
27 Nov 13 - Setting up Chroot for SSH and for SFTP

There are many ways to create a chroot for SSH; here are two good links on the subject:
//www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
//www.howtoforge.com/chrooted_ssh_howto_debian

Note: here is some more information on the subject. The following article is based on an extract from this site:
//www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze

Enabling chrooted SSH

Enabling chrooted SSH is a bit complicated because we must set up a chroot environment with all programs/tools (e.g. /bin/bash, /bin/cp, etc.) that the users should be able to use. This means we must also copy all libraries that these programs need to the chroot jail. You can do this manually with the cp command, and you can find out what libraries a tool needs by using the ldd command, e.g.
ldd /bin/bash
We also have to create some devices such as /dev/null, /dev/zero, /dev/tty, and /dev/urandom inside the chroot jail with the mknod command.
However, this can be a tedious task. Fortunately, there is a script that can do it for us, found at:
//www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
First, we need to install some prerequisites:
apt-get install sudo debianutils coreutils
Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root user only:
cd /usr/local/sbin
wget //www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 /usr/local/sbin/make_chroot_jail.sh
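The manual procedure described above (copying a program and the libraries ldd reports into the jail, then creating the device nodes with mknod), as an added shell example; this is not code from the original post nor from the make_chroot_jail.sh script. The function names and the jail path are assumptions; the device major/minor numbers are the standard Linux ones.

```shell
#!/bin/sh
# Added example, not code from the original post or from make_chroot_jail.sh.
# jail_copy_binary copies one program and every shared library that ldd
# reports into a jail directory, preserving paths; jail_make_devices creates
# the device nodes the post lists. Function names and the jail path are
# assumptions; the major/minor numbers are the standard Linux ones.

# jail_copy_binary JAIL PROGRAM
jail_copy_binary() {
    jail="$1"; prog="$2"
    [ -x "$prog" ] || { echo "not an executable: $prog" >&2; return 1; }
    mkdir -p "$jail$(dirname "$prog")"
    cp -p "$prog" "$jail$prog"
    # ldd prints "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" for
    # libraries and "/lib64/ld-linux-x86-64.so.2 (0x...)" for the loader;
    # the awk program extracts the path from both forms.
    ldd "$prog" 2>/dev/null |
    awk '/=>/ { print $3 } /^[[:space:]]*\// { print $1 }' |
    while read -r lib; do
        [ -f "$lib" ] || continue        # skips "not found" and the vdso
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# jail_make_devices JAIL  (needs root: mknod creates device nodes)
jail_make_devices() {
    jail="$1"
    mkdir -p "$jail/dev"
    [ -e "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
    [ -e "$jail/dev/zero" ]    || mknod -m 666 "$jail/dev/zero"    c 1 5
    [ -e "$jail/dev/tty" ]     || mknod -m 666 "$jail/dev/tty"     c 5 0
    [ -e "$jail/dev/urandom" ] || mknod -m 444 "$jail/dev/urandom" c 1 9
}

# Usage: sh make_jail.sh /path/to/jail /bin/bash /bin/cp ...
if [ $# -ge 2 ]; then
    jail_dir="$1"; shift
    for p in "$@"; do
        jail_copy_binary "$jail_dir" "$p"
    done
    jail_make_devices "$jail_dir"
fi
```

Run it as root with the jail directory first and the programs after it; each program lands at the same path inside the jail as outside, which is what the dynamic loader expects.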

Enabling chrooted SFTP only and disabling SSH

Method 1

Method 1 is unrelated to the chroot setup above: it only restricts a user to SFTP and disallows SSH shell usage for that user; it does not confine the user to a directory.
All you have to do is change the user's login shell to /usr/lib/openssh/sftp-server:
usermod -s /usr/lib/openssh/sftp-server falko
/usr/lib/openssh/sftp-server must be listed in /etc/shells as a valid login shell,
so if it isn't already listed, add it to /etc/shells as follows:
echo '/usr/lib/openssh/sftp-server' >> /etc/shells
The command above needs to be run only once, not for every user you want to restrict to SFTP.
Afterwards, the user can log in with an SFTP client such as FileZilla or WinSCP, or Cyberduck on a Mac.
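Method 1 as an added shell example that makes the /etc/shells step safe to repeat (the post's echo appends a duplicate line each time it is run). This is not code from the original post; the function names are assumptions, the sftp-server path is the one the post uses, and the shells file is a parameter so the helper can be exercised against a copy.

```shell
#!/bin/sh
# Added example, not from the original post: Method 1 as an idempotent helper.
# SFTP_SHELL is the path the post uses; the function names are assumptions and
# the shells file is a parameter so it can be pointed at a copy for testing.

SFTP_SHELL=/usr/lib/openssh/sftp-server

# shell_is_listed FILE SHELL: true if SHELL appears as a whole line in FILE.
shell_is_listed() {
    [ -r "$1" ] && grep -qxF -- "$2" "$1"
}

# ensure_shell_listed FILE SHELL: append SHELL only when it is missing, so the
# step can be repeated for every user without duplicating the entry.
ensure_shell_listed() {
    if shell_is_listed "$1" "$2"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# count_shell_entries FILE SHELL: how many lines of FILE equal SHELL.
count_shell_entries() {
    grep -cxF -- "$2" "$1" || true
}

# user_shell USER: login shell from the passwd database.
user_shell() {
    getent passwd "$1" | cut -d: -f7
}

# user_is_sftp_only USER: true once the login shell is the sftp server.
user_is_sftp_only() {
    [ "$(user_shell "$1")" = "$SFTP_SHELL" ]
}

# restrict_user_to_sftp USER (needs root): the two steps of Method 1.
restrict_user_to_sftp() {
    ensure_shell_listed /etc/shells "$SFTP_SHELL"
    usermod -s "$SFTP_SHELL" "$1"
}

# Usage: sh sftp_only.sh falko
if [ $# -ge 1 ]; then
    restrict_user_to_sftp "$1" && user_is_sftp_only "$1" && echo "$1 is now SFTP-only"
fi
```

user_is_sftp_only reads the shell back from the passwd database, so the script confirms the change actually took effect rather than trusting usermod's exit status alone.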

Method 2

Create a user for SFTP without any shell:
adduser sftp
usermod -s /bin/false sftp

For the chroot to work, the user's home directory must be owned by root and writable only by root (sshd applies the same check to every directory on the path to it):
chown root:root /home/sftp
chmod 755 /home/sftp

The user should not be allowed to write in its chrooted home directory. So we create an upload sub-directory which belongs to the user.
mkdir /home/sftp/upload
chown sftp:sftp /home/sftp/upload

Adapting sshd Configuration
In /etc/ssh/sshd_config, switch the SFTP subsystem to the built-in server (it needs no binaries inside the chroot):
Subsystem sftp internal-sftp
Disable the original subsystem line by commenting it out with '#':
#Subsystem sftp /usr/lib/openssh/sftp-server
Then add the following lines at the end of the file (everything after a Match line belongs to that Match block, so it must come last):
Match User sftp
ChrootDirectory /home/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

Restart the SSH daemon (on Debian the init script is named /etc/init.d/ssh):
/etc/init.d/sshd restart
Debugging: watch the authentication log while connecting; a chroot directory with wrong ownership or permissions shows up here as "bad ownership or modes for chroot directory":
tail -f /var/log/auth.log

Reader's Comments

1. Move up from WinSCP, Auto FTP Manager is one of the best SFTP client programs. The clean interface is super easy to use. It will perform your file transfers quickly and efficiently. It also supports FXP for superfast server-to-server transfers. It is perfect for backups or synchronizing servers.
   //www.deskshare.com/ftp-client.aspx
