How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)
1. Create a New Group
Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
# groupadd sftpusers
2. Create Users (or Modify Existing User)
Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.
The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).
# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser
Verify that the user got created properly.
# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin
If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:
# usermod -g sftpusers -d /incoming -s /sbin/nologin john
On a related note, if you have to transfer files from windows to Linux, use any one of the sftp client mentioned in this top 7 sftp client list.
3. Setup sftp-server Subsystem in sshd_config
You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).
Modify the the /etc/ssh/sshd_config file and comment out the following line:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Next, add the following line to the /etc/ssh/sshd_config file
Subsystem sftp internal-sftp
# grep sftp /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
4. Specify Chroot Directory for a Group
You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config
# tail /etc/ssh/sshd_config
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
In the above:
- Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
- ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
- ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.
5. Create sftp Home Directory
Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).
# mkdir /sftp
Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.
# mkdir /sftp/guestuser
So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.
So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.
# mkdir /sftp/guestuser/incoming
6. Setup Appropriate Permission
For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.
Set the owenership to the user, and group to the sftpusers group as shown below.
# chown guestuser:sftpusers /sftp/guestuser/incoming
The permission will look like the following for the incoming directory.
# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming
The permission will look like the following for the /sftp/guestuser directory
# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser # ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
7. Restart sshd and Test Chroot SFTP
Restart sshd:
# service sshd restart
Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory.
# sftp guestuser@thegeekstuff.com
guestuser@thegeekstuff's password: sftp> pwd
Remote working directory: /incoming sftp> cd /
sftp> ls
incoming
When guestuser transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/guestuser/incoming directory on the system.
Note: If you have encountered below error:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
Make sure the chroot directory (/sftp/guestuser) has to be owned by root
and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.
Use the following command:
chown root:root /sftp/guestuser
Implement Logging
1. Make syslog available in the chroot
Create a dev directory in each user’s chrooted directory:
# mkdir /sftp/guestuser/dev
The folder permission should be rwxr-xr-x.
2. Configure rsyslog to probe the new logging source
Put the following contents in /etc/rsyslog.conf :
# Create an additional socket for the sshd chrooted users.
$AddUnixListenSocket /sftp/guestuser/dev/log
3. Configure OpenSSH for logging
Modify the following contents in /etc/ssh/sshd_config:
Match Group sftpusers
ChrootDirectory /sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -f LOCAL7 -l INFO
4. Restart sshd and rsyslog Service
# service sshd restart
# service rsyslog restart
5. Verify file log
Log in to the SFTP server using comfort account
Verify log in /var/log/secure
How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)的更多相关文章
- 如何在Linux中使用sFTP上传或下载文件与文件夹
如何在Linux中使用sFTP上传或下载文件与文件夹 sFTP(安全文件传输程序)是一种安全的交互式文件传输程序,其工作方式与 FTP(文件传输协议)类似. 然而,sFTP 比 FTP 更安全;它通过 ...
- Linux命令之sftp - 安全文件传输命令行工具
用途说明 sftp命令可以通过ssh来上传和下载文件,是常用的文件传输工具,它的使用方式与ftp类似,但它使用ssh作为底层传输协议,所以安全性比ftp要好得多. 常用方式 格式:sftp <h ...
- linux如何搭建sftp服务器
工具/原料 centos7.2_x64 方法/步骤 创建sftp组 groupadd sftp 创建完成之后使用cat /etc/group命令组的信息 2 创建一个sftp用户mysft ...
- java通过sftp对linux服务器文件夹进行操作
本文主要讲sftp对linux服务器的文件和文件夹进行操作,windows server 服务器不支持. package com.lx.ftp; import java.io.File; import ...
- Linux 下创建 sftp 用户并限定目录
Linux 下创建 sftp 用户并限定目录 1.创建 sftpUser 用户组 [root@XXX ~]# groupadd sftpUser 2.创建 sftpUser 用户并指定目录 [root ...
- 我使用过的Linux命令之sftp - 安全文件传输命令行工具
用途说明 sftp命令可以通过ssh来上传和下载文件,是常用的文件传输工具,它的使用方式与ftp类似,但它使用ssh作为底层传输协议,所以安全性比ftp要好得多. 常用方式 格式:sftp <h ...
- linux 上搭建sftp服务
原文链接:https://www.cnblogs.com/yanduanduan/p/9046723.html sftp和ftp的区别 FTP是一种文件传输协议,一般是为了方便数据共享的.包括一个FT ...
- linux传输文件-sftp
SFTP sftp登陆远程服务器 sftp username@ip 例如:sftp mqadmin@10.10.1.150 然后输入password即可 put:上传文件 例如:put iosta ...
- Windows和linux虚拟机之间联网实现SSH远程连接以及VMware的3种网络模式[NAT、桥接和Host-only]
Windows和linux虚拟机之间联网实现SSH远程连接以及VMware的3种网络模式[NAT.桥接和Host-only] 作者:天齐 一.Windows和linux虚拟机之间联网实现SSH远程连接 ...
随机推荐
- JAVA的程序代码小细节,变量的使用,以及一些细节的面试题
package cn.hncu; public class LableDemo { public static void main(String[] args) { //demo1(); demo2( ...
- Linux下搭建Oracle11g RAC(8)----创建ASM磁盘组
以grid用户创建ASM磁盘组,创建的ASM磁盘组为下一步创建数据库提供存储. ① grid用户登录图形界面,执行asmca命令来创建磁盘组: ② 进入ASMCA配置界面后,单击Create,创建新的 ...
- Java基础知识强化之集合框架笔记56:Map集合之HashMap集合(HashMap<String,Student>)的案例
1. HashMap集合(HashMap<String,Student>)的案例 HashMap是最常用的Map集合,它的键值对在存储时要根据键的哈希码来确定值放在哪里. HashMap的 ...
- asp gridview批量删除和全选
本人新手刚学asp.net 全选和删除也是引用了他人的代码试了一试可以实现,感觉很好,就发了上来. 前台代码 <asp:GridView ID="GridView1" r ...
- css:nth-of-type()选择器用法
今天做一个页面,无意中看到这个nth-of-type感觉挺方便的,之前单双行有的有横线,有的无横线一般在html中单独再写border-right:none等之类的.现在发现这个好东西赶紧记录下来. ...
- 【STL】string 常用函数
string类的构造函数: string(const char *s); //用c字符串s初始化 string(int n,char c); //用n个字符c初始化 此外,string类还支持默认构造 ...
- 动态库DLL加载方式-静态加载和动态加载
静态加载: 如果你有a.dll和a.lib,两个文件都有的话可以用静态加载的方式: message函数的声明你应该知道吧,把它的声明和下面的语句写到一个头文件中 #pragma comment(lib ...
- 使用DataList 分页方法
什么是DataList我想应该不需要解释了,接下来分享本人在项目里使用到的通过DataList进行分页展示方法. 首先在ASPX页面添加一个DataList(后面都简称DL)控件,示例代码如下: &l ...
- spring配置文件中属性mappingLocations、mappingDirectoryLocations
http://blog.csdn.net/vacblog/article/details/7774173
- XMPPFramework ios 例子中链接服务器失败,opnefire 服务器链接失败
首先说下上周又做了几天得无用功, 之前一直用的是ejabberd ,这次换了opnefire,有人说opnefire跟新的xmpp协议不兼容,后来又更换成了ejabberd, Github 上得dem ...