How to setup passwordless chroot SFTP on Linux

This article describes a step by step procedure to set up password-less chroot SFTP login between a source and destination system.

Solution


LAB Details

Following are the details of the SSH client and SSH server systems referred to at many places in this article.

Source/client system: 192.168.0.5
Destination/Server system: 192.168.0.6
Client side user: testclient
Server side user: sftptest


Prerequisites

Client side configuration on 192.168.0.5 system

How does SSH/SFTP passwordless authentication work?
  • To set up passwordless authentication, generate an RSA or DSA key pair. This produces two keys: 1) a private key and 2) a public key.
  • The private key stays on the client system; the public key is copied to the destination (server) system, into the target user's authorized_keys file.
  • When you log in, the client uses the private key (the default ~/.ssh/id_rsa, or the file passed with -i) to sign a challenge sent by the server. The private key itself never leaves the client.
  • The remote SSH server verifies that signature against the public key stored in the user's authorized_keys file.
  • If the signature verifies, the login completes without a password.

Configuration
  • Log in to the client system as the testclient user (as per the LAB details), or as whichever user needs the passwordless login, and execute the following command to generate an RSA key pair. [1]

$ ssh-keygen -t rsa -C "testclient ssh client"  ## With -C we add a comment to the key

=> Enter the path of the key if needed, or press Enter to accept the default
     Generating public/private rsa key pair.
     Enter file in which to save the key (/home/testclient/.ssh/id_rsa): 
     Created directory '/home/testclient/.ssh'.

=> If you want a passphrase to protect the private key, enter it here; otherwise press Enter to leave the passphrase empty. With an empty passphrase, anyone who obtains the id_rsa file can log in as this user, so keep the file readable by its owner only.
     Enter passphrase (empty for no passphrase):
     Enter same passphrase again: 

=> The RSA public and private key pair has now been created, as shown below.
      Your identification has been saved in /home/testclient/.ssh/id_rsa.   <<<<< Private key
      Your public key has been saved in /home/testclient/.ssh/id_rsa.pub.   <<<<< Public Key

    The key fingerprint is:
    SHA256:Vlg9zEPVIPg5PRvkkS+uI2kQoCZ/KLtXy7wD2Dn9sxo testclient ssh client
    The key's randomart image is:
    +---[RSA 2048]----+
    |          .*o.o+ |
    |      .  o. *.+ .|
    |     . .. .. B o |
    |  . o   ..  + * .|
    |   * +  S.   o = |
    |  o B +..     o  |
    |   o BEo . . .   |
    |  . . =.o + o    |
    |  .o  o+.+ . .   |
    +----[SHA256]-----+

  • Upon successful execution of the above command, we'll see the following two files in the /home/testclient/.ssh directory. [2]
    /home/testclient/.ssh/id_rsa <<<< Private key (stays on the client; never copy it to the server)
    /home/testclient/.ssh/id_rsa.pub <<<<< Public key


Copy the public key to remote host

Remote sftp config [1]

  • If you are using the following SFTP chroot configuration for specific group, copy the key manually to the destination system with the given steps.
$ cat /etc/passwd
sftptest:x:1000:1001::/incoming:/sbin/nologin

$ cat /etc/ssh/sshd_config
Match Group chrootsftp
        ChrootDirectory /data/chroot-sftp/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
  • Create a directory called /incoming/.ssh and assign it appropriate ownership. In this common directory we'll store the public keys of all SFTP accounts that share /incoming as their home directory.
mkdir -p /incoming/.ssh
chown root:root -R /incoming
touch  /incoming/.ssh/authorized_keys
chmod 644 /incoming/.ssh/authorized_keys
  • Append the contents of the public key file /home/testclient/.ssh/id_rsa.pub to the remote system's /incoming/.ssh/authorized_keys file.

Remote sftp config [2]

  • If you are using the following SFTP chroot configuration for specific user, copy the key manually to the destination system with the given steps.
$ cat /etc/passwd
sftp1:x:1001:1002::/home/sftp1:/sbin/nologin

$ cat /etc/ssh/sshd_config
### Chroot SFTP Configuration for specific user
Match User sftp1
        ChrootDirectory /home/sftp1
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
  • Create a directory called /home/sftp1/.ssh and assign it appropriate ownership. This directory stores the public key(s) for the sftp1 account only.
mkdir -p /home/sftp1/.ssh
chown sftp1:root  /home/sftp1/.ssh
touch  /home/sftp1/.ssh/authorized_keys
chown sftp1 /home/sftp1/.ssh/authorized_keys
chmod 644 /home/sftp1/.ssh/authorized_keys
  • Append the contents of the public key file /home/testclient/.ssh/id_rsa.pub to the remote system's /home/sftp1/.ssh/authorized_keys file.

Remote sftp config [3]

  • If you are using the following SFTP chroot configuration for specific group, copy the key manually to the destination system with the given steps.
$ cat /etc/passwd
sftp1:x:1001:1002::/home/sftp1:/sbin/nologin

$ cat /etc/ssh/sshd_config
### Chroot SFTP Configuration for specific group
### %u expands to the login name; sshd requires an absolute chroot path,
### so /home/%u matches the /home/$user layout used in the steps that follow
Match Group chrootsftp
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

  • Create a directory called /home/$user/.ssh and assign it appropriate ownership. Replace $user with the actual user name.
mkdir -p /home/$user/.ssh
chown $user:root  /home/$user/.ssh
touch  /home/$user/.ssh/authorized_keys
chown $user /home/$user/.ssh/authorized_keys
chmod 644 /home/$user/.ssh/authorized_keys
  • Append the contents of the public key file /home/testclient/.ssh/id_rsa.pub to the remote system's /home/$user/.ssh/authorized_keys file.

  • Now login to the remote SFTP server using passwordless login.

$ sftp user@server_ip_or_name

If you do not have administrative access to the remote SFTP server, then after generating the RSA/DSA key pair, provide the public key (id_rsa.pub only) to the remote server administrator. The remote admin will append the public key content to the remote user's authorized_keys file to enable passwordless login.


About the Author: TekFik

TekFik is a technical blogging site that helps techies and engineers solve their day-to-day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
