Greg

Creating an SFTP Unix Group with chroot Jailing

(resource: http://www.minstrel.org.uk/papers/sftp/builtin/)

tl;dr version (assuming you’re using OpenSSH):

  • useradd username
  • groupadd sftponly
  • usermod -a -G sftponly username
  • usermod -s /sbin/nologin username
  • usermod -d /path/to/jailed/dir username

modify /etc/ssh/sshd_config as follows:

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no

  • service sshd restart

All done. Now all users that are part of sftponly will be jailed to their home directory.


Now for the longer version:

The objective of jailing a user is to keep him from changing directories into a folder he doesn’t need access to. A typical case is giving SFTP access to someone using Dreamweaver so they can edit a website’s files on your server without getting access to your system files.

So what’s the concept behind what we’re doing? Well, we want to grant SFTP access, and ONLY SFTP access, while simultaneously disabling any shell login attempts through SSH itself. To older admins this was a nightmare, since you had to copy everything the user needed into his own accessible directories. Be glad this isn’t the case anymore!

So first things first: create a user, specify his shell, and his home directory (which he will be jailed into):

useradd -s /sbin/nologin -d /path/to/home/dir username

Good. Now, assuming you haven’t made a group for SFTP users, let’s do that:

groupadd sftponly

Fantastic, not so hard. What comes next is adding the user we made into this group. Just in case he’s part of other groups, we’ll use the append flag:

usermod -a -G sftponly username

Alright, so we have our user set up. Next is making modifications to the SSH daemon config file. Don’t be afraid, it won’t affect anything until you restart the service. Change into the directory and open the file in vim (or nano or vi or whatever text editor you prefer):

cd /etc/ssh/
vim sshd_config

Now you should see, in pretty colors, something like this:

# override default of no subsystems
Subsystem      sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

If you don’t, I suggest you don’t continue, as your config file and/or paths are customized or were installed in different locations and you may need some extra help.

If you do, great, that just means it’s a copy-paste job for you. Turn that text from above into this (hit INSERT first, otherwise you’ll miss a few characters from the beginning of the text):

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no

Done? Great! So what did we change?

  1. We changed the subsystem for the SFTP protocol. This just means any SFTP clients will now be served by “internal-sftp” (built into sshd) rather than the external sftp-server binary shipped with OpenSSH.
  2. We established a Match rule, which will check each user logging in to see if they belong to the group “sftponly” before jailing them (ChrootDirectory) and forcing them to use only “internal-sftp” as their method of interaction. We also disable TCP port forwarding and X11 forwarding so they can’t use the connection to reach anything beyond SFTP and tinker with our valuables. Note that this match text should be placed at the BOTTOM of the file if it isn’t there already after the paste, since everything after a Match line belongs to that block.

The last thing left to do is restart the SSH daemon (which takes about 3 seconds for those concerned about down time) so that the changes to the config file take effect. Assuming you don’t have a strange configuration on your server (like one of the servers here in our office did…) it should have restarted just fine and any users that you created that are attached to the sftponly group should be jailed to their home directories when accessing via SFTP and politely denied access to their shell via SSH.

… You’re welcome. >_>