@pseudokool
Last active October 9, 2017 11:23
An attempt at demystifying the process of setting up sftp access to an EC2 instance on AWS, provisioning restricted access to folders (specifically webroots). This should also work on RHEL or most other UNIX flavours, with little changes. There's no claim to perfection however. All execution must be carefully done. Messing around with sshd_confi…

The Not So Ultimate Guide To SFTP with AWS EC2

(RHEL, but easily adaptable on other *nix servers)

Desired folder structure

Domain #1

fbk.com

/var/www/vhosts/fbk.com/

/var/www/vhosts/fbk.com/httpdocs (webroot)

/var/www/vhosts/fbk.com/logs (weblogs - access and error)

Domain #2

twtr.com

/var/www/vhosts/twtr.com/

/var/www/vhosts/twtr.com/httpdocs (webroot)

/var/www/vhosts/twtr.com/logs (weblogs - access and error)

Per site virtual host conf (make for each domain)

Place in /etc/httpd/sites-enabled/fbk.com.conf

<VirtualHost *:80>
    ServerName fbk.com
    DocumentRoot /var/www/vhosts/fbk.com/httpdocs/

    <Directory /var/www/vhosts/fbk.com/httpdocs/>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
        # Note: the trailing "/" entry grants PHP access to the whole filesystem,
        # which cancels the restriction; drop it if open_basedir is meant to
        # confine PHP to the webroot and /tmp.
        php_admin_value open_basedir  "/var/www/vhosts/fbk.com/httpdocs/:/tmp/:/"
    </Directory>

    ErrorLog /var/www/vhosts/fbk.com/logs/fbk.com-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/www/vhosts/fbk.com/logs/fbk.com-access.log combined
</VirtualHost>

Place in /etc/httpd/sites-enabled/twtr.com.conf

-- same as above, with twtr.com substituted for fbk.com throughout --

Symlink in conf.d (the links are created relative to /etc/httpd/conf.d)

cd /etc/httpd/conf.d
ln -s /etc/httpd/sites-enabled/fbk.com.conf fbk.com.conf
ln -s /etc/httpd/sites-enabled/twtr.com.conf twtr.com.conf

Output of ls

lrwxrwxrwx 1 root root   42 May  6 13:38 fbk.com.conf -> /etc/httpd/sites-enabled/fbk.com.conf

lrwxrwxrwx 1 root root   42 May  6 13:38 twtr.com.conf -> /etc/httpd/sites-enabled/twtr.com.conf

Create user and home directory (also disables ssh console access)

adduser --shell=/bin/false -d /var/www/vhosts/fbk.com/ fbk_user

adduser --shell=/bin/false -d /var/www/vhosts/twtr.com/ twtr_user

Folder permissions (crucial for chroot to work)

chmod -R 755 /var/www/vhosts/
chown -R root:root /var/www/vhosts/

Folder permissions for each domain

chmod -R 775 /var/www/vhosts/fbk.com/httpdocs/
chown -R fbk_user:fbk_user /var/www/vhosts/fbk.com/httpdocs/

chmod -R 775 /var/www/vhosts/twtr.com/httpdocs/
chown -R twtr_user:twtr_user /var/www/vhosts/twtr.com/httpdocs/

SSH Key Generation (shown for fbk.com / fbk_user; the home directory is the chroot, so it stays root-owned while .ssh inside it belongs to the user)

mkdir /var/www/vhosts/fbk.com/.ssh
cd /var/www/vhosts/fbk.com/.ssh

# Generates the key pair: fbk_user (private) and fbk_user.pub (public)
ssh-keygen -t rsa -f fbk_user

touch /var/www/vhosts/fbk.com/.ssh/authorized_keys

cat fbk_user.pub > authorized_keys

# Generates any missing host keys for sshd
ssh-keygen -A

chmod go-w /var/www/vhosts/fbk.com/
chown -R fbk_user:fbk_user /var/www/vhosts/fbk.com/.ssh/
chmod 700 /var/www/vhosts/fbk.com/.ssh/
chmod 600 /var/www/vhosts/fbk.com/.ssh/authorized_keys

# Copy the private key (fbk_user) to the client, then delete it from the server

Save the private key on the client as aws-keypair.pem (it looks like this)

-----BEGIN RSA PRIVATE KEY-----
XVIIEpg………..FTTg5gghjYUUP
-----END RSA PRIVATE KEY-----

Repeat for twtr.com

Configure SSHD

sudo nano /etc/ssh/sshd_config

Uncomment

Subsystem sftp internal-sftp

Comment

Subsystem sftp /usr/lib/openssh/sftp-server

Add (one Match block per user)

Match User fbk_user
    ChrootDirectory /var/www/vhosts/fbk.com/
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no

Note: a chroot misconfiguration can lock you out of your server. Check the ownership chain (below) before restarting sshd, and keep an existing session open until a new connection has been verified.

sudo service sshd restart

Note on ChrootDirectory (from sshd_config(5)): "Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory."

Connecting

Use FileZilla or PuTTY: import aws-keypair.pem, then connect using

Host      Username   Protocol
fbk.com   fbk_user   SFTP
twtr.com  twtr_user  SFTP

