SDB:SFTP server with Chroot

With the ChrootDirectory option of SFTP it is possible to restrict users who only need to transfer files via SFTP to any directory, including their home directory.


General

Since the 4.8p1 release of OpenSSH (and therefore available in all current openSUSE distributions), the SSH configuration file /etc/ssh/sshd_config has included the newly introduced ChrootDirectory option. This makes it easy to replace a basic FTP service with SFTP without the hassle of configuring encryption or bothering with FTP passive and active modes when operating behind a NAT router. It is also simpler than using packages such as rssh or scponly, or other patches, because it does not require setting up and maintaining (i.e. applying security updates to) a chroot environment.

Assumptions

  • You understand the basics of openSSH
  • You must have an up-and-running SSHD (the SSH daemon service). If not, refer to Configure openSSH

And you must be familiar with the following basics:

  • Working from the command line
  • Editing text files
  • Gaining root privileges (using su, sudo or login as root)
  • Be familiar with Yast2 module: “Users and Groups”

Configure SSHD

Edit /etc/ssh/sshd_config with your favourite editor as root.

SFTP subsystem

For ChrootDirectory to work, you must use the SFTP server built into SSHD. Locate the following line, comment it out and add the new option:

# override default of no subsystems
#Subsystem  sftp    /usr/lib64/ssh/sftp-server
Subsystem   sftp    internal-sftp

Match rule block

A "Match rule block" can be used to set specific options for certain users or groups. A "Match rule block" always has to be at the bottom of the configuration file. All options set below this line apply to this block, until the next "Match rule block" is specified. In this example a "Match rule block" is set up for the group "sftponly".

If you are using an AllowUsers or AllowGroups policy, you will also have to add the "sftponly" group, or its users, to one of those options.
Match group sftponly
   ForceCommand internal-sftp
   ChrootDirectory /home/%u
   X11Forwarding no
   AllowTcpForwarding no
  • The ForceCommand option makes sure that the restricted users can only use the SSHD for SFTP, so they have no possibility of opening a regular SSH session. The ForceCommand option must always be the first one! Don't let other examples on the internet misguide you. If "internal-sftp" is not running before the call to chroot(), then the chroot() will fail, since "internal-sftp" is doing all the dirty work that makes this possible. If the chroot() fails, the user is disconnected.
  • The ChrootDirectory option sets the new root directory for this user. %u is replaced by the username and %h by the path of the home directory. Using %u is strongly recommended, especially if you are going to create separate users for SFTP only, without local login.
  • X11Forwarding and AllowTcpForwarding are both set to no, to prevent the user from forwarding ports or starting remote X applications.

The configuration is now set so that the restricted user can only log in through SFTP, can only access the configured directory and cannot use the established connection for anything else. Save the file and exit your editor. Don't forget to reload your SSHD configuration with:

$rcsshd reload

Preparing directories

If permissions are not set correctly on the chroot directory, the operation will fail. This is a safety precaution of the ChrootDirectory option. The directory you chroot to must be owned by root. The group must be set to your "sftponly" group. Permissions must be set to 750, meaning:

  • Root can read and write
  • Members of the sftponly group can only read
  • World can neither read nor write
  • (Some guides on the internet say all parents of the chroot up to / also need those permissions. This is not true for us.)

A new directory for the Chroot will be created and permissions will be set as above in the following example. As root do:

$mkdir /sftp
$mkdir /sftp/chroot
$chown root:sftponly /sftp/chroot
$chmod 750 /sftp/chroot
$ls -l /sftp
drwxr-x--- 2 root sftponly 4096 2010-07-03 22:09 chroot

If the output of ls -l is similar to the above, your permissions are OK.

Prepare the users

Now you can simply add the users you want to restrict to the group "sftponly" using Yast2 > Security and Users > User and Group management. If you are creating separate users for the use of your SFTP server, it is also advisable to change their shell to /bin/false, preventing them from ever logging in to your system. When the call to chroot has been made and executed correctly, the SSHD will try to change the user's directory to /home/user, relative to the chroot directory. If this folder is not present, the user will remain in the chroot root. If you would like to change this behaviour, you must change the user's home directory to "/". The downside of this is that public key authentication can no longer be used in the default way.

You should now be able to log in to your computer as an sftponly user without being able to view your computer's actual root. (Try ls /; this should show you only the contents of your chroot directory.)

When using pam_google_authenticator.so you can exempt the sftponly group in /etc/pam.d/sshd by adding the line

auth [success=1 default=ignore] pam_succeed_if.so user ingroup sftponly

before the Google Authenticator auth line. The success=1 control skips the next module line for members of the group, so those users are not prompted for a one-time code.
