How to Setup Chroot SFTP in Linux

In my previous article I showed how to set up FTP on a Linux machine; in this article I'll show how to set up a chroot-jailed SFTP server on Linux.

SFTP (the SSH File Transfer Protocol) is the secure alternative to FTP. Plain FTP sends the whole session, including the username and password, in clear text, which violates most security policies and exposes credentials and data to anyone on the network path. SFTP runs over SSH, so authentication and every transfer are encrypted and integrity-protected.
Because SFTP is an SSH subsystem, it gets SSH's authentication and encryption for free. Compared with SCP it supports a much wider range of operations on remote files: listing directories, changing permissions and ownership, renaming and removing files, and resuming interrupted downloads.
It is the recommended choice when you don't want to give users a shell but still want the security of SSH for file transfers. If you don't like the CLI, there are many GUI clients that speak SFTP, such as FileZilla and JFTP; PuTTY ships its own command-line client, psftp.
Now let's start the chroot SFTP server configuration. The first step is to add a new group for the jailed users:

 $ sudo groupadd groupName

Create the user that will use SFTP inside the jail:

 $ sudo useradd userName

Set a password for the user you just created:

$ sudo passwd userName

Enter the new password and confirm it.

Next, make this user a member of the group we created before. Use -a together with -G so the user is appended to the group; a bare -G replaces all of the user's existing supplementary groups:

$ sudo usermod -aG groupName userName

Now look at your /etc/group file:

$ cat /etc/group

At the end of the file you will see the user listed as a member of the group:

sftponly:x:1003:SFTP
SFTP:x:1004:

In this case my group name is "sftponly" and my username is "SFTP".
Now create the directory that will become the user's home:

 $ sudo mkdir -p /var/www/virtual-users/SFTP

Here SFTP is the username. We create this directory because it will be the home directory of the new user and, as we will see, the root of the chroot. Change into it:

 $ cd /var/www/virtual-users/SFTP

Make sure the SFTP directory, and every directory above it up to /, is owned by root and not writable by group or others; sshd refuses the login otherwise. Because the user therefore cannot write into the chroot root itself, create a subdirectory inside it for uploads:

 $ sudo mkdir incomming

Make the SFTP user the owner of the "incomming" directory so that it can write there. Use the following command:

 $ sudo chown SFTP  incomming/

To check the ownership, type the following command:

$ ls -l

The output should look like this:

total 4
drwxr-xr-x 2 SFTP root 4096 Jul 19 18:25 incomming

Now set the home directory of the new user to the chroot directory:

$ sudo usermod -d /var/www/virtual-users/SFTP/ SFTP

To check the home directory of the new user, look at its entry in /etc/passwd:

$ cat /etc/passwd

You will see that the home directory has changed (the shell field shown here is set in the next step):

SFTP:x:1003:1003::/var/www/virtual-users/SFTP/:/bin/false

The user must not get a shell. Set its login shell to /bin/false (or /sbin/nologin) with the following command:

$ sudo usermod -s /bin/false userName

Now open your sshd_config file and make some changes:

$ sudo vi /etc/ssh/sshd_config

Search for the following lines (the path to sftp-server differs between distributions; on Debian-based systems it is /usr/lib/openssh/sftp-server):

# override default of no subsystems
Subsystem    sftp   /usr/libexec/openssh/sftp-server

Replace the Subsystem line with the in-process SFTP server. It works inside a chroot because it needs no binaries or shared libraries from the jail:

Subsystem sftp internal-sftp

After this put the following lines at the end of the file. They must go at the end: everything after a Match line belongs to that block until the next Match, so a Match block placed earlier would capture the directives below it. ChrootDirectory %h makes each user's home directory the root of its jail, and ForceCommand internal-sftp ensures members of the group can only ever run the SFTP server, whatever command they request.

# for chroot sftp 
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no

Now save and quit the file.
Validate the configuration with sshd -t (a syntax error would otherwise stop sshd from starting and lock you out), then restart the sshd service. On Debian and Ubuntu the service is named ssh rather than sshd, and on systemd hosts you can use systemctl restart sshd instead:

$ sudo service sshd restart

If everything is fine, go to another (client) machine and connect like this:

$ sftp SFTP@192.168.12.109

SFTP is my username and 192.168.12.109 is the IP address of the server where I set up the SFTP environment. It will prompt for the user's password; enter it and, if everything is fine, you are connected and the prompt changes to "sftp>".
If you try to move above the home directory you will never get out of it: inside the jail, / is the user's home directory and the rest of the server's filesystem is not visible.

You can upload and download files using the "put" and "get" commands.
