Learn how to configure a Chroot SFTP server in Linux with our step-by-step guide. Enhance your server's security by restricting users to their home directories.
What is SFTP?
SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. It runs over the SSH protocol and supports the full security and authentication functionality of SSH. SFTP has largely replaced the legacy FTP protocol and is much more reliable and secure than FTP.
What is Chroot?
Chroot is an operation that changes the apparent root directory for the currently running process and its child processes. The resulting environment is called a chroot jail. Users in a chroot jail cannot access files outside the designated directory.
Problem Statement
When multiple users work on a common project, they often require a common place to share their work with each other. This common place is called a collaborative directory. Usually, a collaborative directory is created with no authentication, which raises conflicts between users. However, a properly configured collaborative directory can control the authentication/authorization of the legitimate users.
In this article, we will configure a collaborative directory for our users to securely upload/download files to/from the file server via the SFTP protocol, and limit user access to the collaborative directory by using a chroot jail environment. We will also restrict shell access for the same credentials that the users have for SFTP.
Note: All demonstrations in this article are CLI based.
Linux Server Specification
We have configured a Linux machine with the following specification:
- Hostname – fileserver-01.example.com
- IP Address – 192.168.116.42/24
- Operating System – CentOS 7.5
Configure Chroot SFTP Server in Linux
Connect to the CentOS 7 server using ssh as the root user.
The sftp client is part of the openssh-clients package, which is already installed in almost all Linux distributions, and the SFTP server side used here (internal-sftp) is built into sshd itself. Therefore, we don't have to explicitly install anything; we only need to configure sshd according to our requirements.
Create a group for collaborative users.
# groupadd -g 1501 dev
Create three collaborative users with dev as a supplementary group and /sbin/nologin as the login shell, so that they cannot obtain an interactive shell.
# useradd -u 1001 -G dev -s /sbin/nologin ahmer
# useradd -u 1002 -G dev -s /sbin/nologin mansoor
# useradd -u 1003 -G dev -s /sbin/nologin danish
Set the home directory of these users to /common. This path is relative to the chroot, so once the jail is in place it resolves to /chroot/sftp/common on the real filesystem.
# usermod -d /common ahmer
# usermod -d /common mansoor
# usermod -d /common danish
Set passwords for the users.
# echo 123 | passwd ahmer --stdin
Changing password for user ahmer.
passwd: all authentication tokens updated successfully.
# echo 123 | passwd mansoor --stdin
Changing password for user mansoor.
passwd: all authentication tokens updated successfully.
# echo 123 | passwd danish --stdin
Changing password for user danish.
passwd: all authentication tokens updated successfully.
Create a directory for collaboration and adjust its permissions according to the requirement. The chroot directory itself must be owned by root and must not be writable by group or others (sshd refuses the login otherwise), while the common subdirectory is group-writable with the setgid bit so that uploaded files belong to group dev.
# mkdir -p /chroot/sftp
# chmod 555 /chroot/sftp
# mkdir /chroot/sftp/common/
# chgrp dev /chroot/sftp/common/
# chmod 2775 /chroot/sftp/common/
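sshd only honours ChrootDirectory when that directory and every directory above it are owned by root and not writable by group or others, which is why /chroot/sftp gets mode 555 while only the common subdirectory is group-writable. The following bash function is an added example, not code from the original article: it walks the path components from the chroot directory up to a stop directory (by default /) and reports any component that would make sshd reject the login. The optional expected-uid and stop-directory arguments are assumptions added so the check can be exercised on a test tree by a non-root user; on the server you would simply run check_chroot_path /chroot/sftp. GNU coreutils stat is assumed.

```shell
#!/usr/bin/env bash
# Added example: verify that a ChrootDirectory tree meets sshd's ownership
# and mode requirements. Assumes GNU coreutils (stat -c).
#
# usage: check_chroot_path <chroot_dir> [expected_uid] [stop_dir]
#   expected_uid defaults to 0 (root), which is what sshd demands;
#   stop_dir defaults to / and is the last component checked.
check_chroot_path() {
    local target=$1 owner=${2:-0} stop=${3:-/}
    local path rc=0 uid mode
    path=$(cd "$target" 2>/dev/null && pwd -P) || { echo "missing: $target"; return 2; }
    stop=$(cd "$stop" 2>/dev/null && pwd -P) || { echo "missing: $stop"; return 2; }
    while :; do
        uid=$(stat -c '%u' "$path") || return 2
        mode=$(stat -c '%a' "$path") || return 2
        if [ "$uid" -ne "$owner" ]; then
            echo "bad owner: $path is uid $uid, expected $owner"
            rc=1
        fi
        # 022 masks the group-write (020) and other-write (002) bits; the
        # leading 0 makes the shell read the stat output as octal.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable: $path has mode $mode"
            rc=1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    if [ "$rc" -eq 0 ]; then
        echo "ok: $target is usable as ChrootDirectory"
    fi
    return "$rc"
}
```

Run it as root after creating the directories (check_chroot_path /chroot/sftp); a non-zero return means sshd would log "bad ownership or modes for chroot directory component" and close the session instead of chrooting.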
Configure sshd service to handle the collaborative users.
# vi /etc/ssh/sshd_config
Search for and comment out the following line.
#Subsystem sftp /usr/libexec/openssh/sftp-server
Add the following lines at the end of /etc/ssh/sshd_config. A Match block applies to every directive that follows it, so it must stay the last block in the file, and the Subsystem line must come before it.
Subsystem sftp internal-sftp
Match Group dev
    X11Forwarding no
    AllowTCPForwarding no
    ChrootDirectory /chroot/sftp/
    ForceCommand internal-sftp -u 007
We have set the umask to 007 to prevent other users from accessing our files. However, you can adjust the umask according to your requirements (e.g. if you require that group members cannot change each other's files, set the umask to 027).
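To make the -u value concrete, here is a small bash example added to this article (not the author's code) that computes the mode a new file or directory receives under a given umask and then creates a file under that umask to confirm the result against the kernel. internal-sftp applies the umask to the default creation modes, 0666 for files and 0777 for directories, so 007 yields 660/770 (group read-write) while 027 yields 640/750 (group read-only), which is exactly the difference described above. The function names are mine, and GNU coreutils stat is assumed; group ownership of uploaded files comes from the setgid bit on common, not from the umask.

```shell
#!/usr/bin/env bash
# Added example: how the umask passed to internal-sftp -u shapes the mode of
# uploaded files and created directories. Assumes GNU coreutils (stat -c).

# Return the octal mode a new file (base 0666) or directory (base 0777)
# receives under the given umask: base & ~umask.
effective_mode() {   # usage: effective_mode <umask> file|dir
    local mask=$1 kind=$2 base
    case $kind in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "kind must be file or dir" >&2; return 2 ;;
    esac
    # the leading 0 forces octal interpretation of the umask string
    printf '%03o\n' $(( base & ~0$mask ))
}

# Create an empty file under the given umask, the way an SFTP upload would,
# and return the mode the kernel actually assigned. The path must not exist
# yet: redirecting onto an existing file keeps its old mode.
create_with_umask() {   # usage: create_with_umask <umask> <path>
    local mask=$1 path=$2
    ( umask "$mask" && : > "$path" ) || return 1
    stat -c '%a' "$path"
}

# Side-by-side table for the two umasks discussed in the article.
umask_table() {
    local m
    printf '%-6s %-5s %-4s\n' umask file dir
    for m in 007 027; do
        printf '%-6s %-5s %-4s\n' "$m" \
            "$(effective_mode "$m" file)" "$(effective_mode "$m" dir)"
    done
}
```

umask_table prints 660/770 for 007 and 640/750 for 027; with 027 a file uploaded by ahmer is readable by mansoor and danish through group dev but can only be modified or deleted by ahmer (deletion still depends on the common directory being group-writable, which it is with mode 2775).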
Save and exit vi editor.
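Two ordering mistakes are easy to make when editing this file: sshd does not allow a Subsystem directive inside a Match block, and a Match block swallows every directive that follows it. The bash/awk function below is an added example, not part of the original article: it reads an sshd_config file and reports whether Subsystem sftp is set to internal-sftp outside any Match block and whether the Match Group block for the given group carries ChrootDirectory and ForceCommand internal-sftp. The function name is mine and only POSIX awk is assumed. It is a textual sanity check and does not replace sshd -t, which validates the whole file with sshd itself.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the chroot SFTP stanza in an sshd_config file.
# usage: sftp_chroot_config_ok <sshd_config> <group>
# Prints each problem found and returns 0 only when none is found.
sftp_chroot_config_ok() {
    local cfg=$1 group=$2
    awk -v grp="$group" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        { key = tolower($1) }                  # sshd keywords are case-insensitive
        key == "match" {
            # every Match line ends the previous block and starts a new one
            in_match = 1
            in_ours = (tolower($2) == "group" && $3 == grp)
            if (in_ours) seen = 1
            next
        }
        key == "subsystem" && $2 == "sftp" {
            if (in_match) { print "Subsystem sftp is not allowed inside a Match block"; bad = 1 }
            else subsystem = $3
            next
        }
        in_ours && key == "chrootdirectory" { chroot = $2 }
        in_ours && key == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        END {
            if (subsystem == "") {
                print "missing: Subsystem sftp outside any Match block"; bad = 1
            } else if (subsystem != "internal-sftp") {
                print "Subsystem sftp uses " subsystem ", expected internal-sftp"; bad = 1
            }
            if (!seen) {
                print "missing: Match Group " grp " block"; bad = 1
            } else {
                if (!chroot) { print "missing: ChrootDirectory in Match Group " grp; bad = 1 }
                if (!force)  { print "missing: ForceCommand internal-sftp in Match Group " grp; bad = 1 }
            }
            if (!bad) print "ok: group " grp " is chrooted to " chroot
            exit bad + 0
        }
    ' "$cfg"
}
```

On the server, run sftp_chroot_config_ok /etc/ssh/sshd_config dev followed by sshd -t before restarting, so a typo does not leave sshd unable to start.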
Restart sshd service to apply changes.
# systemctl restart sshd
Test Chroot SFTP Server
Connect to the fileserver-01.example.com using sftp command.
# sftp ahmer@localhost
ahmer@localhost's password:
Connected to localhost.
sftp>
We have successfully connected to our server using SFTP protocol.
Check working and root directories.
sftp> pwd
Remote working directory: /common
sftp> ls -al /
dr-xr-xr-x    3 0        0              20 Sep  9 07:13 .
dr-xr-xr-x    3 0        0              20 Sep  9 07:13 ..
drwxrwsr-x    2 0        1501          163 Sep  9 07:56 common
sftp>
You can see that the user session is now in a chroot jail environment, and the user cannot access the actual filesystem from here. Owners and groups are shown as numeric ids because /etc/passwd and /etc/group are not visible inside the jail.
Let's upload a file to the server.
sftp> put hosts
Uploading hosts to /common/hosts
hosts                                   100%  158   244.7KB/s   00:00
sftp> ls -al
drwxrwsr-x    2 0        1501          176 Sep  9 08:10 .
dr-xr-xr-x    3 0        0              20 Sep  9 07:13 ..
-rw-rw----    1 1001     1501          158 Sep  9 08:10 hosts
sftp>
After various files have been uploaded by different users, the directory looks like this on the server:
# ls -al /chroot/sftp/common/
total 32
drwxrwsr-x. 2 root    dev   176 Sep  9 13:10 .
dr-xr-xr-x. 3 root    root   20 Sep  9 12:13 ..
-rw-rw----. 1 mansoor dev  1409 Sep  9 12:50 anaconda-ks1.cfg
-rw-rw----. 1 ahmer   dev  1409 Sep  9 12:48 anaconda-ks.cfg
-rw-rw----. 1 mansoor dev     0 Sep  9 12:10 exports
-rw-rw----. 1 ahmer   dev   506 Sep  9 12:16 fstab
-rw-rw----. 1 ahmer   dev   158 Sep  9 13:10 hosts
-rw-rw----. 1 ahmer   dev  1452 Jun  2 14:56 ldapserver.pem
-rw-rw----. 1 ahmer   dev   925 Sep  9 12:09 passwd
-rw-rw----. 1 danish  dev  2885 Sep  9 12:54 vmware-vgauthsvc.log.0
-rw-rw----. 1 ahmer   dev   813 Sep  9 12:53 yum.conf
Also check whether our users can connect using ssh.
# ssh mansoor@localhost
mansoor@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
We have successfully configured a chrooted collaborative directory for SFTP users in CentOS 7, with a chroot jail and restricted shell access.
Final Thoughts
Configuring a Chroot SFTP server in Linux can significantly enhance your system’s security by isolating users to their own directories. By following this guide, you can set up a secure and efficient file transfer environment on your Linux server.