@jmenbo
Last active March 16, 2016 03:46
Setup chrooted sftp access on Linux systems

Background

This setup allows users to upload files to a specific pre-assigned directory on a Linux server. It has a few use cases, but the context of these instructions is a web server where each account uploads files to a different web site on the server. Access is given to the root of the web site structure, from where the user has full access to all folders and files below but is unable to navigate up.

Prerequisites

Make sure you are running an OpenSSH version greater than 4.8. CentOS/RHEL 6.x and up come with version 5.3p1.

Setup account and SSH

Create User Accounts

This creates a new user account with the default home directory /path/towebfolder/newwebdirectory

$sudo useradd userA  -c "User's Description" -d /path/towebfolder/newwebdirectory/

Set the user's passwd

$sudo passwd userA

Restrict user access

This is an optional step; enable it only if you want to restrict who can SSH into the box. If you enable this, you also need to add the following line to the /etc/ssh/sshd_config file

AllowGroups sshgroupname

where sshgroupname is a group we created previously. Add the user to the sshgroupname group.

Remove terminal login access

Keep in mind that we are just creating an area where the user can upload web files; access to log in to the server is not necessary.

Edit /etc/passwd file, find the line with the username and change the following

/bin/bash

to

/sbin/nologin

Tell ssh where to jail the user

Add the block below to the /etc/ssh/sshd_config file

Make sure to use User for the Match parameter. Do not use Group. It does NOT jail the user/group

# UserA comments
Match User userA
ChrootDirectory /path/towebfolder/newwebdirectory
# Do not include htdocs in this path. It will lead to permissions errors.
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Reload sshd so that the above changes take effect

$sudo service sshd reload

Web Folder Permissions

Create the htdocs web folder and set proper permissions

The top level home directory MUST be owned by root and must have 755 permissions

$cd /path/towebfolder/
$sudo chmod 755 newwebdirectory
$sudo chown root:root newwebdirectory/
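sshd enforces the ownership rule above on every component of the ChrootDirectory path, not just the last one: each directory from / down to newwebdirectory must be root-owned and writable by neither group nor others, otherwise the SFTP login fails. The following preflight check is an added example (not part of the original gist) that walks the path chain and reports the first offending component; it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example: preflight check for the ChrootDirectory ownership rule.
# sshd refuses the chroot unless EVERY component of the path is owned by
# root and has no group-write or other-write bit, so one misowned parent
# (or a world-writable /tmp in the chain) breaks the SFTP login.
# Assumes GNU coreutils stat (stat -c).

# component_ok UID MODE: returns 0 when UID is root and the octal MODE has
# neither the group-write nor the other-write bit set.
# e.g. 755, 750 and 711 pass; 775, 777 and 1777 fail.
component_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    [ $(( (mode / 10) % 10 & 2 )) -eq 0 ] || return 1   # group write bit
    [ $(( mode % 10 & 2 )) -eq 0 ] || return 1          # other write bit
}

# check_chroot_chain DIR: walks DIR and each parent up to /, printing the
# first component that breaks the rule. Returns 0 if the whole chain is ok.
check_chroot_chain() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 1; }
    while :; do
        # uid and permission bits of the current component, e.g. "0 755"
        set -- $(stat -c '%u %a' "$dir")
        if ! component_ok "$1" "$2"; then
            echo "bad component: $dir (uid=$1 mode=$2)"
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage (hypothetical path from the instructions above):
# check_chroot_chain /path/towebfolder/newwebdirectory && echo "chain ok"
```

Run it after the chown/chmod step; a "bad component" line names the directory to fix before reloading sshd.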

Create htdocs folder and set proper permissions

The htdocs folder MUST be owned by the user and group the user belongs to

$cd newwebdirectory/
$sudo mkdir htdocs
$sudo chown userA:userA htdocs

NOTE:

At this point the user can upload files, but there is no web site set up pointing to this new directory yet

Add Apache Virtual Host

Add an Apache vhost section to /etc/httpd/conf.d/virtualhosts.conf, where virtualhosts.conf is the file you use to define vhosts. I'm listing only the relevant line; you should know what else goes into the VirtualHost section

<VirtualHost *:80>
    ...
    DocumentRoot /home/httpd/newwebdirectory/htdocs
    ...
</VirtualHost>

Restart Apache

$sudo service httpd restart

OPTIONAL:

Copy web files to htdocs if you are migrating data from an old website

Reset permissions on the migrated files

$sudo chown -R userA:userA *

Known Client Issues

Some versions of the Windows WinSCP client try to use SCP by default instead of SFTP, so you have to explicitly configure WinSCP to use SFTP.

scp from the command line on Linux or OS X won't work. To use scp, the account needs a login shell; since the account we are creating does not have one, scp fails. This is the same reason WinSCP does not work when it is set to use SCP.

Recommended Free Clients

OS Agnostic: FileZilla

Windows: WinSCP
