In my previous article I showed you how to set up FTP on a Linux machine. In this article I'll show you how to set up chroot SFTP on a Linux machine.
SFTP is a secure file transfer protocol that replaces plain FTP. FTP sends the entire session, including credentials, in plain text, which violates security policies and leaves it vulnerable to eavesdropping. SFTP encrypts the entire transmission, including the authentication information.
SFTP uses SSH to provide a secure file transfer protocol. Compared to SCP, it allows a wider range of operations on remote files, such as changing permissions and ownership, removing files and resuming downloads.
It is recommended when you don't want to give users shell access but still want the security of SSH for file transfer. If you don't like the CLI, there are many GUI tools for SFTP, such as FileZilla, JFTP and PuTTY.
Now let's start the SFTP server chroot configuration. The first step is to add a new group using the following command:
$ sudo groupadd groupName
Create the user that will use SFTP inside the jail environment.
$ sudo useradd userName
Set the password for the user you created above.
$ sudo passwd userName
Enter the password and confirm it.
The next step is to make this user a member of the group we created before (note that -G without -a replaces the user's existing supplementary groups, which is fine for a freshly created user):
$ sudo usermod -G groupName userName
Now look at your /etc/group file using the command:
$ cat /etc/group
At the end of this file you will see that the user is listed under the group, like this:
In this case my group name is “sftponly” and my username is “SFTP”.
Now create a directory using the following command:
$ sudo mkdir -p /var/www/virtual-users/SFTP
Here SFTP is the username of my user. We create this directory because it will be the home directory of our new user. Go to this directory:
$ cd /var/www/virtual-users/SFTP
Make sure the SFTP directory is owned by root (sshd refuses to chroot into a directory that is not root-owned or that is writable by group or others). Now create another folder inside the SFTP directory:
$ sudo mkdir incomming
You need to make sure that the owner of the “incomming” directory is SFTP, since this is the only place the jailed user will be able to write. For this purpose use the following command:
$ sudo chown SFTP incomming/
To check the ownership, type the following command:
$ ls -l
The output will look like this:
total 4
drwxr-xr-x 2 SFTP root 4096 Jul 19 18:25 incomming
Now change the home directory of the new user using the following command:
$ sudo usermod -d /var/www/virtual-users/SFTP/ SFTP
To check the home directory of the new user, type the following command:
$ cat /etc/passwd
You will see that the home directory has changed, like this:
Now we want to deny the user shell access. For that purpose use the following command:
$ sudo usermod -s /bin/false userName
Now open your sshd_config file and make some changes.
$ sudo vi /etc/ssh/sshd_config
Search for the following lines:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Replace the Subsystem line with the following line (the external sftp-server binary is not reachable from inside the jail, so the in-process implementation is used instead):
Subsystem sftp internal-sftp
After this, put the following lines at the end of the file:
# for chroot sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
Now save and quit the file.
Restart the sshd service using the following command:
$ sudo service sshd restart
If everything is fine, go to another (client) machine and connect like this:
SFTP is my username and “192.168.12.109” is the IP of the server where I set up the SFTP environment. It will ask for your user's password; enter it and, if everything is fine, it will connect to the SFTP server and the cursor will blink at the “sftp>” prompt.
If you try to access the system's root directories you will not be allowed to: the user is confined to its chroot.
You can upload and download files using the “put” and “get” commands.