Differences

This shows you the differences between two versions of the page.

--- sftp_centos [2016/03/16 15:16] – luke7858
+++ sftp_centos [2024/05/23 07:26] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website. For example: sftpluke needs to upload files to /var/www/vhost/lukeslinuxlessons/. You can chroot sftpluke to /home/chroot/sftpluke/ and then mount /var/www/vhost/lukeslinuxlessons/ to their home directory. This means they can upload to the correct website directory without needing access to it.
+== Quick Overview ==
+This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website.
+\\
+For example: sftpluke needs to upload files to /var/www/vhost/lukeslinuxlessons/. You can chroot sftpluke to /home/chroot/sftpluke/ and then bind-mount /var/www/vhost/lukeslinuxlessons/ to their home directory. This means they can upload to the correct website directory without needing direct access to it.
+\\
+\\
+== Options ==
+There are 2 main options for bind mounting:
+\\
+**> Option 1** - Chroot a user to their home directory. //Note - user will NOT be able to write to it, they will need to cd into the correct directory.//
+\\
+**> Option 2** - Users are chrooted to a directory and then moved into a writeable directory - //Note - this is not a suitable option for a lot of systems, its based off of ssh configuration directive: __ChrootDirectory /home/chroot__. This means every chrooted user will be chrooted here and doesnt allow for as much flexibility.//
 \\
 \\
@@ Line 10: / Line 21: @@
 __**Note**: //This part may not be needed. You are able to use the user home directory instead of creating a new one (example: **/home/luke/** or **/home/luke_sftp**)//__
 \\
-Now we need to create a home directory which we will be chrooting our sFTP user to. In this directory you are able to have more directories, each one relating to a different website etc. Standard proceedure is to chroot a user to their home directory however you are able to use the following if you wish for a more 'formal' chroot.
+Now we need to create a home directory which we will be chrooting our sFTP user to. In this directory you are able to have more directories, each one relating to a different website etc. Standard proceedure is to chroot a user to their home directory however you are able to use option 2 if you wish for a more 'formal' chroot.
+== Option 1 ==
 <sxh bash>
-mkdir -p /home/chroot/lukes-jail/
+mkdir -p /home/lukes-jail/
 </sxh>
-If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g
-<sxh bash>
-mkdir -p /home/chroot/sams-jail/
-</sxh>
-\\
-\\
 Now we need to create a mount point - this mount point will be where we mount the files located else where on the device to, so that the jailed user has access to them:
 <sxh bash>
@@ Line 26: / Line 32: @@
 \\
 You are able to have many website and mount points in a single jailed users home directory (eg /home/lukes-jail/website1/, /home/lukes-jail/website2/ /home/lukes-jail/website3/ etc)
+== Option 2 ==
+If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g
+<sxh bash>
+mkdir -p /home/chroot/sams-jail/
+</sxh>
+An example of multiple sftp users would be:
+<sxh bash>
+/home/chroot/luke
+/home/chroot/joe
+/home/chroot/michal
+</sxh>
+All of these users home directory (luke, joe, michal) would be writable
+\\
 \\
 === Adding a chroot user ===
@@ Line 31: / Line 50: @@
 We can now add a user with a specific home directory and NO shell login. This means they will NOT be able to SSH into the server, only sFTP.  We will also add the user to the sftponly group.
 \\
+== Option 1 ==
 (for those with a standard /home/user directory jail)
 <sxh bash>
 useradd -s /sbin/nologin -G sftponly lukes-jail
 </sxh>
-OR
+== Option 2 ==
 <sxh bash>
 useradd -d /home/chroot/lukes-jail/ -s /sbin/nologin -G sftponly lukes-jail
 </sxh>
-\\
 Now change the password with
 <sxh bash>
@@ Line 55: / Line 74: @@
 </sxh>
 Once you have done this you will need to add the following lines to the bottom of the file:
+=== Option 1 ===
 <sxh bash>
 Subsystem     sftp   internal-sftp
@@ Line 63: / Line 84: @@
          ForceCommand internal-sftp
 </sxh>
+\\
+=== Option 2 ===
+<sxh bash>
+Subsystem     sftp   internal-sftp
+         Match Group sftponly
+         ChrootDirectory /home/chroot/
+         X11Forwarding no
+         AllowTCPForwarding no
+         ForceCommand internal-sftp
+</sxh>
+\\
 Now you need to restart sshd. You can either run **sshd -t** first (which should return NO message) or you can be brave and just perform service sshd restart
@@ Line 73: / Line 105: @@
 \\
 You should perform the following:
+== Option 1 ==
 <sxh bash>
-chmod 711 /home/user/
+chmod 711 /home/
 chmod 755 /home/lukes-jail/
@@ Line 84: / Line 117: @@
 chown lukes-jail:sftponly /home/lukes-jail/website1/
 </sxh>
+== Option 2 ==
+ <sxh bash>
+chmod 755 /home/chroot
+chown root:root /home/chroot/
+</sxh>
 \\
 === Mounting ===
 We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab:
+== Option 1 ==
+<sxh bash>
+/var/www/vhost/lukeslinuxlessons/ /home/lukes-jail/website1/ none bind 0 0
+</sxh>
+== Option 2 ==
+\\
 <sxh bash>
 /var/www/vhost/lukeslinuxlessons/ /home/chroot/lukes-jail/website1/ none bind 0 0
@@ Line 94: / Line 139: @@
 Now we can mount a specific directory to the users chrooted home directory.
 \\
-Best practice is to use the mount -a command to mount the directory using the entry we have just made.
+Best practice is to use the "mount" command (with a specific flag) to mount the directory using the entry we have just made.
 \\
 This is to make sure there are no errors in the entry into /etc/fstab. If there are errors, we can resolve them before the server is rebooted however if we dont fix them before server reboot it can cause **SEVERE** issue and prevent the server from booting!!
@@ Line 106: / Line 151: @@
 \\
+--------------------------------------------------------------------------------------------------
 === Testing sFTP chroot===
@@ Line 112: / Line 158: @@
 Try logging in with the user via ssh, this should fail as we have disabled ssh login.
 <sxh bash>
-ssh lukeisjailed@serverIP
+ssh lukes-jail@serverIP
 </sxh>
 Now we can test sftp via command line with
 <sxh bash>
-sftp lukeisjailed@serverIP
+sftp lukes-jail@serverIP
 </sxh>
 This should prompt you for a password and then successfully log in. You should see:
@@ Line 143: / Line 189: @@
 </sxh>
 <sxh bash>
-sftp -p port user@host
+sftp -P <port> user@host
 </sxh>