initial commit
This commit is contained in:
Chris Cowley
commit
ca6a4d45d1
113 changed files with 10501 additions and 0 deletions
80
content/blog/sftp-chroot-on-centos/index.md
Normal file
80
content/blog/sftp-chroot-on-centos/index.md
Normal file
|
|
@ -0,0 +1,80 @@
|
|||
---
|
||||
date: 2012-11-19
|
||||
title: SFTP Chroot on CentOS
|
||||
category: linux
|
||||
---
|
||||
|
||||
This came up today where I needed to give secure file transfer to
|
||||
customers. To complicate things I had to use an out-of-the-box RHEL6
|
||||
system. The obvious answer was to use SSH and limit those users to SFTP
|
||||
only. Locking them into a chroot was not a requirement, but it seemed
|
||||
like a good idea to me. I found plenty of docs that got 80% of the way,
|
||||
or took a shortcut, but this should be complete.
|
||||
|
||||
The basic steps are:
|
||||
|
||||
1. Create a group and the users to that group
|
||||
2. Modify the SSH daemon configuration to limit a group to sftp only
|
||||
3. Setup file system permissions
|
||||
4. Configure SELinux
|
||||
5. Test (of course)
|
||||
|
||||
Without further ado, lets get started. It should only take about 10
|
||||
minutes, nothing here is especially complex.
|
||||
|
||||
Create a group that is limited to SFTP only and a user to be in that
|
||||
group.
|
||||
|
||||
groupadd sftponly
|
||||
useradd sftptest
|
||||
usermod -aG sftponly sftptest
|
||||
|
||||
Now you need to make a little change to `/etc/ssh/sshd_config`. There
|
||||
will be a *Subsystem* line for `sftp` which you need to change to read:
|
||||
|
||||
Subsystem sftp internal-sftp
|
||||
|
||||
Now you need to create a block at the end to limit members of a group
|
||||
(ie the sftponly group you created above) and chroot them. Simply add
|
||||
the following to the end of the file:
|
||||
|
||||
Match Group sftponly
|
||||
ChrootDirectory %h
|
||||
ForceCommand internal-sftp
|
||||
X11Forwarding no
|
||||
AllowTcpForwarding no
|
||||
|
||||
These changes will require a reload of the SSH daemon:
|
||||
`service sshd reload`
|
||||
|
||||
Now you need to make some file permission changes. For some reason which
|
||||
I cannot work out for now, the home directory must be owned by root and
|
||||
have the permissions 755. So we will also need to make a folder in the
|
||||
home directory to upload to and make that owned by the user.
|
||||
|
||||
sudo -u sftptest mkdir -pv /home/sftptest/upload
|
||||
chown root. /home/sftptest
|
||||
chmod 755 /home/sftptest
|
||||
chgrp -R sftponly /home/sftptest
|
||||
|
||||
The last thing we need to do is tell SELinux that we want to upload
|
||||
files via SFTP to a chroot as it is read-only by default. Of course you
|
||||
are running SELinux in enforcing mode aren\'t you :)
|
||||
|
||||
setsebool -P ssh_chroot_rw_homedirs on
|
||||
|
||||
Now from another console you can sftp to your server
|
||||
|
||||
sftp sftptest@<server>
|
||||
|
||||
You should then be able to put a file in your upload folder. However if
|
||||
you try to ssh to the server as the user *sftptest* it should tell you
|
||||
to go away. Of course you should be able to *ssh* as your normal user
|
||||
with no problem. Pro tip: make sure to leave a root terminal open just
|
||||
in case.
|
||||
|
||||
Required reading:
|
||||
|
||||
- [CentOS Wiki SELinux](https://wiki.centos.org/HowTos/SELinux)
|
||||
- [CentOS Wiki
|
||||
SELinuxBooleans](https://wiki.centos.org/TipsAndTricks/SelinuxBooleans)
|
||||
Loading…
Add table
Add a link
Reference in a new issue