SFTP chroot configuration on Linux

SFTP

SFTP provides a secure file transfer method; however, by default a logged-in SFTP user can browse directories other than the user's designated home directory. This article provides a step-by-step procedure to secure an SFTP server by applying configuration that binds chrooted users to their home directory, prevents them from accessing other directories, and denies them SSH login.

Topic

  • How to Setup Chroot SFTP in Linux (Allow Only SFTP not SSH)
  • Setup a secure TFTP server
  • How to set up sftp chroot for specific users
  • How to setup a secure SFTP server to only allow SFTP connection and prevent SSH login?
  • Chroot Jail configuration with SFTP on Linux

apt

  • Linux
  • Centos
  • RHEL
  • Ubuntu
  • Debian
  • Suse
  • Arch Linux
  • Alpine Linux

Solution


By default, the SFTP subsystem of OpenSSH allows SFTP connections for all SSH users. All of these users can browse any directory on the server, since there is no chroot environment.

With OpenSSH, we can enforce a chroot jail for specific users or a group, and we can also prevent that group of users from logging in over SSH. Refer to the following sections for the complete configuration.

Chroot Configuration for specific group

In the following configuration, chroot SFTP is enforced for members of the chrootsftp group. Each user is jailed to its home directory inside /data/chroot-sftp/$user. SSH login is disallowed for chrootsftp group members.

  1. Create the chroot environment base directory.
mkdir -p /data/chroot-sftp

  2. Create a group, e.g. chrootsftp.
groupadd chrootsftp

  3. Create users and make them primary members of the chrootsftp group. The following command creates the sftptest user and makes it a primary member of the chrootsftp group.
# -s /sbin/nologin prevents the user from logging in over ssh.
useradd -g chrootsftp sftptest -d /incoming -M -s /sbin/nologin

# Set user password
passwd sftptest

Note: In the above command, -d /incoming makes the sftp user land in the incoming directory (a path relative to the chroot) after login. Run "man useradd" for all options.

  4. Set up the chroot home directory for sftp users. Here we'll set up the SFTP home directory for the sftptest user account.
mkdir -p /data/chroot-sftp/sftptest/incoming

  5. Set up permissions and ownership for the sftptest user. Make a note of the following key rules:
    • The SFTP user's home directory (the chroot directory) must have user ownership set to root and group ownership set to the chroot group. In this example the chroot group is chrootsftp. sshd enforces this: every path component up to the chroot directory must be owned by root and must not be writable by group or others, otherwise the connection is refused.
    • Permission of the SFTP user's home directory must be 755.
    • Create an incoming directory in every sftp user's home directory and assign user ownership of it to the specific SFTP account. In our case, the sftp account is sftptest.
    • After sftp login, the user lands in this incoming directory and has write access to it.
    • Other than this incoming directory, the sftp account doesn't have write access to any other directory in its home directory.
    • If you set the sftp account (sftptest) as user owner of the sftp chroot directory, that will break the sftp connection.
chown root:chrootsftp /data/chroot-sftp/sftptest
chmod 755 /data/chroot-sftp/sftptest
chown sftptest:chrootsftp /data/chroot-sftp/sftptest/incoming
chmod 700 /data/chroot-sftp/sftptest/incoming

  6. Permissions and ownership must look as below after executing the above commands.
# ls -ld /data/chroot-sftp/sftptest
drwxr-xr-x 3 root chrootsftp 22 Nov 26 11:42 /data/chroot-sftp/sftptest

# ls -ld /data/chroot-sftp/sftptest/incoming 
drwx------ 2 sftptest chrootsftp 6 Nov 26 11:42 /data/chroot-sftp/sftptest/incoming

  7. Append the following chroot configuration to the /etc/ssh/sshd_config file.
        Match Group chrootsftp
        ChrootDirectory /data/chroot-sftp/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

The complete configuration file /etc/ssh/sshd_config looks like below (comments and blank lines stripped).

$ grep -v "^#" /etc/ssh/sshd_config|grep -v "^$"

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem   sftp    /usr/libexec/openssh/sftp-server

Match Group chrootsftp
        ChrootDirectory /data/chroot-sftp/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

  8. Now restart the sshd service, then start testing.
# systemctl restart sshd

Or

# service sshd restart


Testing

  • Test SFTP upload and download
$ sftp sftptest@192.168.1.10
sftptest@192.168.1.10's password: 
Connected to 192.168.1.10.
sftp> ls
sftp> pwd
Remote working directory: /incoming
sftp> mkdir test
sftp> ls
test  
sftp> put test.txt
Uploading test.txt to /incoming/test.txt
test.txt                                      100% 1082     2.8MB/s   00:00    
sftp> get test.txt
Fetching /incoming/test.txt to test.txt
/incoming/test.txt                            100% 1082     1.5MB/s   00:00    
sftp> rm test.txt
Removing /incoming/test.txt
sftp> ls
test  

  • Chroot SFTP test
sftp> cd /etc
Couldn't stat remote file: No such file or directory  <<<<<
sftp> ls /tmp
Can't ls: "/tmp" not found  <<<<
sftp> pwd
Remote working directory: /incoming  
sftp> cd /
sftp> ls
incoming  
sftp> pwd
Remote working directory: /
sftp> 
sftp> cd incoming/
sftp> 
sftp> pwd
Remote working directory: /incoming
sftp> cd /var
Couldn't stat remote file: No such file or directory  <<<<<

  • SSH login test
$ ssh sftptest@192.168.1.10
sftptest@192.168.1.10's password: 
This service allows sftp connections only.  <<<<<<
Connection to 192.168.1.10 closed


Chroot Configuration for specific user

  • If there is a need to configure chroot SFTP for a specific user only and bind the user to the /home/$user directory, use the following sample configuration.

  • The following configuration uses sftp1 test account for demonstration.

# create user
useradd sftp1 -s /sbin/nologin

# setup home directory
mkdir -p /home/sftp1/incoming

# Setup permission and ownership
chown root /home/sftp1
chmod 755 /home/sftp1
chown sftp1 /home/sftp1/incoming
chmod 700 /home/sftp1/incoming

  • Append the following configuration to the /etc/ssh/sshd_config file.
### Chroot SFTP Configuration for specific user
Match User sftp1
        ChrootDirectory /home/sftp1
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

  • Restart the sshd service and start testing.

  • After login, switch to the incoming directory and then transfer files.


Additional or optional configuration

  • If there is a need to bind all sftp users to their designated home directory, apply the following configuration.
  • With this configuration, setting up passwordless (key-based) sftp login is straightforward, because the user's real home directory is also the chroot, so .ssh/authorized_keys is found in the usual place.
  • Set up the home directory as usual in the /home/$user directory.
  • Set appropriate permissions and ownership as per the example given above.

Create user account

groupadd chrootsftp
useradd -g chrootsftp sftptest -m -s /sbin/nologin
passwd sftptest

Append the following configuration to the /etc/ssh/sshd_config file. The %h token is expanded by sshd to the authenticated user's home directory (/home/$user), so each user is jailed in its own home; a bare %u would expand to a relative path, which sshd rejects.

### Chroot SFTP Configuration for specific group
### %h is replaced by the home directory of the authenticated user
Match Group chrootsftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

Restart sshd service and start testing.
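
To see exactly where an account will be jailed before restarting sshd, the following added helper (not part of the original article or of OpenSSH) expands the %u, %h and %% tokens of a ChrootDirectory value as sshd_config(5) defines them and rejects any result that is not an absolute path, which is why the /data/chroot-sftp/%u form and %h both work while a bare %u does not. show_effective_chroot looks up the real home directory with getent and, where sshd is installed, runs `sshd -t` and `sshd -T -C user=...` to print the effective post-Match settings for that user. The function names, the sftptest sample values and the host/addr values in the connection spec are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not part of the original article.

# Expand ChrootDirectory tokens as documented in sshd_config(5):
#   %%  literal percent sign
#   %h  home directory of the authenticated user
#   %u  username of the authenticated user
# Prints the expanded path, or fails if the result is not absolute
# (sshd refuses to chroot to a relative path, so the login would fail).
expand_chroot_tokens() {
    tmpl=$1
    user=$2
    home=$3
    out=''
    rest=$tmpl
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}        # first character of $rest
        rest=${rest#?}               # drop it
        if [ "$c" = '%' ]; then
            t=${rest%"${rest#?}"}    # the token letter after '%'
            rest=${rest#?}
            case $t in
                %) out="$out%" ;;
                u) out="$out$user" ;;
                h) out="$out$home" ;;
                *) echo "unsupported token %$t in ChrootDirectory" >&2; return 1 ;;
            esac
        else
            out="$out$c"
        fi
    done
    case $out in
        /*) printf '%s\n' "$out" ;;
        *)  echo "ChrootDirectory does not expand to an absolute path: $out" >&2
            return 1 ;;
    esac
}

# Show what sshd will do for a real account on this host.
# Usage: show_effective_chroot <user> <ChrootDirectory value> [sshd_config]
show_effective_chroot() {
    user=$1
    tmpl=$2
    cfg=${3:-/etc/ssh/sshd_config}
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    echo "home directory : $home"
    printf 'chroot path    : '
    expand_chroot_tokens "$tmpl" "$user" "$home" || return 1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg" || return 1     # syntax/semantic check of the file
        # Effective settings after Match processing for this user; sshd -T
        # reports the configured value, tokens are expanded only after login.
        sshd -T -f "$cfg" -C "user=$user,host=localhost,addr=127.0.0.1" \
            | grep -E '^(chrootdirectory|forcecommand|allowtcpforwarding|x11forwarding) '
    fi
}

# Stand-alone use: show_effective_chroot sftptest '%h'
if [ $# -ge 2 ]; then
    show_effective_chroot "$@"
fi
```

Run it as `sh chroot-check.sh sftptest '/data/chroot-sftp/%u'` for the group setup above or `sh chroot-check.sh sftptest '%h'` for the home-directory variant; an unsupported token or a relative result is reported before sshd is touched.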



About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
