Page 1 of 4 (results 1 to 10 of 32)

Thread: Chroot sftp using openssh in 5 minutes

  1. #1
    Join Date
    Jul 2006
    Beans
    11
    Distro
    Kubuntu 8.10 Intrepid Ibex

    Chroot sftp using openssh in 5 minutes

    Hi,

    Chrooting sftp users will allow you to 'hide' the parts of the file system that they do not need access to, or rather, to deny them access to everything and then select what you want them to be able to access. This has obvious security benefits if done correctly (Wikipedia: chroot).

    After spending many hours trying (and failing) to get scponlyc to work on a 64-bit system I found that OpenSSH allows you to chroot users by adding just 4 lines to your sshd config file, creating a group for sftp-only users and changing a few permissions.

    Required packages: OpenSSH version 4.9 or greater (at the time of writing 5.1 is in use), so if you're using Intrepid (8.10) or newer then you should be fine.

    Parts one and two will only take a few minutes; the time required for part three is dependent on how you want to set everything up.

    Part one, editing your sshd config file:

    1. Backup your sshd config file
    Code:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.sftpmod
    2. Open your sshd config file in your favorite editor (I use nano, you might use kate or gedit)
    Code:
    sudo nano /etc/ssh/sshd_config
    3. Change the following line (near the end of the file)
    Code:
    Subsystem sftp /usr/lib/openssh/sftp-server
    to
    Code:
    Subsystem sftp internal-sftp
    4. Add the following to the very end of your sshd config (MUST be at the end of the file).
    Code:
    Match Group sftponly
            ChrootDirectory /home/%u
            ForceCommand internal-sftp
            X11Forwarding no
            AllowTcpForwarding no
    5. You will need to restart your ssh server for the changes to take effect (be careful, this will disconnect any logged-in users)
    Code:
    sudo /etc/init.d/ssh restart
    6. If you get the following message, move on to part two
    Code:
     * Restarting OpenBSD Secure Shell server sshd                                                     [ OK ]
    If you have made any mistakes in the sshd_config file then your ssh server might not start until you correct them (and certainly won't do what you want it to until you fix them). You can restore the backup with the following command:
    Code:
    sudo cp /etc/ssh/sshd_config.backup.sftpmod /etc/ssh/sshd_config

    Part two, creating and adding users to the sftp group

    1. Create the group 'sftponly'
    Code:
    sudo groupadd sftponly
    2. Create a new user (even if you want to do this to existing users I would recommend you create a test user first)
    Code:
    sudo useradd -m username
    3. Add the new user to the sftponly group (or add existing users, again please use a test user first!)
    Code:
    sudo usermod -g sftponly username
    4. Remove the new user's shell access
    Code:
    sudo usermod -s /bin/false username
    5. Change the ownership/group of the user's home directory to root:root (required or the ssh server will disconnect them)
    Code:
    sudo chown root:root /home/username
    6. Unless we change the user's home directory to '/' or create '/home/username' inside the chroot they will be unable to log in! I would suggest you opt for creating the home directory inside the chroot, as you can also make it writable for them.

    Create the 'fake' home directory
    Code:
    sudo mkdir -p /home/username/home/username
    Make the user the owner of their fake home directory
    Code:
    sudo chown username:username /home/username/home/username
    Part 3, Adding access to specific directories

    This section has deliberately been left blank. I am not confident enough in my understanding of file permissions to write this as a step-by-step guide (anyone else in the same situation copying and pasting my commands could end up with improperly set privileges). If someone else believes they do have a decent understanding of how to do this then post below and I will add it in (giving credit and linking to the post in the list of contributors at the end of this guide).

    I will, however, give some hints at how it might be done. You can mount other directories inside the chrooted home directory with the following.
    Code:
    sudo mount -o bind /some/directory/ /home/username/somewhere
    You should be very careful with this though, as you need to set permissions correctly (and perhaps mount it read-only if suitable). You could also create a directory common to a group of sftp users (i.e. an uploads directory). For this to remain after a reboot you will have to edit your fstab.

    Contributors

    • albinootje
      1. Ubuntu release versions this should work on. Link
      2. Providing a link to another guide suggesting /home/%u instead of %h for the chroot in sshd_config which makes it easier to drop the user into a writable directory inside the chroot (and prevents chrooting to the wrong directory by getting the location of home wrong). Link
    • You, if you know anything that would be helpful to anyone reading this guide!
    Last edited by Impotence; February 3rd, 2009 at 02:44 PM.

  2. #2
    Join Date
    Jan 2009
    Location
    Norway
    Beans
    25
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Chroot sftp using openssh in 5 minutes

    Nice guide! I've actually been looking for this and just stumbled upon it here. Great!
    Ubuntu security howto, and more @ cjacobsen.net

  3. #3
    Join Date
    Jul 2008
    Location
    Netherlands
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Chroot sftp using openssh in 5 minutes

    Quote Originally Posted by Impotence View Post
    After spending many hours trying (and failing) to get scponlyc to work on a 64-bit system I found that OpenSSH allows you to chroot users by adding just 4 lines to your sshd config file, creating a group for sftp-only users and changing a few permissions.

