Restrict SFTP to Home Folder

I had created a chrooted sftp account on centos 6 , but faced an issue that the user’s were not able put/delete as the sftp requires root:root ownership of chrooted directory. I fixed it by changing the chrooted direcotry to one step above of user’s home and set user’s home set to /. Below are the exact steps.

Prerequisites:  openssh version  >5.2

Notes :

  • chroot home directory is: /mnt/home
  • User home directory is ‘junedm’ relative to chroot home, i.e. /mnt/home
  • The chrooting is done based on Group
  • The chrooting group is sftponly , and all user’s should have that as group ( secondary group will also work)

Steps :

A] Add user , create chroot directory structure and fix permissions

  1. Create the chroot directory and make sure the permissions of each directory from / till chroot is 755 and owned by root:root
  • [root@ggvaapp07 ~]# mkdir -p /mnt/home
  • [root@tiber~]# ls -ld /mnt ; ls -ld /mnt/home
    drwxr-xr-x. 3 root root 4096 Jun 23 03:31 /mnt
    drwxr-xr-x 2 root root 4096 Jun 23 03:31 /mnt/home
  1. Add sftponly group.
  • [root@tiber ~]# groupadd sftponly
  1. Add user , with secondary group as sftponly
  • [root@tiber /]# useradd junedm -G sftponly
  • [root@tiber /]# id junedm
  • uid=503(junedm) gid=505(junedm) groups=505(junedm),504(sftponly)
  1. Change user’s home directory to /username ( this is very important otherwise you will not have put/delete permissions if you set that as /mnt/home/username) also set its shell to nologin so that he cannot ssh, only sftp
  • [root@tiber /]# usermod -d /junedm -s /sbin/nologin junedm
  • [root@tiber /]# cat /etc/passwd | grep juned
  • junedm:x:503:505::/junedm:/sbin/nologin
  1. Add users chrooted home directory and set the ownership is user:chrootgroup , also change permission to be 775
  • [root@tiber home]# chmod 775 /mnt/home/junedm ; chown junedm:sftponly /mnt/home/junedm -R
  • [root@tiber home]# ls -ld /mnt/home/junedm
  • drwxrwxr-x 2 junedm sftponly 4096 Jun 23 03:44 /mnt/home/junedm
  1. Create/change password for user
  • [root@ggvaapp07 /]# passwd junedm
  • Changing password for user junedm.
  • New password:
  • Retype new password:
  • passwd: all authentication tokens updated successfully.

B] Create sshd configuration for sftp setup. 

  1. Backup existing sshd_configuration

[root@tiber /]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

  1. comment out the Subsystem line in the configuration line

[root@tiber /]# grep Subsystem /etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

  1. Add following block at the bottom of sshd_configuration file

###Added By Juned for chrooted sftp setup ##############

Subsystem sftp internal-sftp

Match Group sftponly

    ChrootDirectory        /mnt/home

    ForceCommand           internal-sftp -l VERBOSE

    GSSAPIAuthentication   no

    PasswordAuthentication yes

    PubkeyAuthentication   yes

     AllowAgentForwarding no

     AllowTcpForwarding no

     X11Forwarding no

#END

########################################################

  1. Restart sshd

[root@tiber /]# /etc/init.d/sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

[root@tiber /]#

  1. check log’s ( in case if you want to find whats happening )

[root@tiber /]# tail -f /var/log/secure

  1. Now connect from different machine using sftp and do get/put/delete operations,

[prod@james tmp]$ sftp junedm@tiber

Connecting to tiber…

junedm@tiber’s password:

sftp> put test.txt

Uploading test.txt to /junedm/test.txt

test.txt                                                                                                                             100%    0     0.0KB/s   00:00

sftp> ls -l

-rw-r–r–    1 503      505             0 Jun 23 10:57 test.txt

sftp> rm test.txt

Removing /junedm/test.txt

sftp> cd /

sftp> ls -l

drwxrwxr-x    2 503      504          4096 Jun 23 10:57 junedm

  1. Confirm ssh is not working

[prod@ggvaapp03 tmp]$ ssh junedm@tiber

junedm@tiber’s password:

This service allows sftp connections only.

Connection to tiber closed.