Chrooted SFTP
In this post we will create a chrooted SFTP login for guest accounts on our Linux distribution.
Locate your sftp-server binary (the path differs between distributions; Debian and Ubuntu ship it as /usr/lib/openssh/sftp-server):
# locate sftp-server
/usr/libexec/openssh/sftp-server
/usr/share/man/man8/sftp-server.8.gz
Make sure /etc/ssh/sshd_config contains the following Subsystem line (replace any existing "Subsystem sftp ..." line; there may be only one). Note that internal-sftp does not run the sftp-server binary located above: it is an SFTP server built into sshd itself, which is exactly what makes it usable inside a chroot, where /usr/libexec does not exist. The locate step is only there to confirm which OpenSSH build and layout you have:
Subsystem sftp internal-sftp
Add one of the following blocks at the end of the file. Match blocks have to come last, because every directive after a Match line belongs to that block until the next Match. The first applies to every member of group users, the second only to the sftpuser account. For this exercise choose one or the other; be aware that the group variant locks every existing member of users into SFTP-only access, so on a system where ordinary accounts belong to that group the per-user variant is the safer choice:
Match Group users
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp

Match User sftpuser
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
The ForceCommand must be internal-sftp rather than the path of the sftp-server binary: the command is executed inside the chroot, where /usr/libexec/openssh/sftp-server does not exist. Note also that with ChrootDirectory /home the guest's view of the filesystem starts at /home, so every other home directory is visible and readable as far as its permissions allow; chrooting to the user's own home with ChrootDirectory %h is tighter, but then the home itself must be root-owned and the user needs a writable subdirectory inside it.
Create the /home/sftpuser/.ssh directory if you want key based logins. It is not required for login as such: when authorized_keys cannot be read, sshd logs the "Could not open authorized keys" message shown below and falls back to password authentication. sshd reads that file with the user's privileges, so the home directory and .ssh must be readable and traversable by the user even when the directory is owned by root.
Add the sftpuser and put it in the users group (-a keeps any supplementary groups the account already has; plain -G replaces them):
# useradd sftpuser
# usermod -aG users sftpuser
# id sftpuser
uid=508(sftpuser) gid=508(sftpuser) groups=508(sftpuser),100(users)
Ensure the chroot directory is owned by root and is not writable by group or others. sshd checks this for the ChrootDirectory path and for every directory above it, and refuses the session otherwise. With ChrootDirectory /home that means /home itself (chown root:root /home and chmod 755 /home). If you chroot to the user's own home instead, apply the same to /home/sftpuser and give the user a writable subdirectory inside it, because the user cannot create files directly in a root-owned directory.
Check the configuration with sshd -t (it reports syntax errors without touching the running daemon, which matters when you edit sshd_config over the SSH session a broken config would lock you out of), then restart the service with /etc/init.d/sshd restart or service sshd restart.
Test the configuration. Use the sftp client for the test: with ForceCommand internal-sftp the account gets no shell, so a plain ssh login is refused whether or not the chroot is set up correctly.
Problems encountered:
# ssh sftpuser@192.168.0.36
FIPS integrity verification test failed.
sftpuser@192.168.0.36's password:
Write failed: Broken pipe
The connection dropping right after the password prompt means the chroot directory is not owned by root (sshd logs "bad ownership or modes for chroot directory" on the server side in that case). The FIPS line comes from the self-check of the ssh build on the client and is unrelated. In case of problems, run sshd in debug mode on a spare port to see the cause: /sbin/sshd -p 2222 -D -ddd -e, then connect with sftp -oPort=2222 sftpuser@192.168.0.36 to test there.
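The whole procedure above (account, directory ownership, sshd_config block, restart) together with the ownership check behind the Broken pipe, as an added example that is not part of the original post. The script assumes GNU coreutils (stat -c, install) and an OpenSSH build with internal-sftp; the user name sftpuser, the upload subdirectory and the service command are hypothetical placeholders. It goes slightly beyond the post by chrooting to the user's own home (ChrootDirectory %h) instead of /home, so each guest sees only their own tree, and the checker walks the chroot path the way sshd does before it admits a session.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c,
# install) and OpenSSH with the internal-sftp subsystem. The user name and
# directory names are hypothetical placeholders.

# chroot_component_ok UID MODE
# One directory passes sshd's ChrootDirectory rule only if it is owned by
# root (uid 0) and neither group nor others may write to it. MODE is the
# octal string that `stat -c %a` prints, e.g. 755 or 1777 (no leading 0).
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1
    mode=$2
    oth=${mode#"${mode%?}"}            # last octal digit: others
    tmp=${mode%?}
    grp=${tmp#"${tmp%?}"}              # second to last digit: group
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]   # bit 2 = write
}

# check_chroot_path DIR
# Walks from DIR up to / and fails on the first component that violates
# the rule. This is the condition behind sshd's "bad ownership or modes for
# chroot directory" and the client's "Write failed: Broken pipe".
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: not a directory"; return 1; }
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info                   # $1 = uid, $2 = octal mode
        if ! chroot_component_ok "$1" "$2"; then
            echo "$dir: uid $1 mode $2 (needs root owner, no group/other write)"
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# sftp_chroot_config USER
# Prints the Match block to append to sshd_config. %h expands to the user's
# home directory, which therefore has to satisfy check_chroot_path.
sftp_chroot_config() {
    cat <<EOF
Match User $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# setup_sftp_user USER
# Creates the account and the layout a root-owned chroot needs: the home is
# root:root 755 (still readable, so sshd can read ~/.ssh/authorized_keys as
# the user) and uploads go to a user-owned subdirectory. Must run as root;
# it is not exercised by the offline check below.
setup_sftp_user() {
    user=$1
    home=/home/$user
    useradd -m "$user"
    chown root:root "$home"
    chmod 755 "$home"
    grp=$(id -gn "$user")
    install -d -o "$user" -g "$grp" -m 750 "$home/upload"
    install -d -o "$user" -g "$grp" -m 700 "$home/.ssh"
    check_chroot_path "$home" || return 1
    sftp_chroot_config "$user" >> /etc/ssh/sshd_config
    sshd -t && service sshd restart    # validate before restarting
}

# Stand-alone use: `sh sftp-chroot.sh /home/sftpuser` checks an existing path.
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: chroot path OK"
fi
```

Run the checker against the directory named in ChrootDirectory before restarting sshd: a world-writable parent such as /tmp fails the walk just as a user-owned home does, which is why a chroot placed under /tmp never works even when the leaf directory is root-owned.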
A typical issue you can see is:
debug1: Could not open authorized keys '/home/sftpuser/.ssh/authorized_keys': Permission denied
sshd logs this when it cannot read the file with the user's privileges. Create the .ssh directory (readable by the user) and populate authorized_keys if you want key logins; otherwise the message is harmless and password authentication still proceeds. Another error that can be seen is:
debug1: subsystem: cannot stat /usr/lib/openssh/sftp-server: Permission denied
Here the Subsystem line still names the external sftp-server binary, which cannot be used from inside the chroot. Use the first of the following; the commented variants all refer to the external program, and /usr/libexec/openssh/internal-sftp is not a file at all (internal-sftp is a keyword, not a path):
Subsystem sftp internal-sftp
# Subsystem sftp sftp-server
# Subsystem sftp /usr/libexec/openssh/sftp-server
# Subsystem sftp /usr/libexec/openssh/internal-sftp
Have Fun!
Cheers,
TK