    Required packages: OpenSSH version 4.9 or greater (at the time of writing 5.1 is in use).
    Thanks a lot for mentioning this! :)

    Here's an article which has a little bit of a different approach:
    http://www.debian-administration.org/articles/590

    It also says the minimum version needed is "4.8p1 for the GNU/Linux port".
    That would be:
    http://packages.ubuntu.com/search?ke...openssh-server
    Intrepid and newer only.

    And this changelog for openssh 4.9:
    http://www.openssh.com/txt/release-4.9
    says this:
    New features:

    * Added chroot(2) support for sshd(8), controlled by a new option
    "ChrootDirectory". Please refer to sshd_config(5) for details, and
    please use this feature carefully. (bz#177 bz#1352)
    I wonder what the "please use this feature carefully" would be about.

    For the rest, mount --bind is indeed a nice option to use within the chrooted dir, but I remember reading that older 2.6.x Linux kernels only support read/write mount --bind, and not read-only mount --bind.

    Thanks again for posting this! :)

  4. #4
    Join Date
    Jul 2006
    Beans
    11
    Distro
    Kubuntu 8.10 Intrepid Ibex

    Re: Chroot sftp using openssh in 5 minutes

    According to the debian-administration article the home directory is relative to the chroot so, if you wanted to, you should be able to drop the user into a writable directory that they own... I will try it and let everyone know.

    PS Fixed a few typos and omissions in the guide (such as forgetting to put 'username' after some of the commands that needed it). If there is a 'standard format' for guides here or any mistakes I have made, improvements etc. please point them out.

    EDIT: changing the chroot directory to /home/%u and home to /home/username works quite well (you obviously have to create /home/username inside the real /home/username). You could also just set the home to /home if you're not trying to emulate a normal setup (of users having a directory inside /home). Updating the guide now. I'm not going to attach a credit to xyz to every piece of text that I did not create anymore (this will make it harder to read over and look cluttered); instead I think a list of contributors at the end of the guide (with details of what they provided) would be more suitable (feel free to object albinootje and I will add your credit next to the submissions you have made so far, all new submissions go at the end though!)
    Last edited by Impotence; February 3rd, 2009 at 02:02 PM.

  5. #5
    Join Date
    Jul 2006
    Beans
    11
    Distro
    Kubuntu 8.10 Intrepid Ibex

    Re: Chroot sftp using openssh in 5 minutes

    I seem to be having problems using "filezilla" with sftp accounts chrooted in this way. If anyone else has followed these instructions it would be very helpful if you could take a minute to test this.

    How to install filezilla
    Code:
    sudo apt-get install filezilla

  6. #6
    Join Date
    Jul 2008
    Location
    Netherlands
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Chroot sftp using openssh in 5 minutes

    Quote Originally Posted by Impotence View Post
    I seem to be having problems using "filezilla" with sftp accounts chrooted in this way. If anyone else has followed these instructions it would be very helpful if you could take a minute to test this.
    I would like to test the built-in chrooted sftp soonish.
    Yesterday I installed a newer openssh server version on my Ubuntu 8.04 desktop, and made changes to the sshd_config file; the next step for me is to do some more reading first.
    Last edited by albinootje; February 5th, 2009 at 12:51 AM.

  7. #7
    Join Date
    Jul 2008
    Location
    Netherlands
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Chroot sftp using openssh in 5 minutes

    I've used the instructions from the Debianadmin webpage link (and I don't see much difference at all from your instructions), and it works fine with FileZilla, just as with WinSCP (with Wine in Ubuntu, with and without the scp fallback).
    Last edited by albinootje; February 5th, 2009 at 12:51 AM.

  8. #8
    Join Date
    Jul 2006
    Beans
    11
    Distro
    Kubuntu 8.10 Intrepid Ibex

    Re: Chroot sftp using openssh in 5 minutes

    Sorry for taking so long to post a followup.

    The problem with filezilla was found: filezilla ignores the password you enter in the quick connect bar if you are logging into an account with the username 'anonymous' (bugzilla ticket + workarounds).

  9. #9
    Join Date
    May 2008
    Beans
    23

    Re: Chroot sftp using openssh in 5 minutes

    This has been a very helpful tutorial. However, I have a question on how to slightly modify this tutorial to fit my own organizational needs.

    I have a master user called "masterftp". I want to chroot this guy. Basically, the tutorial given would be fine for this guy.

    Now, I want to create users who have a chroot directory inside the masterftp directory. So, it would look like this...

    /home/masterftp/ - master ftp directory
    /home/masterftp/client1 - a client's ftp directory that is chrooted for them
    /home/masterftp/client2 - another chrooted client directory
    [...]

    In this case, the masterftp user will be able to see and access all the clients, but the clients will only see their respective directories.

    How might I get something like this setup?

    Thanks!
    Fozzy

    ps. for the record, I was able to follow the tutorial and get it to work
    Last edited by fozzyuw; February 25th, 2009 at 03:45 PM. Reason: ps

  10. #10
    Join Date
    Jul 2008
    Location
    Netherlands
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Chroot sftp using openssh in 5 minutes

    Quote Originally Posted by fozzyuw View Post
    How might I get something like this setup?
    Sounds like you can just assign different home directories for your users.
    /home/masterftp/ will be the home directory for your masterftp user.
    /home/masterftp/client1 will be the home directory for the first client. And so on.
