Finally RedHat has stepped into the 21st century with the introduction of OpenSSH 5.3 in RHEL 6 / CentOS 6. Now we can finally build a working SFTP chroot jail within RedHat without having to build custom rpms or compile SSHd from source. This article will guide you through setting up SSHd and a couple of users into a completely jailed STFP environment.
First let’s discussed what we are trying to achieve. We are going to setup two users for web content uploads that will be locked into their respective /var/www/vhosts/%u directory structures. There are basically four steps to getting this setup.
- design the layout you want to use for the users
- setup the user and group accounts
- make changes to the sshd configuration
- do permissions cleanup and testing
Layout design
For this example we are setting up two users for website content updates. Each user will have a directory structure that will be tied to a domain. They can edit the files within that structure but can not see or edit anything outside that structure.
We will be setting up the two users – bob and ted, each will have a directory off /var/www/vhosts/ to managed their respective sites. We will create a group call ‘sftponly’ which will include both these users. These accounts will only have sftp access and will not have a working shell (ie standard SSH access).
Setup directory structure for users by adding the following directories as the user root.
/var/www/vhosts/bob/site1/
/var/www/vhosts/ted/site1/
Note how each user has a directory to match their user name, then a content directory (in this case named site1).
User and Group setup
First you will want to establish the sftponly group
# groupadd sftponly
Then create the users with the correct home directories and group
# useradd -d /var/www/vhosts/bob -s /bin/false -G sftponly bob
# useradd -d /var/www/vhosts/ted -s /bin/false -G sftponly ted
Don’t forget at this point to also add password to these new accounts.
SSHd configuration changes
Now we need to make changes in /etc/ssh/sshd_config to enable SFTP chroot jails in SSH.
Comment out the following line in /etc/ssh/sshd_config:
# Subsystem sftp /usr/lib/openssh/sftp-server
and replace it with this line:
Subsystem sftp internal-sftp
Then add the following set of lines to the very bottom of the file:
Match Group sftponly
ChrootDirectory /var/www/vhosts/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp
This creates a special login group that then chroot jailed all users in that group into their own home directory.
Once these file changes are saved you will need to restart SSHd for the changes to take effect, using the following command:
# service sshd restart
Permissions cleanup and testing
Last issue to address is the permissions settings, for this example the directories /var/www/vhosts/bob and /var/www/vhosts/ted should both be owned by root. The directory /var/www/vhosts/ted/site1 should be owned by ted and the directory /var/www/vhosts/bob/site1 should be owned by bob.
You can then test by trying to SFTP login and see what can be done:
If done correctly you can not upload to any directory other than /site1
$ sftp [email protected]
[email protected]′s password:
Connected to 1.2.3.4.
sftp> pwd
Remote working directory: /
sftp> cd site1
sftp> put index.html
Uploading index.html to /site1/index.html
index.html 100% 0 0.0KB/s 00:00
sftp> ls
index.html
sftp> exit
Gotcha to watch for here is selinux. If all your permission are correct and you can still not write to the site1 folder then check selinux. I have to use ‘setenforce = 0′ to get this demo working.
You should now have two users that are completely jailed off from each other with limited abilities to do any damage to your server.
Enjoy
- Nomad