SFTP on chroot SSH jail

Chroot SFTP

Using OpenSSH you can confine SSH, SFTP and SCP users to their home directory and prevent them from accessing other directories on the SSH server. In this article we will configure a secure sshd environment that supports both ssh and SFTP inside a chroot SSH jail.


Topic

  • How to configure both chroot sftp and ssh?
  • How to configure chroot sftp and ssh on CentOS|RHEL?
  • How to configure chroot sftp and ssh on Debian|Ubuntu?
  • How to get chroot sftp working in chroot ssh sandbox environment?
  • Chroot SFTP and SSH configuration on Linux


Solution


Setting up a chroot ssh and sftp environment requires a sandbox that has its own libraries and binaries. In this article, we'll confine all ssh and sftp users who are members of the chrootssh group to the /data/chroot-ssh directory. The steps have been tested on CentOS 7 and RHEL 7; they can be adapted to configure chroot ssh and sftp on other Linux distributions.

  1. In order to set up chroot SFTP on a chroot SSH jail, the prerequisite is a working chroot SSH environment, which is covered in a separate article.

  2. After the chroot ssh environment is set up, execute the following commands to get sftp connections working in the chroot ssh sandbox.

  3. Remove all contents from the /data/chroot-ssh/lib64 directory.
rm -rf /data/chroot-ssh/lib64/*

  4. Mount the /lib64 directory at /data/chroot-ssh/lib64 with the bind mount option.
mount --bind /lib64 /data/chroot-ssh/lib64

# To make the above mount permanent, add the following line to /etc/fstab.
/lib64                /data/chroot-ssh/lib64         -            defaults,bind       0 0

  5. Create the directory /data/chroot-ssh/usr/libexec/openssh in the chroot environment and then mount /usr/libexec/openssh on it with the bind mount option.
mkdir -p /data/chroot-ssh/usr/libexec/openssh
mount --bind /usr/libexec/openssh /data/chroot-ssh/usr/libexec/openssh

# To make the above mount permanent, add the following line to /etc/fstab.
/usr/libexec/openssh         /data/chroot-ssh/usr/libexec/openssh         -       defaults,bind       0 0

  6. Create passwd and group files in the /data/chroot-ssh/etc directory and copy only the chroot ssh user's and group's entries into them.
# sample chroot ssh user is testssh and group is chrootssh
# anchor the match on the name so that similarly named accounts (e.g. testssh2) are not copied as well
cd /data/chroot-ssh/etc
grep '^chrootssh:' /etc/group >> group
grep '^testssh:' /etc/passwd >> passwd

  7. Now restart the sshd service and then start testing sftp file transfer from a client system.
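As an added example (not code from the original article), the following POSIX shell helpers carry out the passwd/group step with anchored matching so that re-runs and similarly named accounts do not pollute the jail's files, and check, before sshd is restarted, that the jail contains what sftp needs. The chroot path, user and group are parameters; the function names and the use of scratch passwd/group files are assumptions of this example.

```sh
#!/bin/sh
# Added helper (not part of the article): populate and sanity-check the
# jail's etc/passwd, etc/group and the two bind-mounted directories.
# JAIL, USER and GROUP are parameters; the article's values would be
# /data/chroot-ssh, testssh and chrootssh.

# copy_entry NAME SRC DST: append the single "NAME:..." line from SRC to DST.
# Anchoring on "^NAME:" avoids the substring matches a bare grep would give
# (e.g. "testssh2" also matches "testssh"); re-runs do not duplicate lines.
copy_entry() {
    name=$1; src=$2; dst=$3
    line=$(grep "^${name}:" "$src") || { echo "no entry for $name in $src" >&2; return 1; }
    [ "$(printf '%s\n' "$line" | wc -l | tr -d ' ')" -eq 1 ] \
        || { echo "more than one entry for $name in $src" >&2; return 1; }
    touch "$dst"
    grep -q "^${name}:" "$dst" && return 0      # already present: nothing to do
    printf '%s\n' "$line" >> "$dst"
}

# populate_chroot_ids JAIL USER GROUP [PASSWD] [GROUPFILE]
# The article's passwd/group step, done with anchored matches and
# world-readable files (sshd inside the jail must resolve uid/gid to names).
populate_chroot_ids() {
    jail=$1; user=$2; group=$3
    passwd=${4:-/etc/passwd}; grpfile=${5:-/etc/group}
    mkdir -p "$jail/etc"
    copy_entry "$group" "$grpfile" "$jail/etc/group" || return 1
    copy_entry "$user" "$passwd" "$jail/etc/passwd" || return 1
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
}

# check_chroot_sftp JAIL USER GROUP: 0 when everything sftp needs is visible
# inside the jail, 1 with a reason on stderr otherwise. Run it before
# restarting sshd so a missing bind mount shows up here rather than as a
# client-side error. Only the name lookup and the two mounted paths are checked.
check_chroot_sftp() {
    jail=$1; user=$2; group=$3
    [ -x "$jail/usr/libexec/openssh/sftp-server" ] \
        || { echo "sftp-server not found in $jail" >&2; return 1; }
    [ -n "$(ls -A "$jail/lib64" 2>/dev/null)" ] \
        || { echo "$jail/lib64 is empty: bind mount missing" >&2; return 1; }
    grep -q "^${user}:" "$jail/etc/passwd" 2>/dev/null \
        || { echo "$user not in $jail/etc/passwd" >&2; return 1; }
    grep -q "^${group}:" "$jail/etc/group" 2>/dev/null \
        || { echo "$group not in $jail/etc/group" >&2; return 1; }
}
```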

Testing

Execute the following command for ssh login and sftp file transfer testing.

# SFTP file transfer
$ sftp testssh@192.168.1.1
testssh@192.168.1.1's password:
Connected to 192.168.1.1.
sftp> ls
file1.txt

# SSH Login
$ ssh testssh@192.168.1.1
testssh@192.168.1.1's password:
-bash-4.2$ pwd
/home/testssh
-bash-4.2$ ls
file1.txt


About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
