Friday 5 August 2016

Creating a chrooted sftp account

SFTP is a utility similar to scp in that it is used to download & upload files, but sftp offers a lot of inbuilt commands & additional customization.

In this example, I'm going to create a chrooted sftp account. So the user will have sftp access only, i.e. no login shell, & will be restricted to its home directory.

First we create the user, set its shell to /sbin/nologin & change the ownership of its home directory to root. sshd will only chroot into a directory that is owned by root & not writable by group or others, which is why the home directory gets chown root:root & chmod 755 below. Then we create a directory under the user's home directory, owned by the user, for uploading/downloading files.

[root@cfeclient ~]# groupadd sftpusers
[root@cfeclient ~]# useradd -g sftpusers sftptest -s /sbin/nologin
[root@cfeclient ~]# passwd sftptest
Changing password for user sftptest.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@cfeclient ~]#
[root@cfeclient ~]# ls -ld /home/sftptest/
drwx------. 2 sftptest sftpusers 59 Aug  5 10:04 /home/sftptest/
[root@cfeclient ~]# chown root:root /home/sftptest/
[root@cfeclient ~]# chmod 755 /home/sftptest/
[root@cfeclient ~]# grep sftptest /etc/passwd
sftptest:x:1004:1005::/home/sftptest:/sbin/nologin
[root@cfeclient ~]# mkdir /home/sftptest/folder
[root@cfeclient ~]# chown sftptest /home/sftptest/folder/
[root@cfeclient ~]# ls -ld /home/sftptest/folder/
drwxr-xr-x. 2 sftptest root 6 Aug  5 10:06 /home/sftptest/folder/
[root@cfeclient ~]#

That does it with the user setup. Now we need to edit our sshd_config file:

Change the subsystem directive from 
 
Subsystem      sftp    /usr/libexec/openssh/sftp-server

To 

Subsystem       sftp    internal-sftp

Add the following lines:

Match Group sftpusers
                ChrootDirectory %h
                ForceCommand internal-sftp


The name “internal-sftp” implements an in-process “sftp” server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients. I'll demonstrate how this works in practice in a demo below.

In the Match Group stanza we specify that for any member of the group sftpusers the ChrootDirectory will be their home directory, denoted by %h, & that they will be able to run internal-sftp only. Note that a Match block applies to every directive that follows it until the next Match or the end of the file, so these lines belong at the end of sshd_config.
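The user setup & sshd_config edits above, as an added example that is not part of the original post: the steps are wrapped in shell functions, together with checks for the two things sshd enforces before it will chroot an sftp session (the ChrootDirectory ownership/mode rule & the Subsystem / Match Group directives). It assumes GNU coreutils (stat -c) & a RHEL/CentOS-style layout with /etc/ssh/sshd_config; the function & variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: the user-setup steps and the
# sshd_config edits from the post as reusable shell functions, plus checks for
# the conditions sshd enforces before it will chroot an SFTP session.
# Assumptions: GNU coreutils (stat -c) and a RHEL/CentOS-style layout with
# /etc/ssh/sshd_config, as in the post.

# sshd refuses a ChrootDirectory that is not owned by root or that is writable
# by group or others ("bad ownership or modes for chroot directory" in the log).
# This checks a single directory; check_chroot_path walks the whole path.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" -ne 0 ]; then
        echo "$dir: must be owned by root (uid 0), owner is uid $owner" >&2
        return 1
    fi
    # Group digit is the second to last, others digit the last one; a digit of
    # 2, 3, 6 or 7 has the write bit set.
    case $mode in
        *[2367][0-7]) echo "$dir: must not be group-writable (mode $mode)" >&2; return 1 ;;
    esac
    case $mode in
        *[2367]) echo "$dir: must not be world-writable (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# sshd applies the same test to every component of the path, so /home and /
# have to pass as well.
check_chroot_path() {
    p=$1
    while :; do
        check_chroot_dir "$p" || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Print the Match block from the post for the given group.
sftp_match_block() {
    printf 'Match Group %s\n    ChrootDirectory %%h\n    ForceCommand internal-sftp\n' "$1"
}

# Verify that an sshd_config uses internal-sftp as the sftp subsystem and that
# the Match Group block for $2 carries both ChrootDirectory and
# ForceCommand internal-sftp. Keywords are case-insensitive in sshd_config.
check_sshd_config() {
    cfg=$1
    group=$2
    if ! grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp[[:space:]]*$' "$cfg"; then
        echo "$cfg: Subsystem sftp is not internal-sftp" >&2
        return 1
    fi
    awk -v g="$group" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == g); next }
        inblk && tolower($1) == "chrootdirectory" { chroot = 1 }
        inblk && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        END {
            if (!(chroot && force)) {
                print FILENAME ": Match Group " g " lacks ChrootDirectory or ForceCommand internal-sftp" > "/dev/stderr"
                exit 1
            }
        }
    ' "$cfg"
}

# The steps from the post, in order: group, user with no login shell, root-owned
# home directory, user-owned upload directory under it. Must run as root.
setup_sftp_user() {
    group=$1
    user=$2
    home=/home/$user
    getent group "$group" >/dev/null || groupadd "$group"
    useradd -g "$group" -s /sbin/nologin "$user"
    chown root:root "$home"
    chmod 755 "$home"
    mkdir -p "$home/folder"
    chown "$user" "$home/folder"
    check_chroot_path "$home"
}

# Usage, as root, once these functions are sourced. The sed line and the
# appended Match block are the two sshd_config edits from the post; sshd -t
# validates the file before the daemon is restarted.
#   setup_sftp_user sftpusers sftptest
#   passwd sftptest
#   sed -Ei 's|^Subsystem[[:space:]]+sftp[[:space:]]+.*|Subsystem sftp internal-sftp|' /etc/ssh/sshd_config
#   sftp_match_block sftpusers >> /etc/ssh/sshd_config
#   check_sshd_config /etc/ssh/sshd_config sftpusers && sshd -t && systemctl restart sshd
```

check_chroot_path is the check worth running whenever a chrooted login fails with "bad ownership or modes" in /var/log/secure: a group-writable /home or home directory is enough for sshd to drop the connection.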

So, here's the demo:

Let's login as sftptest user.

[root@cent ~]# sftp sftptest@cfeclient
sftptest@cfeclient's password:
Connected to cfeclient.
sftp> pwd
Remote working directory: /

Notice that when we ran the pwd command it returned / as the output & not /home/sftptest/, because inside the chroot the home directory is the root of the filesystem.

If we run ls to check the contents:

sftp> ls
folder
sftp> cd folder/
sftp> put file
Uploading file to /folder/file
file                                    100%    0     0.0KB/s   00:00
sftp> ls
file
sftp>
sftp> ls -l
-rwxr-xr-x    1 1004     1005            0 Aug  5 14:50 file

So we are indeed in the /home/sftptest/ directory & we were able to upload a file to the folder directory. Note that ls -l shows the numeric IDs 1004 & 1005 instead of user & group names, because there is no /etc/passwd or /etc/group inside the chroot to resolve them.

If we check on the server as the root user we'll find that the file is in /home/sftptest/folder:

[root@cfeclient folder]# pwd
/home/sftptest/folder
[root@cfeclient folder]# ll
total 0
-rwxr-xr-x. 1 sftptest sftpusers 0 Aug  5 10:50 file

If we try to change to any directory outside our home directory, the session won't allow it & we'll get the following error:

sftp> cd /etc
Couldn't canonicalise: No such file or directory
sftp> cd /var
Couldn't canonicalise: No such file or directory
sftp>
