
Sunday, 9 September 2018

How to Configure Chroot SFTP Server on RHEL/CentOS 7

Configure Chroot SFTP on CentOS 7

When multiple users work on a common project, they often require a common place to share their work with each other. This common place is called a collaborative directory. Usually, a collaborative directory is created without any authentication, which leads to conflicts between users. However, a properly configured collaborative directory can control the authentication and authorization of the legitimate users.

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. It runs over the SSH protocol and supports the full security and authentication functionality of SSH. SFTP has largely replaced the legacy FTP protocol and is much more reliable and secure than FTP.

Chroot is an operation that changes the apparent root directory for the currently running process and its child processes. The resulting environment is called a chroot jail. Users in a chroot jail cannot access files outside the designated directory.

In this article, we will configure a collaborative directory that lets our users securely upload and download files to and from the file server over SFTP, and limit user access to that directory by means of a chroot jail. We will also block shell access for the same credentials that users use for SFTP.

Note: All demonstrations in this article are CLI based, so it is recommended that you keep The Linux Command Line: A Complete Introduction at hand for quick reference.


System Specification:

We have configured a CentOS 7 machine with the following specification:

  • Hostname - fileserver-01.example.com
  • IP Address - 192.168.116.42/24
  • Operating System - RHEL 7.5


Configure Chroot SFTP Server on RHEL / CentOS 7:

Connect to the CentOS 7 server using ssh as the root user.

sftp is part of the openssh-clients package, which is already installed on almost all Linux distributions. Therefore, we don’t have to install it explicitly; we only have to configure it according to our requirements.

Create a group for collaborative users.

# groupadd -g 1501 dev

Create three collaborative users with dev as a supplementary group and /sbin/nologin as the login shell, so that these users cannot obtain a shell.

# useradd -u 1001 -G dev -s /sbin/nologin ahmer

# useradd -u 1002 -G dev -s /sbin/nologin mansoor

# useradd -u 1003 -G dev -s /sbin/nologin danish

Set the home directory of these users to /common (this path is relative to the chroot, so inside the jail it resolves to /chroot/sftp/common).

# usermod -d /common ahmer

# usermod -d /common mansoor

# usermod -d /common danish

Set passwords for the users.

# echo 123 | passwd ahmer --stdin
Changing password for user ahmer.
passwd: all authentication tokens updated successfully.

# echo 123 | passwd mansoor --stdin
Changing password for user mansoor.
passwd: all authentication tokens updated successfully.

# echo 123 | passwd danish --stdin
Changing password for user danish.
passwd: all authentication tokens updated successfully.

Create a directory for collaboration and adjust its permissions as required.

# mkdir -p /chroot/sftp
# chmod 555 /chroot/sftp
# mkdir /chroot/sftp/common/
# chgrp dev /chroot/sftp/common/
# chmod 2775 /chroot/sftp/common/

Configure the sshd service to handle the collaborative users.

# vi /etc/ssh/sshd_config

Find and comment out the following line.

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Add the following lines at the end of /etc/ssh/sshd_config.

Subsystem       sftp    internal-sftp

Match Group dev
 X11Forwarding no
 AllowTCPForwarding no
 ChrootDirectory /chroot/sftp/
 ForceCommand internal-sftp -u 007

We have set the umask to 007 so that users outside the group cannot access our files. You can adjust the umask according to your requirements (e.g. if group members should not be able to modify each other's files, set the umask to 027).

Save and exit the vi editor.

Restart the sshd service to apply the changes.

# systemctl restart sshd
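As an added check (example code, not part of the original article): sshd refuses to chroot a session unless every component of the ChrootDirectory path is owned by root and not writable by group or others, which is why /chroot/sftp is created root-owned with mode 555 above. The script below audits a chroot path and an sshd_config for the Match block shown; the scratch tree, the sample config and the OWNER_UID/STOP parameters are constructed for demonstration, and it assumes GNU stat as shipped on CentOS 7.

```shell
# Added audit helper (not from the original article) for the setup above:
# sshd only chroots a session if every component of ChrootDirectory is
# root-owned and not group/other writable. Assumes GNU stat (CentOS 7);
# OWNER_UID and STOP exist only so the check can run on a scratch tree.
# check_chroot_path DIR [OWNER_UID] [STOP]: walks DIR up to (excluding)
# STOP, prints offenders, returns 1 if any was found.
check_chroot_path() {
    p=$1; want_uid=${2:-0}; stop=${3:-/}; rc=0
    while [ -n "$p" ] && [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
        uid=$(stat -c '%u' "$p"); perms=$(stat -c '%A' "$p")
        # in "drwxr-xr-x" the 6th char is group write, the 9th other write
        case $perms in
            ?????w*|????????w*) echo "BAD writable: $p $perms"; rc=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD owner uid $uid (want $want_uid): $p"; rc=1
        fi
        p=$(dirname "$p")
    done
    return $rc
}
# check_sftp_match CONFIG GROUP: 0 if a "Match Group GROUP" block sets
# ChrootDirectory and "ForceCommand internal-sftp", else 1.
check_sftp_match() {
    awk -v grp="$2" '
        /^[[:space:]]*Match[[:space:]]/ { inblk = ($2 == "Group" && $3 == grp) }
        inblk && $1 == "ChrootDirectory"                       { chroot = 1 }
        inblk && $1 == "ForceCommand" && $2 == "internal-sftp" { force = 1 }
        END { exit (chroot && force) ? 0 : 1 }
    ' "$1"
}
# write_sample_config FILE: constructed copy of the Match block above.
write_sample_config() {
    cat > "$1" <<'EOF'
Match Group dev
 X11Forwarding no
 AllowTCPForwarding no
 ChrootDirectory /chroot/sftp/
 ForceCommand internal-sftp -u 007
EOF
}
# Stand-alone run on a scratch tree; on the real server use
# check_chroot_path /chroot/sftp ; check_sftp_match /etc/ssh/sshd_config dev
t=$(mktemp -d); mkdir -p "$t/chroot/sftp"
chmod 755 "$t/chroot"; chmod 555 "$t/chroot/sftp"
write_sample_config "$t/sshd_config"
check_chroot_path "$t/chroot/sftp" "$(id -u)" "$t" && echo "chroot path OK"
check_sftp_match "$t/sshd_config" dev && echo "Match block OK"
rm -rf "$t"
```

Run it after the sshd restart; a session for a dev user will hang up at login if the path check reports any component, so the check should be clean before testing with sftp.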


Test Chrooted SFTP:

Connect to fileserver-01.example.com using the sftp command.

# sftp ahmer@localhost
ahmer@localhost's password:
Connected to localhost.
sftp>

We have successfully connected to our server over SFTP.

Check the working and root directories.

sftp> pwd
Remote working directory: /common
sftp> ls -al /
dr-xr-xr-x    3 0        0              20 Sep  9 07:13 .
dr-xr-xr-x    3 0        0              20 Sep  9 07:13 ..
drwxrwsr-x    2 0        1501          163 Sep  9 07:56 common
sftp>

You can see that the user session is now inside the chroot jail, and the user cannot reach the actual filesystem from here.

Let’s upload a file to the server.

sftp> put hosts
Uploading hosts to /common/hosts
hosts                                         100%  158   244.7KB/s   00:00
sftp> ls -al
drwxrwsr-x    2 0        1501          176 Sep  9 08:10 .
dr-xr-xr-x    3 0        0              20 Sep  9 07:13 ..
-rw-rw----    1 1001     1501          158 Sep  9 08:10 hosts
sftp>

After various users have uploaded files, the directory looks like this:

# ls -al /chroot/sftp/common/
total 32
drwxrwsr-x. 2 root    dev   176 Sep  9 13:10 .
dr-xr-xr-x. 3 root    root   20 Sep  9 12:13 ..
-rw-rw----. 1 mansoor dev  1409 Sep  9 12:50 anaconda-ks1.cfg
-rw-rw----. 1 ahmer   dev  1409 Sep  9 12:48 anaconda-ks.cfg
-rw-rw----. 1 mansoor dev     0 Sep  9 12:10 exports
-rw-rw----. 1 ahmer   dev   506 Sep  9 12:16 fstab
-rw-rw----. 1 ahmer   dev   158 Sep  9 13:10 hosts
-rw-rw----. 1 ahmer   dev  1452 Jun  2 14:56 ldapserver.pem
-rw-rw----. 1 ahmer   dev   925 Sep  9 12:09 passwd
-rw-rw----. 1 danish  dev  2885 Sep  9 12:54 vmware-vgauthsvc.log.0
-rw-rw----. 1 ahmer   dev   813 Sep  9 12:53 yum.conf

Also verify that these users cannot connect using ssh.

# ssh mansoor@localhost
mansoor@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.

We have successfully configured a chrooted collaborative directory for SFTP users on CentOS 7, with a chroot jail and restricted shell access.


© 2022 CentLinux. All Rights Reserved.