1. Create a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

# groupadd sftpusers

2. Create Users (or Modify Existing User)

Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).

# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser

Verify that the user got created properly.

# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin

If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:

# usermod -g sftpusers -d /incoming -s /sbin/nologin john

On a related note, if you have to transfer files from windows to Linux, use any one of the sftp client mentioned in this top 7 sftp client list.

3. Setup sftp-server Subsystem in sshd_config

You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).

Modify the the /etc/ssh/sshd_config file and comment out the following line:

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file

Subsystem       sftp    internal-sftp
# grep sftp /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

4. Specify Chroot Directory for a Group

You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

# tail /etc/ssh/sshd_config
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp

In the above:

  • Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
  • ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
  • ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.

5. Create sftp Home Directory

Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).

# mkdir /sftp

Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.

# mkdir /sftp/guestuser

So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.

So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.

# mkdir /sftp/guestuser/incoming

6. Setup Appropriate Permission

For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.

Set the owenership to the user, and group to the sftpusers group as shown below.

# chown guestuser:sftpusers /sftp/guestuser/incoming

The permission will look like the following for the incoming directory.

# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming

The permission will look like the following for the /sftp/guestuser directory

# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser # ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp

7. Restart sshd and Test Chroot SFTP

Restart sshd:

# service sshd restart

Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory.

# sftp guestuser@thegeekstuff.com
guestuser@thegeekstuff's password: sftp> pwd
Remote working directory: /incoming sftp> cd /
sftp> ls
incoming

When guestuser transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/guestuser/incoming directory on the system.

Note: If you have encountered below error: 
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

Make sure the chroot directory (/sftp/guestuser) has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

Use the following command:

chown root:root /sftp/guestuser

Implement Logging

1. Make syslog available in the chroot

Create a dev directory in each user’s chrooted directory:

# mkdir /sftp/guestuser/dev

The folder permission should be rwxr-xr-x.

2. Configure rsyslog to probe the new logging source

Put the following contents in /etc/rsyslog.conf :

# Create an additional socket for the sshd chrooted users.

$AddUnixListenSocket /sftp/guestuser/dev/log

3. Configure OpenSSH for logging

Modify the following contents in /etc/ssh/sshd_config:

Match Group sftpusers

ChrootDirectory /sftp/%u

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp -f LOCAL7 -l INFO

4. Restart sshd and rsyslog Service

# service sshd restart

# service rsyslog restart

5. Verify file log

Log in to the SFTP server using comfort account

Verify log in /var/log/secure

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)的更多相关文章

  1. 如何在Linux中使用sFTP上传或下载文件与文件夹

    如何在Linux中使用sFTP上传或下载文件与文件夹 sFTP(安全文件传输程序)是一种安全的交互式文件传输程序,其工作方式与 FTP(文件传输协议)类似. 然而,sFTP 比 FTP 更安全;它通过 ...

  2. Linux命令之sftp - 安全文件传输命令行工具

    用途说明 sftp命令可以通过ssh来上传和下载文件,是常用的文件传输工具,它的使用方式与ftp类似,但它使用ssh作为底层传输协议,所以安全性比ftp要好得多. 常用方式 格式:sftp <h ...

  3. linux如何搭建sftp服务器

    工具/原料   centos7.2_x64 方法/步骤   创建sftp组 groupadd sftp 创建完成之后使用cat /etc/group命令组的信息   2 创建一个sftp用户mysft ...

  4. java通过sftp对linux服务器文件夹进行操作

    本文主要讲sftp对linux服务器的文件和文件夹进行操作,windows server 服务器不支持. package com.lx.ftp; import java.io.File; import ...

  5. Linux 下创建 sftp 用户并限定目录

    Linux 下创建 sftp 用户并限定目录 1.创建 sftpUser 用户组 [root@XXX ~]# groupadd sftpUser 2.创建 sftpUser 用户并指定目录 [root ...

  6. 我使用过的Linux命令之sftp - 安全文件传输命令行工具

    用途说明 sftp命令可以通过ssh来上传和下载文件,是常用的文件传输工具,它的使用方式与ftp类似,但它使用ssh作为底层传输协议,所以安全性比ftp要好得多. 常用方式 格式:sftp <h ...

  7. linux 上搭建sftp服务

    原文链接:https://www.cnblogs.com/yanduanduan/p/9046723.html sftp和ftp的区别 FTP是一种文件传输协议,一般是为了方便数据共享的.包括一个FT ...

  8. linux传输文件-sftp

    SFTP sftp登陆远程服务器 sftp username@ip 例如:sftp mqadmin@10.10.1.150 然后输入password即可   put:上传文件 例如:put iosta ...

  9. Windows和linux虚拟机之间联网实现SSH远程连接以及VMware的3种网络模式[NAT、桥接和Host-only]

    Windows和linux虚拟机之间联网实现SSH远程连接以及VMware的3种网络模式[NAT.桥接和Host-only] 作者:天齐 一.Windows和linux虚拟机之间联网实现SSH远程连接 ...

随机推荐

  1. JAVA的程序代码小细节,变量的使用,以及一些细节的面试题

    package cn.hncu; public class LableDemo { public static void main(String[] args) { //demo1(); demo2( ...

  2. Linux下搭建Oracle11g RAC(8)----创建ASM磁盘组

    以grid用户创建ASM磁盘组,创建的ASM磁盘组为下一步创建数据库提供存储. ① grid用户登录图形界面,执行asmca命令来创建磁盘组: ② 进入ASMCA配置界面后,单击Create,创建新的 ...

  3. Java基础知识强化之集合框架笔记56:Map集合之HashMap集合(HashMap<String,Student>)的案例

    1. HashMap集合(HashMap<String,Student>)的案例 HashMap是最常用的Map集合,它的键值对在存储时要根据键的哈希码来确定值放在哪里. HashMap的 ...

  4. asp gridview批量删除和全选

    本人新手刚学asp.net   全选和删除也是引用了他人的代码试了一试可以实现,感觉很好,就发了上来. 前台代码 <asp:GridView ID="GridView1" r ...

  5. css:nth-of-type()选择器用法

    今天做一个页面,无意中看到这个nth-of-type感觉挺方便的,之前单双行有的有横线,有的无横线一般在html中单独再写border-right:none等之类的.现在发现这个好东西赶紧记录下来. ...

  6. 【STL】string 常用函数

    string类的构造函数: string(const char *s); //用c字符串s初始化 string(int n,char c); //用n个字符c初始化 此外,string类还支持默认构造 ...

  7. 动态库DLL加载方式-静态加载和动态加载

    静态加载: 如果你有a.dll和a.lib,两个文件都有的话可以用静态加载的方式: message函数的声明你应该知道吧,把它的声明和下面的语句写到一个头文件中 #pragma comment(lib ...

  8. 使用DataList 分页方法

    什么是DataList我想应该不需要解释了,接下来分享本人在项目里使用到的通过DataList进行分页展示方法. 首先在ASPX页面添加一个DataList(后面都简称DL)控件,示例代码如下: &l ...

  9. spring配置文件中属性mappingLocations、mappingDirectoryLocations

    http://blog.csdn.net/vacblog/article/details/7774173

  10. XMPPFramework ios 例子中链接服务器失败,opnefire 服务器链接失败

    首先说下上周又做了几天得无用功, 之前一直用的是ejabberd ,这次换了opnefire,有人说opnefire跟新的xmpp协议不兼容,后来又更换成了ejabberd, Github 上得dem ...