sftp_centos
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| sftp_centos [2016/10/19 14:03] – luke7858 | sftp_centos [2024/05/23 07:26] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| == Quick Overview == | == Quick Overview == | ||
| - | This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website. For example: sftpluke needs to upload files to / | + | This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website. |
| + | \\ | ||
| + | For example: sftpluke needs to upload files to / | ||
| \\ | \\ | ||
| \\ | \\ | ||
| Line 28: | Line 30: | ||
| / | / | ||
| </ | </ | ||
| + | \\ | ||
| + | You are able to have many website and mount points in a single jailed users home directory (eg / | ||
| == Option 2 == | == Option 2 == | ||
| If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g | If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g | ||
| Line 33: | Line 37: | ||
| mkdir -p / | mkdir -p / | ||
| </ | </ | ||
| - | \\ | + | An example of multiple sftp users would be: |
| - | You are able to have many website and mount points in a single jailed | + | <sxh bash> |
| + | /home/chroot/luke | ||
| + | /home/chroot/joe | ||
| + | /home/chroot/michal | ||
| + | </sxh> | ||
| + | All of these users home directory (luke, joe, michal) would be writable | ||
| \\ | \\ | ||
| \\ | \\ | ||
| Line 50: | Line 59: | ||
| useradd -d / | useradd -d / | ||
| </ | </ | ||
| - | \\ | ||
| Now change the password with | Now change the password with | ||
| <sxh bash> | <sxh bash> | ||
| Line 97: | Line 105: | ||
| \\ | \\ | ||
| You should perform the following: | You should perform the following: | ||
| + | == Option 1 == | ||
| <sxh bash> | <sxh bash> | ||
| - | chmod 711 /home/user/ | + | chmod 711 /home/ |
| chmod 755 / | chmod 755 / | ||
| Line 108: | Line 117: | ||
| chown lukes-jail: | chown lukes-jail: | ||
| </ | </ | ||
| - | + | == Option 2 == | |
| + | < | ||
| + | chmod 755 / | ||
| + | |||
| + | chown root:root / | ||
| + | </ | ||
| \\ | \\ | ||
| === Mounting === | === Mounting === | ||
| We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab: | We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab: | ||
| + | == Option 1 == | ||
| + | <sxh bash> | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | == Option 2 == | ||
| + | \\ | ||
| <sxh bash> | <sxh bash> | ||
| / | / | ||
| Line 118: | Line 139: | ||
| Now we can mount a specific directory to the users chrooted home directory. | Now we can mount a specific directory to the users chrooted home directory. | ||
| \\ | \\ | ||
| - | Best practice is to use the mount -a command to mount the directory using the entry we have just made. | + | Best practice is to use the "mount" |
| \\ | \\ | ||
| This is to make sure there are no errors in the entry into /etc/fstab. If there are errors, we can resolve them before the server is rebooted however if we dont fix them before server reboot it can cause **SEVERE** issue and prevent the server from booting!! | This is to make sure there are no errors in the entry into /etc/fstab. If there are errors, we can resolve them before the server is rebooted however if we dont fix them before server reboot it can cause **SEVERE** issue and prevent the server from booting!! | ||
| Line 137: | Line 158: | ||
| Try logging in with the user via ssh, this should fail as we have disabled ssh login. | Try logging in with the user via ssh, this should fail as we have disabled ssh login. | ||
| <sxh bash> | <sxh bash> | ||
| - | ssh lukeisjailed@serverIP | + | ssh lukes-jail@serverIP |
| </ | </ | ||
| Now we can test sftp via command line with | Now we can test sftp via command line with | ||
| <sxh bash> | <sxh bash> | ||
| - | sftp lukeisjailed@serverIP | + | sftp lukes-jail@serverIP |
| </ | </ | ||
| This should prompt you for a password and then successfully log in. You should see: | This should prompt you for a password and then successfully log in. You should see: | ||
| Line 168: | Line 189: | ||
| </ | </ | ||
| <sxh bash> | <sxh bash> | ||
| - | sftp -p port user@host | + | sftp -P <port> user@host |
| </ | </ | ||
sftp_centos.1476885789.txt.gz · Last modified: 2024/05/23 07:26 (external edit)