Configurations Sftp server chroot (sftp chroot)



  Note:-
·         need to open port or disabled iptables.
·         Selinux need to disabled 


1. Create a New Group
Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
# groupadd sftpusers
2. Create Users (or Modify Existing User)
Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.
The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).
# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser
Verify that the user got created properly.
# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin
If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:
# usermod -g sftpusers -d /incoming -s /sbin/nologin john
On a related note, if you have to transfer files from windows to Linux, use any one of the sftp client mentioned in this top 7 sftp client list.
3. Setup sftp-server Subsystem in sshd_config
You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).
Modify the the /etc/ssh/sshd_config file and comment out the following line:
#Subsystem       sftp    /usr/libexec/openssh/sftp-server
Next, add the following line to the /etc/ssh/sshd_config file
Subsystem       sftp    internal-sftp
# grep sftp /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp
4. Specify Chroot Directory for a Group
You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config
# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
In the above:
  • Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
  • ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
  • ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.
5. Create sftp Home Directory
Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).
# mkdir /sftp
Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.
# mkdir /sftp/guestuser
So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.
So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.
# mkdir /sftp/guestuser/incoming
6. Setup Appropriate Permission
For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.
Set the owenership to the user, and group to the sftpusers group as shown below.
# chown guestuser:sftpusers /sftp/guestuser/incoming
The permission will look like the following for the incoming directory.
# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming
The permission will look like the following for the /sftp/guestuser directory
# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser

# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
7. Restart sshd and Test Chroot SFTP
Restart sshd:
# service sshd restart
Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory.
# sftp guestuser@thegeekstuff.com
guestuser@thegeekstuff's password:

sftp> pwd
Remote working directory: /incoming

sftp> cd /
sftp> ls
incoming
When guestuser transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/guestuser/incoming directory on the system.




Comments

Post a Comment

Popular posts from this blog

Pnp4Nagios installation and configuration on nagios4

Image
PNP4Nagios // we assume you have already install nagios core  Part 1.  installation of pnp4nagios We start with the simplest. We download the latest available version of pnp4nagios, in our case 0.6.24, unpack, compile and activate the service. Prerequisite software required     - rrdtool     - librrds-perl     - g++     - php5-cli     - php5-gd     - libapache2-mod-php5 tar zxvf pnp4nagios-0.6.24.tar.gz cd pnp4nagios-0.6.24 ./configure make all make fullinstall To check pnp4nagios   http://localhost/pnp4nagios/ We must remove the following file if we have the pnp4nagios: rm -rf /usr/local/pnp4nagios/share/install.php Part 2.  Edit nagios.cfg This is the most complicated part, we need to edit the file and add the following lines indicated. We begin with the main configuration file for Nagios, where besides adding the lines  look for the "process_performance_data" parameter and will equal 1. vi /usr/local/
Read more

Kubernetes with UI installation on Ubuntu 14.04

Kubernetes with UI over Docker 1. Install prerequisite software packages on both $apt-get update $apt-get install ssh curl vim 2.  Docker installation sudo apt-get update sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D touch /etc/apt/sources.list.d/docker.list echo deb https://apt.dockerproject.org/repo ubuntu-trusty main > /etc/apt/sources.list.d/docker.list sudo apt-get update sudo apt-get purge lxc-docker sudo apt-cache policy docker-engine sudo apt-get install docker-engine -y 3.ssh-keygen -t rsa 4.Copy the ssh id_rsa key locally ///  optional for passwordless auth $ ssh-copy-id -i /root/.ssh/id_rsa.pub 127.0.0.1 5. In case this command fails please use this alternative solution in order to add the key //optional $ cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys 6.Validate the password-less ssh-login // optional passwordless auth test $
Read more