This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website. For example: sftpluke needs to upload files to /var/www/vhost/lukeslinuxlessons/. You can chroot sftpluke to /home/chroot/sftpluke/ and then mount /var/www/vhost/lukeslinuxlessons/ to their home directory. This means they can upload to the correct website directory without needing access to it.
Quick Links
sFTP Group
Creating a chroot directory
Creating a chroot user
Configuring sshd_config
Permissions for chroot directory
Mounting
Testing Chroot sFTP
sFTP Only Group
groupadd sftponly
Creating a chroot Directory
Now we need to create a home directory which we will be chrooting our sFTP user to. In this directory you are able to have more directories, each one relating to a different website etc. You should create the directory with the command.
mkdir -p /home/chroot/lukes-jail/
If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g
mkdir -p /home/chroot/sams-jail/
Adding a chroot user
We can now add a user with a specific home directory and NO shell login. This means they will NOT be able to SSH into the server, only sFTP. We will also add the user to the sftponly group.
useradd -d /home/chroot/lukesjail/ -s /sbin/nologin -G sftponly lukeisjailed
Now change the password with
Configuring sshd_config file
We need to make a few changes to /etc/ssh/sshd_config file.
You will need to locate and comment-out the following line:
Subsystem sftp /usr/libexec/openssh/sftp-server
Once you have done this you will need to add the following lines to the bottom of the file:
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp
Now you need to restart sshd. You can either run sshd -t first (which should return NO message) or you can be brave and just perform service sshd restart
Permissions
Now we need to make sure that the home directory for the lukeisjailed user has the correct permissions.
You should perform the following:
chmod 711 /home/chroot/
chmod 755/home/chroot/lukesjail/
chown root:root /home/chroot/lukes-jail/
You will then need to set the permissions of the mount directory (e.g /home/chroot/lukes-jail/website1/) to user:group with
chown lukeisjailed:sftponly /home/chroot/lukes-jail/website1/
Mounting
We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab:
/var/www/vhost/lukeslinuxlessons/ /home/chroot/lukes-jail/website1/ none bind 0 0
Now we can mount a specific directory to the users chrooted home directory.
mount /home/chroot/lukes-jail/website1/
This command mounts the directory stated in /etc/fstab to the directory we have just specified (/home/chroot/lukes-jail/website1/)
Testing sFTP chroot
You can test the chroot a couple of ways.
Try logging in with the user via ssh, this should fail as we have disabled ssh login.
Now we can test sftp via command line with
sftp [email protected]
This should prompt you for a password and then successfully log in. You should see:
sftp>
Now you can test to see if it has been configured correctly by typing the following:
sftp> pwd Remote working directory: / sftp> ls website1 sftp> cd website1 sftp> ls file1 file2 file3
Troubleshooting
This section will be updated regularly with issues and fixes.
sftp [email protected] -v
The command above should tell you if the issue is a password for the user is correct or not