How do I restrict SFTP users to their home directory?

I often have to share resources with clients, but allowing them to "play" with the entire file system of the web app might end in disaster.

That’s why I decided to write this little guide on how to restrict SFTP users to their home directory and share folders.

RESTRICT SFTP ACCESS TO HOME DIRECTORY

First, we need to modify the sshd_config file, which holds the configuration of the SSH daemon.

sudo nano /etc/ssh/sshd_config

Make sure the following line is present and uncommented; otherwise add it yourself.

Subsystem sftp internal-sftp  -f AUTH -l VERBOSE


On DigitalOcean I had the following line, which I replaced.

Subsystem sftp /usr/lib/openssh/sftp-server

At the end of the file, add the following block. Make sure that the /home/myuser folder is owned by root.

This configuration blocks the user from getting a shell over SSH and restricts her to the home directory /home/myuser.

Match User myuser
       ChrootDirectory /home/myuser
       ForceCommand internal-sftp
       AllowTcpForwarding no
       X11Forwarding no


Now we just need to restart the ssh service

sudo service ssh restart

Normally we would use the ln -s command to create a symlink, but when using chroot to restrict access to the home directory that won't work: the link target is resolved inside the jail, so a symlink pointing outside /home/myuser leads nowhere.

Luckily the mount command comes to our help: using the bind option we are able to make the resource (/var/www/myfolder/var/import) appear inside the user's home directory as the folder import.

cd /home/myuser
mount -o bind /var/www/myfolder/var/import import


Please note that a bind mount does not survive a reboot: if you reboot the server, you will have to re-run this command.

I hope this article will help all of you that are trying to achieve the same with your lovely clients.

Move to the user1 directory; now you have access to create files or folders. If you try to access any other directory, an error occurs.

sftp>  cd user1
sftp>  cd /root
Couldn't canonicalise: No such file or directory

2. Restricting SFTP Users to a Specific Directory

In the ssh configuration file, change the "ChrootDirectory" to any other directory that you want to restrict the user to. Here, we are restricting to /project/files.

Create the directory, as we mentioned in the ssh configuration file.

Now restart sshd service to bring the changes into effect.

[[email protected] ~]# systemctl restart sshd
OR
[[email protected] ~]# service sshd restart

Q

How to restrict multiple users to their own home directories

A

Change /home to whichever directory you need the user to be restricted to. E.g.: ChrootDirectory /home/

Q

rsync error: protocol incompatibility (code 2) at /SourceCache/rsync/rsync-42/rsync/compat.c(61) [receiver=2.6.9] Any ideas? Thanks

A

I think it's due to different versions of rsync installed on the servers; make sure you have the same version of rsync, or maybe different flavors of Linux distros are used here, you need to check.

Q

Thanks for the article. I'm learning about SFTP now and was curious and wanted to know how to CHROOT its users on CentOS 7.

A

You're better off creating an SFTP root at /home/sftproot and then putting your SFTP users' home directories under /home/sftproot/home. Then when that user logs in they'll automatically get put

Q

Is there any sftp command to use encryption?

A

follow this link : https://www.linuxhelp.com/sftp-command-transfer-encrypted-files/

Q

I meant I can not reach my odoo server locally anymore?

A

If you remove the 127.0.0.1 part and restart the server you will be able to run it locally on port 8069.

In this article I will share a step by step guide on how to configure an sftp server in Linux with examples, covering the below topics in detail:

  • Install sftp on Linux
  • Configure sftp chroot
  • Create sftp user/Create sftp group
  • sftp restrict user to specific directory
  • sftp chroot multiple directories

sftp is a file transfer program, similar to ftp, which performs all operations over an encrypted ssh transport. It may also use many features of ssh, such as public key authentication and compression.


Lab Environment

I have created two Virtual Machines with CentOS 8 on Oracle VirtualBox on a Linux server. I will use these two Virtual Machines to configure and verify sftp restrict user to specific directory and sftp chroot multiple directories with examples. Most of the steps from this article should also work on other Linux distributions such as SuSE, Ubuntu etc.; if you face any issues, do let me know using the comment section of this page.

We will configure the sftp chroot jail on server2 and use server1 to connect to server2 as the sftp user deepak.

                 server1                                server2
Hostname         server1.example.com                    server2.example.com
IP Address       10.10.10.14                            10.10.10.13
Setup SFTP       as client (initiates the sftp          as server (sftp server)
                 connection)
OS               CentOS 8                               CentOS 8

 

Step 1: Install sftp on Linux

On most Linux distributions sftp is installed by default. On RHEL/CentOS 7 and 8 Linux you can use yum or dnf to install it; the sftp client is provided as part of the openssh-clients rpm.

HINT:

Depending on the distribution, sftp may be part of a different rpm, so check your distribution's package list before installing sftp.

[root@server1 ~]# which sftp
/usr/bin/sftp

 

Step 2: Create SFTP User

I will create the sftp user (deepak) on server2 to demonstrate sftp restrict user to specific directory in Linux.

To create sftp user "deepak", use the command below. Here we use -m to also create the user's home directory.

[root@server2 ~]# useradd -m deepak

Check user details:

[root@server2 ~]# id deepak
uid=1003(deepak) gid=1003(deepak) groups=1003(deepak)

The user's home directory is owned by deepak with 700 permission so that no other user (other than root) can access this directory.

[root@server2 ~]# ls -ld /home/deepak/
drwx------ 2 deepak deepak 4096 Mar 30 18:48 /home/deepak/

Assign a password to sftp user deepak:

[root@server2 ~]# passwd deepak
Changing password for user deepak.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Change the shell of the sftp user to /bin/false instead of /bin/bash. Without a valid shell the sftp user will not be allowed to log in interactively.

[root@server2 ~]# usermod --shell /bin/false deepak

Verify the deepak user's properties:

[root@server2 ~]# grep deepak /etc/passwd
deepak:x:1003:1003::/home/deepak:/bin/false

HINT:

We could also have passed the shell to useradd with its -s option to create the sftp user without a valid shell in a single command.

 

Step 3: Create SFTP Group (Optional)

In this article, to demonstrate sftp restrict user to specific directory, I will use an sftp user instead of an sftp group. But if you have a requirement to implement a group level sftp chroot jail, then you can also create an sftp group using the steps below:

[root@server2 ~]# groupadd sftpusers   <-- Here group name is "sftpusers"

Add your user to this sftpusers group:

[root@server2 ~]# usermod --gid sftpusers deepak  <-- Adding user "deepak" to group "sftpusers"

Now you can use this group "sftpusers" for sftp restrict user to specific directory.

 

Step 4: Configure SFTP chroot jail

To configure the SFTP chroot jail we will modify /etc/ssh/sshd_config

[root@server2 ~]# vim /etc/ssh/sshd_config

#Comment sftp-server SubSystem and use internal-sftp
#Subsystem       sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

#Add this section to match for user "deepak"
Match user deepak
        ChrootDirectory /opt/sftp-jails/deepak    <-- Our sftp chroot jail directory
        X11Forwarding no
        AllowTcpForwarding no
        PermitTunnel no
        AllowAgentForwarding no
        ForceCommand internal-sftp

HINT:

If you wish to configure the sftp chroot jail for a group, then replace "Match user deepak" with "Match group sftpusers". The remaining section can be used as provided. Also verify that in the same config file OpenSSH is configured to use the internal-sftp subsystem (the Subsystem line above).

 

Why we use internal-sftp instead of sftp-server for ChrootDirectory?

Collected from: OpenSSH: Difference between internal-sftp and sftp-server

  • Both sftp-server and internal-sftp are part of OpenSSH. sftp-server is a standalone binary.
  • internal-sftp is just a configuration keyword that tells sshd to use the SFTP server code built into sshd, instead of running another process (typically the sftp-server).
  • sftp-server is now redundant and is kept for backward compatibility.
  • The main advantage of internal-sftp is that it requires no support files when used with the ChrootDirectory directive.
  • Administrator may rely on a login shell configuration to prevent certain users from logging in.
  • Switching to the internal-sftp would bypass the restriction, as the login shell is no longer involved.
  • Using the sftp-server binary (being a standalone process) you can use some hacks, like running the SFTP under sudo.
  • For SSH-1 (if anyone is still using it), the Subsystem directive is not involved at all.
  • An SFTP client using SSH-1 tells the server explicitly what binary the server should run. So legacy SSH-1 SFTP clients have the sftp-server name hard-coded.

Next restart the sshd service to activate the sftp chroot jail configuration.

 

Step 5: SFTP restrict user to specific directory (with password authentication)

Step 5.1: Create sftp chroot jail directories

If you only wish to restrict the sftp user to their home directory, you can ignore these steps and use /home/deepak as the chroot jail. But to cover sftp restrict user to specific directory, we need a directory structure.

In this article we will implement the sftp chroot jail under /opt/sftp-jails/deepak on server2, the directory given as ChrootDirectory in /etc/ssh/sshd_config.

Step 5.2: Assign permissions on chroot jail directories

HINT:

The permissions you assign to the sftp chroot directory may vary based on your requirement. The below is just for your reference to do a POC (Proof of Concept) on sftp restrict user to specific directory. You will get a "bad ownership or modes for chroot directory" error in the sshd logs if the permissions on the sftp chroot jail directories are not configured properly.

Our sftp user deepak will log in to /opt/sftp-jails/deepak using sftp.

It is mandatory to have the user and group owner set to root:root with 755 permission for the chroot directory provided in /etc/ssh/sshd_config. If you set any other permission, then the chroot jail will fail.

From the man page https://man.openbsd.org/sshd_config

ChrootDirectory Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.

The user will have no write permission on /opt/sftp-jails/deepak itself. There is another directory under /opt/sftp-jails/deepak where the sftp user will perform write operations.

As you see, the jail directory is owned by root with 755 permission, which allows user deepak to log in and restricts the user to that specific directory.

We will change the user owner of the inner directory to deepak to allow him to write in this sftp chroot jail directory.

Also change its permission to 750 to restrict others from writing in this directory.

Verify the permissions, then review the tree structure of the directories we have created to configure sftp restrict user to specific directory.

 

Step 5.3: Verify SSH and SFTP connectivity and permissions

Since we have blocked ssh access for our sftp user deepak, from server1 we first try to SSH to server2 as the deepak user to make sure this configuration is working as expected.

As expected, the SSH login is refused and the server reports that this service allows sftp connections only.

 

Step 5.4: Assign SFTP umask (Optional but Important)

Most of us miss the umask configuration while setting up SFTP, and this can become a big issue later that is hard to debug. By default SFTP follows the umask of the server node for any PUT operation. So, for example, you are trying to upload a file with permission 644 from the source client while the SFTP server has umask 027. Once you perform the PUT operation to this SFTP server, the file permission will automatically become 640 due to umask 027.

So, umask will trim down any additional permission from the files uploaded to the SFTP server.

If you wish to provide a custom umask for SFTP PUT operations, then modify the ForceCommand line of the Match block so that internal-sftp is started with its -u option, which sets the umask for that session.

For example, to use an sftp umask of 022 we can add:

        ForceCommand internal-sftp -u 022

Restart the sshd service to activate the changes.

Now any uploaded file will have no more than 644 permission (umask only removes bits, so a 666 upload becomes 644).

HINT:

You have to understand one more thing: if the source file permission is 640, then setting umask to 022 will not add read permission for others. umask is used only to trim down additional permission. So you have to make sure that the permission of the files to be uploaded to the SFTP server is in line with your requirement.

How to fix packet_write_wait: Connection to X.X.X.X port 22: Broken pipe?

It is possible that, if your configuration has some issues, you will get a "packet_write_wait: Connection to X.X.X.X port 22: Broken pipe" error instead of the message that only sftp connections are allowed.

Now this error does not give much detail of the underlying problem, but it is seen mostly due to permission issues.

So in such a case we must check the sshd logs on the server node which you are trying to connect to, which for us is server2. We will use journalctl to analyse the "packet_write_wait" error.

Using journalctl I found the error "bad ownership or modes for chroot directory".

Now this error "bad ownership or modes for chroot directory" itself tells you that the permission on your chroot directory provided under /etc/ssh/sshd_config is incorrect.

From the man page of sshd_config for ChrootDirectory: all components of the pathname must be root-owned directories that are not writable by any other user or group.

So you can validate the permission you have provided for your chroot directory to fix "bad ownership or modes for chroot directory" and re-attempt the ssh.
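The ownership and mode rule that sshd enforces on every component of ChrootDirectory is easy to get wrong, and as the section above shows the client side only ever sees a broken pipe. The following Python script is an added example, not code from the article: it walks each path component (symlinks resolved first, as chroot sees the real path) and reports the problems sshd would log. The expected owner uid is a parameter only so the check can be exercised on a constructed temporary tree without root; sshd itself always requires uid 0. The directory names jail-ok and jail-group-writable and all function names are mine.

```python
import os
import stat
import tempfile


def chroot_path_problems(path, expected_uid=0):
    """Report why sshd would reject `path` as a ChrootDirectory.

    Every component from / down to `path` must be a directory owned by root
    and not writable by group or other. Returns a list of (component, problem)
    tuples; an empty list means the path passes. expected_uid defaults to 0,
    which is what sshd checks; it is a parameter only so the check can be run
    against a tree you own.
    """
    problems = []
    components = []
    current = os.path.realpath(path)
    while True:                      # collect /, /opt, /opt/sftp-jails, ...
        components.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    for component in reversed(components):
        try:
            st = os.lstat(component)
        except FileNotFoundError:
            problems.append((component, "missing"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((component, "not a directory"))
            break
        if st.st_uid != expected_uid:
            problems.append((component, "not owned by uid %d" % expected_uid))
        if st.st_mode & stat.S_IWGRP:
            problems.append((component, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            problems.append((component, "world-writable"))
    return problems


def problems_for_component(path, component, expected_uid=None):
    """Problems reported for one specific component of `path`.

    expected_uid=None means "the uid running this script", which is what the
    constructed demo tree below is owned by.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    return [why for where, why in chroot_path_problems(path, expected_uid)
            if where == component]


def build_demo_tree():
    """Constructed sample tree (not from the article): one correctly modded
    jail, one group-writable jail, and one path that does not exist."""
    base = tempfile.mkdtemp(prefix="sftp-jail-demo-")
    os.chmod(base, 0o755)
    good = os.path.join(base, "jail-ok")
    bad = os.path.join(base, "jail-group-writable")
    os.mkdir(good)
    os.chmod(good, 0o755)            # chmod after mkdir: mkdir honours umask
    os.mkdir(bad)
    os.chmod(bad, 0o775)
    return {"good": good, "bad": bad, "missing": os.path.join(good, "nope")}


if __name__ == "__main__":
    # On a real host run with the default expected_uid=0, for example
    # chroot_path_problems("/opt/sftp-jails/deepak"); the demo tree below is
    # owned by whoever runs the script, so we pass that uid instead.
    for name, path in build_demo_tree().items():
        print(name, path, chroot_path_problems(path, os.getuid()))
```

Run it on a real jail with the default expected_uid and every tuple it returns corresponds to something sshd will refuse; a world-writable /tmp component, for instance, is reported just as sshd would reject a jail placed under /tmp.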

 

Next attempt SFTP communication from server1 to server2 using the deepak user.

Step 6: Setup passwordless sftp authorized_keys

In the above example we configured sftp restrict user to specific directory where the user authenticates using a password. You may face issues when you try to use the sftp chroot jail in a script to automate some tasks, as every sftp connection will prompt for the user's password.

In this example we will set up passwordless sftp with authorized_keys between our servers to sftp restrict user to specific directory.

Step 6.1: Create sftp authorized_keys file

On server2 create the sftp authorized_keys file which will store the public key content from server1. Here I have created a hidden .ssh folder inside which I will create the authorized_keys file.

HINT:

You can use any path to create your sftp authorized_keys file, but make sure this file is accessible by your sftp user.

Create the hidden .ssh directory where we will store our sftp authorized_keys file.

The .ssh directory must be owned by the deepak user and must not be accessible by world.

Create the sftp authorized_keys file, then change the ownership and permission of this file and verify the permissions.

Step 6.2: Generate SSH key pair to setup passwordless sftp

We are creating the key pair as the root user on server1 without any passphrase, to sftp restrict user to specific directory without a password. The private/public key pair will be created under the home folder of the root user, inside .ssh.

Copy the content of your public key to server2 and place it in the sftp authorized_keys file which we created under Create sftp authorized_keys file. Below, as you see, I have appended my public key content to that authorized_keys file.

Step 6.3: Setup sftp chroot jail with authorized_keys

In your existing sftp chroot jail configuration in /etc/ssh/sshd_config, we will add one more line, AuthorizedKeysFile, with the location of the sftp authorized_keys file.

Restart the sshd service to activate the sftp authorized_keys changes.

Step 6.4: Verify SFTP connectivity and permissions

Perform an sftp connection from server1 to server2.

So our passwordless sftp authorized_keys configuration is successful and is working as expected.

 

Step 7: Setup SSH client for passwordless sftp

By default, when you do sftp, the tool looks under the home folder of the connecting user for a private key to perform passwordless sftp. In our case, since the private key exists inside root's home folder, the passwordless SFTP worked flawlessly.

But if you attempt to use any other user for the sftp passwordless connection then it would fail. Below I try to do sftp using a different, non-root user on server1.

As you see, the sftp communication prompts for a password and passwordless sftp with authorized_keys is not working.

To overcome this restriction for sftp restrict user to specific directory without password we have two solutions:

Solution 1: Perform passwordless sftp with private key

You must define the private key you want to use for performing sftp communication to perform passwordless sftp. For example:

I will copy the private key I generated to a path which is accessible by that user.

I created a temporary directory which will be accessible by all the users.

Copy the private key to this location and make it readable by all users of server1. Bear in mind that every local user who can read that key can then authenticate to server2 as deepak, so this is only acceptable for a throwaway proof of concept.

Next attempt to perform passwordless sftp to server2.

Solution 2: Create ssh config file for individual user

We can also create a local ssh config file for an individual user of the node to perform passwordless sftp to server2. To achieve this we will create a config file under the home folder of that user, inside the .ssh directory.

You can check the permissions and ownership I have assigned for all the files and directories under that user's home folder.

Below is the content of the ssh config file, which you can modify based on your requirement to perform passwordless sftp. I have copied the private key inside that user's home folder which we created earlier.

Next verify the passwordless sftp communication.

 

Step 8: SFTP chroot multiple directories

Similar to the /etc/ssh/sshd_config configuration from sftp restrict user to specific directory, we will add more Match blocks for any number of users or groups to implement sftp chroot jails for multiple directories in Linux.

For example, in /etc/ssh/sshd_config we add one Match block per user or group, each with its own ChrootDirectory, to do sftp chroot multiple directories for different users and groups.

All other steps from this article would be the same for sftp chroot multiple directories; you just have to take care of user and group permissions on the individual sftp chroot jail directories.
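Step 4 and Step 8 both come down to one Match block per user or group carrying the same set of hardening directives, which gets easy to get wrong once several blocks accumulate. The following Python script is an added example, not code from the article: a small sshd_config parser and audit that checks the Subsystem line and every Match block for the directives used above, flags an internal-sftp ForceCommand without the -u umask from Step 5.4, and computes the umask arithmetic from that step. It runs on a constructed sample config (the Group sftpusers block with its %u token and its deliberate gaps is mine) and handles only the subset of sshd_config syntax the article uses: keyword value lines, full-line comments and Match blocks.

```python
import re

# Directives the article puts in every sftp Match block. None means any value
# is acceptable; otherwise the value must start with the given string.
REQUIRED_IN_MATCH = {
    "chrootdirectory": None,
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
    "permittunnel": "no",
    "allowagentforwarding": "no",
}

# Constructed sample: the Step 4 block (with a -u umask) plus a sloppier
# group block that is missing several directives.
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp

Match User deepak
    ChrootDirectory /opt/sftp-jails/deepak
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
    ForceCommand internal-sftp -u 022

Match Group sftpusers
    ChrootDirectory /opt/sftp-jails/%u
    ForceCommand internal-sftp
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Split sshd_config into global directives and a list of Match blocks.

    Each block is a dict of lowercased keyword -> value; Match blocks also
    carry "_match" with their criteria ("User deepak"). A repeated keyword
    keeps its last value, which is enough for the directives audited here.
    """
    global_conf, blocks = {}, []
    current = global_conf
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":          # everything after Match is a new block
            current = {"_match": value}
            blocks.append(current)
        else:
            current[keyword] = value
    return global_conf, blocks


def audit_sftp_jails(text):
    """Return {criteria: [findings]}; "_global" covers the Subsystem line.

    An empty list means the block matches the hardened layout from Step 4.
    """
    global_conf, blocks = parse_sshd_config(text)
    report = {"_global": []}
    subsystem = global_conf.get("subsystem", "")
    if not re.match(r"sftp\s+internal-sftp(\s|$)", subsystem):
        report["_global"].append(
            "Subsystem sftp is not internal-sftp: %r" % subsystem)
    for block in blocks:
        findings = []
        for key, want in REQUIRED_IN_MATCH.items():
            have = block.get(key)
            if have is None:
                findings.append("missing %s" % key)
            elif want is not None and not have.lower().startswith(want):
                findings.append("%s is %r, expected %r" % (key, have, want))
        force = block.get("forcecommand", "")
        if force.startswith("internal-sftp") and not re.search(r"\s-u\s+[0-7]+", force):
            findings.append("no -u umask on internal-sftp; server umask applies")
        report[block["_match"]] = findings
    return report


def effective_mode(requested, umask):
    """Mode a PUT ends up with: umask only clears bits (644 under 027 -> 640)."""
    return requested & ~umask & 0o777


if __name__ == "__main__":
    for criteria, findings in audit_sftp_jails(SAMPLE_SSHD_CONFIG).items():
        print(criteria, "->", findings or "OK")
    print("644 uploaded under umask 027 -> %o" % effective_mode(0o644, 0o027))
```

Feed it the real file with open("/etc/ssh/sshd_config").read() and every sftp block shows up under its Match criteria; a block that reports nothing but "no -u umask" is functionally jailed but will inherit whatever umask sshd itself runs with.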

 

Lastly, I hope the steps from this article to configure sftp and set up sftp restrict user to specific directory and sftp chroot multiple directories on RHEL/CentOS 7/8 Linux were helpful. So, let me know your suggestions and feedback using the comment section.

 
