Configure Chroot SFTP Server on RHEL / CentOS 7 - CentLinux - Installation Guides & HowTos


Sunday, 9 September 2018

Configure Chroot SFTP Server on RHEL / CentOS 7

Configure Chroot SFTP on CentOS 7

When multiple users work on a common project, they often requires a common place to share there work with each other. This common place is called a Collaborative Directory. Usually, a collaborative directory is created with no authentication that raises conflicts between users. However, a properly configured collaborative directory can control the authentication/authorization of the legitmate users.

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. it runs over the SSH protocol and supports the full security and authentication functionality of SSH. SFTP has pretty much replace legacy FTP protocol and much more reliable and secure then FTP.

Chroot is an operation that changes the apparent root directory for the current running process and its child processes. The environment is called chroot jail. Users in a chroot jail can not access the files outside the designated directory.

In this article, we will configure a collaborative directory for our users to securely upload/download files to/from the file server via SFTP protocol, and limit the user access to the collaborative directory by using chroot jail environment. Also we will restrict the Shell access using the same credentials that users have for SFTP.

Note: All demonstrations in this article are CLI based, therefore, it is recommended that you should have The Linux Command Line: A Complete Introduction for quick reference.


System Specification:

We have configured a CentOS 7 machine with following specification:

  • Hostname -
  • IP Address -
  • Operating System - RHEL 7.5

Read Also: Chroot Jail the Apache Web Server in RHEL/CentOS 7


Configure Chroot SFTP Server on RHEL / CentOS 7:

Connect with to the CentOS 7 server using ssh as root user.

sftp is the part of openssh-clients package, which is already installed in almost all linux distros. Therefore, we don’t have to explicitly install it on our machine, instead we will only configure it according to our requirements.

Create a group for collaborative users.

[root@fileserver-01 ~]# groupadd -g 1501 dev

Create 3 collaborative users with supplementary group of dev and login shell as /sbin/nologin to restrict shell access by the user.

[root@fileserver-01 ~]# useradd -u 1001 -G dev –s /sbin/nologin ahmer [root@fileserver-01 ~]# useradd -u 1002 -G dev –s /sbin/nologin mansoor [root@fileserver-01 ~]# useradd -u 1003 -G dev –s /sbin/nologin danish

Set the home directories of these users as /common.

[root@fileserver-01 ~]# usermod -d /common ahmer [root@fileserver-01 ~]# usermod -d /common mansoor [root@fileserver-01 ~]# usermod -d /common danish

Set passwords for the users.

[root@fileserver-01 ~]# echo 123 | passwd ahmer --stdin Changing password for user ahmer. passwd: all authentication tokens updated successfully. [root@fileserver-01 ~]# echo 123 | passwd mansoor --stdin Changing password for user mansoor. passwd: all authentication tokens updated successfully. [root@fileserver-01 ~]# echo 123 | passwd danish --stdin Changing password for user danish. passwd: all authentication tokens updated successfully. [root@fileserver-01 ~]#

Create a directory for collaboration and adjust permissions on it according to the requirement.

[root@fileserver-01 ~]# mkdir -p /chroot/sftp [root@fileserver-01 ~]# chmod 555 /chroot/sftp [root@fileserver-01 ~]# mkdir /chroot/sftp/common/ [root@fileserver-01 ~]# chgrp dev /chroot/sftp/common/ [root@fileserver-01 ~]# chmod 2775 /chroot/sftp/common/

Configure sshd service to handle the collaborative users.

[root@fileserver-01 ~]# vi /etc/ssh/sshd_config

Search and Comment the following line.

#Subsystem sftp /usr/libexec/openssh/sftp-server

Add following lines at the end of the /etc/ssh/sshd_config.

Subsystem sftp internal-sftp Match Group dev X11Forwarding no AllowTCPForwarding no ChrootDirectory /chroot/sftp/ ForceCommand internal-sftp –u 007

We have set the user mask as 007 to restrict the other users from accessing our files. However, you can adjust the umask according to your requirements.(e.g. if you required that the group members can not change each other files, then you can set the umask as 027).

Save and exit vi editor.

Restart sshd service to apply changes.

[root@fileserver-01 ~]# systemctl restart sshd


Test Chrooted SFTP:

Connect to the using sftp command.

[root@fileserver-01 etc]# sftp ahmer@localhost ahmer@localhost's password: Connected to localhost. sftp>

We have successfully connected to our server using SFTP protocol.

Check working and root directories.

sftp> pwd Remote working directory: /common sftp> ls -al / dr-xr-xr-x 3 0 0 20 Sep 9 07:13 . dr-xr-xr-x 3 0 0 20 Sep 9 07:13 .. drwxrwsr-x 2 0 1501 163 Sep 9 07:56 common sftp>

You can see that the user session is now in a chroot jail environment, and user can not access the actual filesystem from here.

let’s upload a file to the server.

sftp> put hosts Uploading hosts to /common/hosts hosts 100% 158 244.7KB/s 00:00 sftp> ls -al drwxrwsr-x 2 0 1501 176 Sep 9 08:10 . dr-xr-xr-x 3 0 0 20 Sep 9 07:13 .. -rw-rw---- 1 1001 1501 158 Sep 9 08:10 hosts sftp>

After uploading various files from different users, the status of the directory will be:

[root@fileserver-01 etc]# ls -al /chroot/sftp/common/ total 32 drwxrwsr-x. 2 root dev 176 Sep 9 13:10 . dr-xr-xr-x. 3 root root 20 Sep 9 12:13 .. -rw-rw----. 1 mansoor dev 1409 Sep 9 12:50 anaconda-ks1.cfg -rw-rw----. 1 ahmer dev 1409 Sep 9 12:48 anaconda-ks.cfg -rw-rw----. 1 mansoor dev 0 Sep 9 12:10 exports -rw-rw----. 1 ahmer dev 506 Sep 9 12:16 fstab -rw-rw----. 1 ahmer dev 158 Sep 9 13:10 hosts -rw-rw----. 1 ahmer dev 1452 Jun 2 14:56 ldapserver.pem -rw-rw----. 1 ahmer dev 925 Sep 9 12:09 passwd -rw-rw----. 1 danish dev 2885 Sep 9 12:54 vmware-vgauthsvc.log.0 -rw-rw----. 1 ahmer dev 813 Sep 9 12:53 yum.conf

Also check that our users can connect using ssh or not.

[root@fileserver-01 etc]# ssh mansoor@localhost mansoor@localhost's password: This service allows sftp connections only. Connection to localhost closed. [root@fileserver-01 etc]#

We have successfully configured a chrooted collaborative directory for SFTP users in CentOS 7 with chroot jail and restricted Shell Access.

1 comment: