How to Configure Chroot SFTP Server in Linux
There are some scenario where system admin wants only few users should be allowed to transfer files to Linux boxes but no ssh. We can achieve this by setting up SFTP in chroot environment.
Background of SFTP & chroot :
SFTP stands for SSH File Transfer protocol or Secure File Transfer Protocol. SFTP provides file access, file transfer, and file management functionalities over any reliable data stream. When we configure SFTP in chroot environment , then only allowed users will be limited to their home directory , or we can say allowed users will be in jail like environment where they can’t even change their directory.
In article we will configure Chroot SFTP server on RHEL & CentOS system . We have one user ‘Jack’ , this user will be allowed to transfer files on Linux box but no ssh access.
Step :1) Create a group
Create sftp_users group using groupadd command,
[[email protected] ~]# groupadd sftp_users
Step: 2) Assign the secondary group(sftp_users) to the user
If the users doesn’t exist on system , use below command command to create it,
[[email protected] ~]# useradd -G sftp_users -s /sbin/nologin jack [[email protected] ~]# passwd jack
For already existing users , use below usermod command :
[[email protected] ~]# usermod –G sftp_users -s /sbin/nologin jack
Note : If you want to change the default home directory of users , then use ‘-d’ option in useradd and usermod command and set the correct permissions.
Step :3) Now edit the config file “/etc/ssh/sshd_config”
Edit the sshd_config using your favorite editor,
# vi /etc/ssh/sshd_config #comment out the below line and add a line like below #Subsystem sftp /usr/libexec/openssh/sftp-server Subsystem sftp internal-sftp # add Below lines at the end of file Match Group sftp_users X11Forwarding no AllowTcpForwarding no ChrootDirectory %h ForceCommand internal-sftp
Match Group sftp_users – This indicates that the following lines will be matched only for users who belong to group sftp_users
ChrootDirectory %h – This is the path(default user’s home directory) that will be used for chroot after the user is authenticated. So, for Jack, this will be /home/jack.
ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.
After making the above changes, restart the ssh service using following command,
[[email protected] ~] # systemctl restart sshd
Step :4) Set the required permissions on user’s home directory
As in our demonstration we are using jack user as sftp user, so run the following commands to set the required permissions on his home directory,
[[email protected] ~]# chmod 755 /home/jack [[email protected] ~]# chown root /home/jack [[email protected] ~]# chgrp -R sftp_users /home/jack
In case you want that jack user should be allowed to upload files, then create a upload folder with the below permissions ,
[[email protected] jack]# mkdir /home/jack/upload [[email protected] jack]# chown jack. /home/jack upload/
In case selinux is enabled on your system then execute the following command to set selinux rules,
[[email protected] ~] setsebool -P ssh_chroot_full_access on
Step :5) Test Sftp server
First try to access the system using ssh via jack user,
As we can see in output above user jack is allowed to ssh.
Now let’s try to login using sftp,
As you can see above, jack user is logged in via SFTP and but can’t change the directory because of chroot environment.
Now do the uploading and downloading testing as shown below:
As we can see above , both uploading & downloading working fine for jack user. That’s conclude the article, you are most welcome to share your feedback and comments in the comments sections below.