I often have to share resources with clients, but letting them “play” with the entire file system of the web app could end in disaster.
That’s why I decided to write this little guide on how to restrict SFTP users to their home directory and share folders with them.
RESTRICT SFTP ACCESS TO HOME DIRECTORY
First, we need to modify the sshd_config file, which holds the configuration of the ssh daemon.
sudo nano /etc/ssh/sshd_config
Make sure the following line is present and enabled; otherwise add it yourself.
Subsystem sftp internal-sftp -f AUTH -l VERBOSE
On DigitalOcean I had the following line, which I replaced.
Subsystem sftp /usr/lib/openssh/sftp-server
At the end of the file, add the following block. Make sure that the /home/myuser folder is owned by root and not writable by anyone else, because sshd refuses to chroot into a directory that does not meet that requirement.
This configuration blocks the user from opening an ssh shell on the server and restricts her to the home directory /home/myuser.
Match User myuser
    ChrootDirectory /home/myuser
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Now we just need to restart the ssh service:
sudo service ssh restart
Normally we would use ln -s to create a symlink, but inside a chroot a symlink that points outside the jail cannot be resolved, so that approach won’t work here.
Luckily the mount command comes to our help: with the bind option we can expose the resource /var/www/myfolder/var/import inside the user’s home directory, in the folder import.
cd /home/myuser
mount -o bind /var/www/myfolder/var/import import
Please note that a bind mount made this way does not survive a reboot; after rebooting the server you will have to re-run this command.
I hope this article helps all of you who are trying to achieve the same with your lovely clients.
Move to the user1 directory; there you can create files or folders. If you try to access any other directory, an error occurs.
sftp> cd user1
sftp> cd /root
Couldn't canonicalise: No such file or directory
2. Restricting SFTP Users to a Specific Directory
In the ssh configuration file, change the "ChrootDirectory" to whichever directory you want to restrict the user to. Here we restrict the user to /project/files:
ChrootDirectory /project/files
Create the directory mentioned in the ssh configuration file.
Now restart the sshd service to bring the changes into effect.
# systemctl restart sshd
OR
# service sshd restart
Q
How to restrict multiple users to their own home directories
A
Change the /home to whichever directory you need the user to be restricted to. E.g.: ChrootDirectory /home/
Q
rsync error: protocol incompatibility [code 2] at /SourceCache/rsync/rsync-42/rsync/compat.c[61] [receiver=2.6.9] Any ideas? Thanks
A
I think it's due to different versions of rsync installed on the servers; make sure you have the same version of rsync, or maybe different flavors of Linux distros are used here, you need to check.
Q
Thanks for the article. I’m learning about SFTP now and was curious and wanted to know how to CHROOT its users from Centos 7.
A
You’re better off creating a SFTP root as /home/sftproot and then putting your SFTP users' home directories under /home/sftproot/home. Then when that user logs in they’ll automatically get put
Q
Is there any sftp command to use encryption?
A
Follow this link: //www.linuxhelp.com/sftp-command-transfer-encrypted-files/
Q
I meant I can not reach my odoo server locally anymore?
A
If you remove the 127.0.0.1 part and restart the server you will be able to run it locally on port 8069.
In this article I will share a step by step guide on how to configure an sftp server in Linux, with examples covering the topics below in detail:
- Install sftp on Linux
- Configure sftp chroot
- Create sftp user/Create sftp group
- sftp restrict user to specific directory
- sftp chroot multiple directories
sftp is a file transfer program, similar to ftp, which performs all operations over an encrypted ssh transport. It may also use many features of ssh, such as public key authentication and compression.
Lab Environment
I have created two Virtual Machines with CentOS 8 on Oracle VirtualBox on a Linux server. I will use these two Virtual Machines to configure and verify sftp restrict user to specific directory and sftp chroot multiple directories with examples. Most of the steps from this article should also work on other Linux distributions such as SuSE, Ubuntu etc.; if you face any issues, do let me know using the comment section of this page.
We will configure the sftp chroot jail on server2 and use server1 to connect to server2 as sftp user deepak.

| | server1 | server2 |
|---|---|---|
| Hostname | server1.example.com | server2.example.com |
| IP Address | 10.10.10.14 | 10.10.10.13 |
| Setup SFTP | as client (initiates the sftp connection) | as server (sftp server) |
| OS | CentOS 8 | CentOS 8 |
Step 1: Install sftp on Linux
On most Linux distributions sftp should be installed by default. On RHEL/CentOS 7 and 8 you can use yum or dnf to install sftp, which is provided as part of the openssh-clients rpm in the RHEL/CentOS distro.
HINT:
Depending on the distribution, sftp may be part of a different rpm; check your distribution's packages to install sftp.
[root@server1 ~]# which sftp
/usr/bin/sftp
Step 2: Create SFTP User
I will create sftp user deepak on server2 to demonstrate sftp restrict user to specific directory in Linux.
To create sftp user "deepak", use the command below. Here we use -m to also create the user's home directory.
[root@server2 ~]# useradd -m deepak
Check user details:
[root@server2 ~]# id deepak
uid=1003(deepak) gid=1003(deepak) groups=1003(deepak)
The user's home directory is owned by deepak with 700 permission so that no other user (other than root) can access this directory.
[root@server2 ~]# ls -ld /home/deepak/
drwx------ 2 deepak deepak 4096 Mar 30 18:48 /home/deepak/
Assign a password to sftp user deepak:
[root@server2 ~]# passwd deepak
Changing password for user deepak.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Change the shell of the sftp user to /bin/false instead of the default login shell. Without a valid shell the sftp user cannot open an interactive ssh login on the server.
[root@server2 ~]# usermod --shell /bin/false deepak
Verify the properties of user deepak:
[root@server2 ~]# grep deepak /etc/passwd
deepak:x:1003:1003::/home/deepak:/bin/false
HINT:
We could also have used useradd -m --shell /bin/false deepak to create the sftp user without a valid shell in a single command.
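A quick way to verify that the shell step was not forgotten for any sftp-only account is to audit /etc/passwd for users whose shell still allows an interactive login. The script below is an added example, not code from the original article: it runs over a constructed passwd-style sample embedded in the script (not a real system's file) and assumes that every account at or above a chosen uid threshold is meant to be sftp-only; on a real system you would replace that assumption with a group lookup or a list of sftp users.

```shell
#!/bin/sh
# Added example (not part of the original article): find accounts that are
# supposed to be sftp-only but still have a login shell.

# Constructed sample in /etc/passwd format (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
deepak:x:1003:1003::/home/deepak:/bin/false
amit:x:1004:1004::/home/amit:/bin/bash
rahul:x:1005:1005::/home/rahul:/usr/sbin/nologin
svc:x:1006:1006::/home/svc:/bin/sh'

# is_nologin_shell SHELL
# Returns 0 for shells that cannot start an interactive session.
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# sftp_users_with_shell "<passwd text>" MIN_UID
# Prints "name:shell" for every account with uid >= MIN_UID whose shell
# would permit an interactive login. Assumption (for this example only):
# all accounts at or above MIN_UID are intended to be sftp-only.
sftp_users_with_shell() {
    printf '%s\n' "$1" | while IFS=: read -r name _ uid _ _ _ shell; do
        [ "$uid" -ge "$2" ] || continue
        is_nologin_shell "$shell" || printf '%s:%s\n' "$name" "$shell"
    done
}

# Usage on the sample: deepak and rahul are fine, amit and svc are reported.
sftp_users_with_shell "$SAMPLE_PASSWD" 1000
```

To run it against a live system, replace the sample with `$(cat /etc/passwd)` (or `getent passwd` when users come from LDAP or SSSD) and fix each reported account with usermod --shell /bin/false as shown above.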
Step 3: Create SFTP Group [Optional]
In this article, to demonstrate sftp restrict user to specific directory, I will use an sftp user rather than an sftp group. But if you need to implement a group-level sftp chroot jail, you can create the sftp group using the steps below:
[root@server2 ~]# groupadd sftpusers