The user's home directory is 'junedm', relative to the chroot, i.e. /mnt/home/junedm on the host
  • The chrooting is done per group; it can also be done per user with Match User instead of Match Group (see footer notes)
  • The chrooting group is sftponly, and every sftp user must have it as a group (a secondary group also works)
Steps:
A] Add the user, create the chroot directory structure and fix permissions
  1. Create the chroot directory and make sure every directory from / down to the chroot is mode 755 and owned by root:root. sshd checks each path component and refuses the login otherwise, logging "bad ownership or modes for chroot directory component" in /var/log/secure.
  • [root@ggvaapp07 ~]# mkdir -p /mnt/home
  • [root@tiber ~]# ls -ld /mnt ; ls -ld /mnt/home
    drwxr-xr-x. 3 root root 4096 Jun 23 03:31 /mnt
    drwxr-xr-x 2 root root 4096 Jun 23 03:31 /mnt/home
  2. Add the sftponly group.
  • [root@tiber ~]# groupadd sftponly
  3. Add the user, with sftponly as a secondary group.
  • [root@tiber /]# useradd junedm -G sftponly
  • [root@tiber /]# id junedm
  • uid=503(junedm) gid=505(junedm) groups=505(junedm),504(sftponly)
  4. Change the user's home directory to /username. This is very important: the path is resolved inside the chroot, so /junedm means /mnt/home/junedm on the host. If you set it to /mnt/home/junedm instead, that path does not exist inside the chroot, the session lands in the root-owned chroot root, and put/delete fail. Also set the shell to /sbin/nologin so the account cannot get a shell over ssh, only sftp.
  • [root@tiber /]# usermod -d /junedm -s /sbin/nologin junedm
  • [root@tiber /]# grep junedm /etc/passwd
  • junedm:x:503:505::/junedm:/sbin/nologin
  5. Create the user's directory inside the chroot, owned by user:chrootgroup, and set its permissions. The directory is owned by the user, so 755 is enough for put/delete; 775 (used below) additionally lets every other member of sftponly write to and delete from this user's directory, so only use it if the sftp users are meant to share files.
  • [root@tiber home]# mkdir /mnt/home/junedm ; chmod 775 /mnt/home/junedm ; chown junedm:sftponly /mnt/home/junedm -R
  • [root@tiber home]# ls -ld /mnt/home/junedm
  • drwxrwxr-x 2 junedm sftponly 4096 Jun 23 03:44 /mnt/home/junedm
  6. Create or change the user's password
  • [root@ggvaapp07 /]# passwd junedm
  • Changing password for user junedm.
  • New password:
  • Retype new password:
  • passwd: all authentication tokens updated successfully.
B] Create the sshd configuration for the sftp setup.
  1. Back up the existing sshd_config
[root@tiber /]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  2. Comment out the existing Subsystem line. Subsystem is not allowed inside a Match block, and sshd rejects a second "Subsystem sftp" line, so the stock one must go before the new one is added.
[root@tiber /]# grep Subsystem /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
  3. Add the following block at the bottom of sshd_config. A Match block applies to every line after it up to the next Match, so it has to be the last thing in the file.
###Added By Juned for chrooted sftp setup ##############
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory        /mnt/home
    ForceCommand           internal-sftp -l VERBOSE
    GSSAPIAuthentication   no
    PasswordAuthentication yes
    PubkeyAuthentication   yes
    AllowAgentForwarding   no
    AllowTcpForwarding     no
    X11Forwarding          no
#END
########################################################
  4. Restart sshd. Check the syntax with sshd -t first if you are doing this over ssh: a typo in the Match block stops sshd from starting and locks you out.
[root@tiber /]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@tiber /]#
  5. Check the logs if you want to see what is happening. With "-l VERBOSE", internal-sftp logs every open/put/remove through syslog, and on CentOS that ends up in /var/log/secure.
[root@tiber /]# tail -f /var/log/secure
  6. Now connect from a different machine using sftp and do get/put/delete operations. The numeric owner/group in the ls -l output is expected: there is no /etc/passwd inside the chroot, so internal-sftp cannot map uid 503 and gid 505 back to names.
[prod@james tmp]$ sftp junedm@tiber
Connecting to tiber...
junedm@tiber's password:
sftp> put test.txt
Uploading test.txt to /junedm/test.txt
test.txt                                                                                                                             100%    0     0.0KB/s   00:00
sftp> ls -l
-rw-r--r--    1 503      505             0 Jun 23 10:57 test.txt
sftp> rm test.txt
Removing /junedm/test.txt
sftp> cd /
sftp> ls -l
drwxrwxr-x    2 503      504          4096 Jun 23 10:57 junedm
  7. Confirm that ssh is not working. ForceCommand internal-sftp refuses anything that is not an sftp client, and the message below is the one it prints.
[prod@ggvaapp03 tmp]$ ssh junedm@tiber
junedm@tiber's password:
This service allows sftp connections only.
Connection to tiber closed.
