zoukankan      html  css  js  c++  java
  • How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)

    1. Create a New Group

    Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

    # groupadd sftpusers

    2. Create Users (or Modify Existing User)

    Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

    The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).

    # useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
    # passwd guestuser

    Verify that the user got created properly.

    # grep guestuser /etc/passwd
    guestuser:x:500:500::/incoming:/sbin/nologin

    If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:

    # usermod -g sftpusers -d /incoming -s /sbin/nologin john

    On a related note, if you have to transfer files from windows to Linux, use any one of the sftp client mentioned in this top 7 sftp client list.

    3. Setup sftp-server Subsystem in sshd_config

    You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).

    Modify the the /etc/ssh/sshd_config file and comment out the following line:

    #Subsystem       sftp    /usr/libexec/openssh/sftp-server

    Next, add the following line to the /etc/ssh/sshd_config file

    Subsystem       sftp    internal-sftp
    # grep sftp /etc/ssh/sshd_config
    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
    Subsystem       sftp    internal-sftp

    4. Specify Chroot Directory for a Group

    You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

    # tail /etc/ssh/sshd_config
    Match Group sftpusers
            ChrootDirectory /sftp/%u
            ForceCommand internal-sftp

    In the above:

    • Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
    • ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
    • ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.

    5. Create sftp Home Directory

    Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).

    # mkdir /sftp

    Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.

    # mkdir /sftp/guestuser

    So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.

    So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.

    # mkdir /sftp/guestuser/incoming

    6. Setup Appropriate Permission

    For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.

    Set the owenership to the user, and group to the sftpusers group as shown below.

    # chown guestuser:sftpusers /sftp/guestuser/incoming

    The permission will look like the following for the incoming directory.

    # ls -ld /sftp/guestuser/incoming
    drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming

    The permission will look like the following for the /sftp/guestuser directory

    # ls -ld /sftp/guestuser
    drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser
    
    # ls -ld /sftp
    drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp

    7. Restart sshd and Test Chroot SFTP

    Restart sshd:

    # service sshd restart

    Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory.

    # sftp guestuser@thegeekstuff.com
    guestuser@thegeekstuff's password:
    
    sftp> pwd
    Remote working directory: /incoming
    
    sftp> cd /
    sftp> ls
    incoming

    When guestuser transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/guestuser/incoming directory on the system.

    Note: If you have encountered below error:
    Write failed: Broken pipe
    Couldn't read packet: Connection reset by peer

    Make sure the chroot directory (/sftp/guestuser) has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

    Use the following command:

    chown root:root /sftp/guestuser

    Implement Logging

    1. Make syslog available in the chroot

    Create a dev directory in each user’s chrooted directory:

    # mkdir /sftp/guestuser/dev

    The folder permission should be rwxr-xr-x.

    2. Configure rsyslog to probe the new logging source

    Put the following contents in /etc/rsyslog.conf :

    # Create an additional socket for the sshd chrooted users.

    $AddUnixListenSocket /sftp/guestuser/dev/log

    3. Configure OpenSSH for logging

    Modify the following contents in /etc/ssh/sshd_config:

    Match Group sftpusers

    ChrootDirectory /sftp/%u

    X11Forwarding no

    AllowTcpForwarding no

    ForceCommand internal-sftp -f LOCAL7 -l INFO

    4. Restart sshd and rsyslog Service

    # service sshd restart

    # service rsyslog restart

    5. Verify file log

    Log in to the SFTP server using comfort account

    Verify log in /var/log/secure

  • 相关阅读:
    公司-科技-电商:京东
    公司-科技-协调:泛微
    公司-科技-财务:新中大
    公司-科技-财务:金蝶
    公司-科技-财务:用友
    公司-科技:SAMSUNG
    杂项-公司:华为
    “莆田系”到底是个什么玩意儿?
    Java 虚拟机是如何判定两个 Java 类是相同的?
    java类加载器是什么?
  • 原文地址:https://www.cnblogs.com/zhaobin/p/3470657.html
Copyright © 2011-2022 走看看