== Quick Overview ==
This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website.
\\
For example: sftpluke needs to upload files to /var/www/vhost/lukeslinuxlessons/. You can chroot sftpluke to /home/chroot/sftpluke/ and then bind-mount /var/www/vhost/lukeslinuxlessons/ to their home directory. This means they can upload to the correct website directory without needing direct access to it.
\\
\\
== Options ==
There are 2 main options for bind mounting:
\\
**> Option 1** - Chroot a user to their home directory. //Note - user will NOT be able to write to it, they will need to cd into the correct directory.// 
\\
**> Option 2** - Users are chrooted to a directory and then moved into a writeable directory - //Note - this is not a suitable option for a lot of systems, its based off of ssh configuration directive: __ChrootDirectory /home/chroot__. This means every chrooted user will be chrooted here and doesnt allow for as much flexibility.// 
\\
\\
=== sFTP Only Group ===
<sxh bash>
groupadd sftponly
</sxh>
\\
=== Creating a chroot Directory ===
__**Note**: //This part may not be needed. You are able to use the user home directory instead of creating a new one (example: **/home/luke/** or **/home/luke_sftp**)//__
\\
Now we need to create a home directory which we will be chrooting our sFTP user to. In this directory you are able to have more directories, each one relating to a different website etc. Standard proceedure is to chroot a user to their home directory however you are able to use option 2 if you wish for a more 'formal' chroot.
== Option 1 ==
<sxh bash>
mkdir -p /home/lukes-jail/
</sxh>
Now we need to create a mount point - this mount point will be where we mount the files located else where on the device to, so that the jailed user has access to them:
<sxh bash>
/home/lukes-jail/website1/
</sxh> 
\\
You are able to have many website and mount points in a single jailed users home directory (eg /home/lukes-jail/website1/, /home/lukes-jail/website2/ /home/lukes-jail/website3/ etc)
== Option 2 ==
If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g
<sxh bash>
mkdir -p /home/chroot/sams-jail/
</sxh>
An example of multiple sftp users would be:
<sxh bash>
/home/chroot/luke
/home/chroot/joe
/home/chroot/michal
</sxh>
All of these users home directory (luke, joe, michal) would be writable
\\
\\
=== Adding a chroot user ===

We can now add a user with a specific home directory and NO shell login. This means they will NOT be able to SSH into the server, only sFTP.  We will also add the user to the sftponly group.
\\
== Option 1 ==
(for those with a standard /home/user directory jail)
<sxh bash>
useradd -s /sbin/nologin -G sftponly lukes-jail
</sxh>
== Option 2 ==
<sxh bash>
useradd -d /home/chroot/lukes-jail/ -s /sbin/nologin -G sftponly lukes-jail
</sxh>
Now change the password with
<sxh bash>
passwd lukes-jail
</sxh>
 
\\
=== Configuring sshd_config file ===

We need to make a few changes to **/etc/ssh/sshd_config** file.

You will need to locate and comment-out the following line:
<sxh bash>
Subsystem sftp /usr/libexec/openssh/sftp-server
</sxh>
Once you have done this you will need to add the following lines to the bottom of the file:

=== Option 1 ===
<sxh bash>
Subsystem     sftp   internal-sftp
         Match Group sftponly
         ChrootDirectory %h
         X11Forwarding no
         AllowTCPForwarding no
         ForceCommand internal-sftp
</sxh>
\\
=== Option 2 ===
<sxh bash>
Subsystem     sftp   internal-sftp
         Match Group sftponly
         ChrootDirectory /home/chroot/
         X11Forwarding no
         AllowTCPForwarding no
         ForceCommand internal-sftp
</sxh>
\\
Now you need to restart sshd. You can either run **sshd -t** first (which should return NO message) or you can be brave and just perform service sshd restart
 
\\
=== Permissions ===

Now we need to make sure that the home directory for the **lukeisjailed** user has the correct permissions.
\\
Before performing the following it is important to note, the chroot directory needs to be owned by root:root, it must NOT be owned by anyone else. Once it is owned by root:root you need to make sure it has 755 permissions. It is important to note that the bit we are interested in is the 'other' permissions. It must have executable and read permissions for other users as this is the category the user will be classed in.
\\
You should perform the following:
== Option 1 ==
<sxh bash>
chmod 711 /home/

chmod 755 /home/lukes-jail/

chown root:root /home/lukes-jail/
</sxh>
You will then need to set the permissions of the mount directory (e.g **/home/lukes-jail/website1/**) to user:group with
<sxh bash>
chown lukes-jail:sftponly /home/lukes-jail/website1/
</sxh>
== Option 2 ==
 <sxh bash>
chmod 755 /home/chroot

chown root:root /home/chroot/
</sxh>
\\
=== Mounting ===

We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab:
== Option 1 ==
<sxh bash>
/var/www/vhost/lukeslinuxlessons/ /home/lukes-jail/website1/ none bind 0 0
</sxh>

== Option 2 ==
\\
<sxh bash>
/var/www/vhost/lukeslinuxlessons/ /home/chroot/lukes-jail/website1/ none bind 0 0
</sxh>
Now we can mount a specific directory to the users chrooted home directory.
\\
Best practice is to use the "mount" command (with a specific flag) to mount the directory using the entry we have just made. 
\\
This is to make sure there are no errors in the entry into /etc/fstab. If there are errors, we can resolve them before the server is rebooted however if we dont fix them before server reboot it can cause **SEVERE** issue and prevent the server from booting!!
<sxh bash>
mount /home/lukes-jail/website1/
</sxh>
This command mounts the directory stated in /etc/fstab to the directory we have just specified (/home/lukes-jail/website1/)

And your done!
\\
 
\\
--------------------------------------------------------------------------------------------------
=== Testing sFTP chroot===

You can test the chroot a couple of ways.

Try logging in with the user via ssh, this should fail as we have disabled ssh login.
<sxh bash>
ssh lukes-jail@serverIP
</sxh>
Now we can test sftp via command line with
<sxh bash>
sftp lukes-jail@serverIP
</sxh>
This should prompt you for a password and then successfully log in. You should see:
<sxh bash>
sftp>
</sxh>
Now you can test to see if it has been configured correctly by typing the following:
<sxh bash>
sftp> pwd
Remote working directory: /
sftp> ls
website1
sftp> cd website1
sftp> ls
file1 file2 file3
</sxh>
Create a test file on your localhost, then sftp to the server:
<sxh bash>
put sftptest.txt
</sxh>
\\
=== Specifying a port ===
2 Options:
<sxh bash>
sftp -oPort=3476 user@host
</sxh>
<sxh bash>
sftp -P <port> user@host
</sxh>

=== Troubleshooting ===

This section will be updated regularly with issues and fixes.
<sxh bash>
sftp user@ipaddress -v
</sxh>
The command above should tell you if the issue is a password for the user is correct or not