How To Set Up Chrooted SFTP In Linux
This guide explains how to set up chrooted SFTP in Linux in order to restrict SSH users to their home directory or to any specific directory. In other words, we force the users into a particular directory and set their shell to /sbin/nologin or another shell that denies interactive SSH login. Once chrooted SFTP is configured, the users can only access their assigned directory, not the entire filesystem.
Enabling chrooted SFTP access gives the following benefits:
Allow the users to connect via SFTP only, but not via SSH.
Restrict an SSH user's session to their home directory or a specific directory of your choice.
Restrict SSH access to certain users while still allowing them to transfer files between local and remote systems.
Deny the users access to the rest of the filesystem.
Now, let us go ahead and set up chrooted SFTP to restrict SSH users to their home directory and/or any other directory with a chroot jail in Linux.
This guide was tested on Debian 11 Bullseye, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. However, the steps given below should work on any Linux distribution that ships OpenSSH.
Set Up Chrooted SFTP in Linux
Starting from version 4.9, OpenSSH has a feature known as the internal-sftp subsystem, which, combined with the ChrootDirectory directive, allows SFTP access only and no SSH shell access. Because internal-sftp runs inside the sshd process, the jail does not need a copy of /bin/sh or any other binaries, which is what makes an empty, root-owned directory usable as the chroot. So the users will be able to access only the data in their jail on the server, but they cannot log in via SSH.
Create the chroot directory
First, create the chroot directory using the command:
$ sudo mkdir /sftp
Make this directory fully owned by root using the command:
$ sudo chown root:root /sftp/
sshd refuses to chroot into a directory unless it, and every directory above it, is owned by root and not writable by group or others (mode 755 is what mkdir gives you with the default umask; check with ls -ld /sftp). If this requirement is violated, logins fail with "bad ownership or modes for chroot directory" in the auth log.
Under this directory, create separate directories for each user, like /sftp/user1, /sftp/user2, /sftp/user3 and so on.
For the purpose of this guide, I am going to create a directory called ostechnix under the /sftp directory.
$ sudo mkdir /sftp/ostechnix
This is the directory where the users can store their data. The users cannot go beyond the /sftp chroot, and since /sftp itself is root-owned and read-only to them, /sftp/ostechnix is the only place they can write. It is similar to their $HOME directory.
Create the sftp group and assign users to it
Now, we need to create the users that will be able to access the chrooted SFTP directory.
Create a group called sftponly as shown in the following command:
$ sudo groupadd sftponly
Then, create new SFTP users or assign existing users to the "sftponly" group as shown below.
Let me create a new user, for example senthil, assign him to the "sftponly" group, set his home directory to /sftp/ostechnix and his default shell to /sbin/nologin.
Note that the home directory is given relative to the chroot: /ostechnix here means /sftp/ostechnix once the user is jailed. useradd will warn that /ostechnix does not exist on the host; that is expected. On Debian and Ubuntu the canonical path of nologin is /usr/sbin/nologin; since internal-sftp never executes the shell, the shell only matters for denying interactive login.
We can do this using the following one-line command:
$ sudo useradd -g sftponly -d /ostechnix -s /sbin/nologin senthil
Set a password for the newly-created user using the command:
$ sudo passwd senthil
To modify an existing user, use the "usermod" command instead of "useradd", like below (usermod -d without -m changes only the recorded home directory and does not move any files):
$ sudo usermod -g sftponly -d /ostechnix -s /sbin/nologin senthil
Assign correct permissions to the chrooted directory
You need to assign the correct permissions so that each SFTP user can write to their own directory inside the jail, like below.
$ sudo chown senthil:sftponly /sftp/ostechnix
$ sudo chmod 700 /sftp/ostechnix/
With mode 700, the other SFTP users cannot enter this directory, even though they share the /sftp chroot and can see its name when listing /.
Similarly, assign appropriate permissions for all other SFTP users as well.
Configure Chrooted SFTP
Edit the /etc/ssh/sshd_config file:
$ sudo vi /etc/ssh/sshd_config
Find and comment out the existing sftp subsystem line (i.e. add a hash sign # in front of it). On Debian and Ubuntu it reads:
#Subsystem sftp /usr/lib/openssh/sftp-server
On Red Hat-based distributions the external sftp-server lives under /usr/libexec, so the line to comment out is:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Next, add the following lines at the end of the file. The Match block must come after all global settings, because every directive that follows a Match line applies only to the matching connections:
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /sftp
    ForceCommand internal-sftp
ChrootDirectory /sftp is what jails the users: after login they see /sftp as their filesystem root, which is why their home directory was given as /ostechnix rather than /sftp/ostechnix. ForceCommand internal-sftp is what turns an ordinary ssh login attempt into the "This service allows sftp connections only." refusal shown later. If you want to restrict users to their $HOME directory instead, replace /sftp with /home in the block above and give the users' home directories relative to that chroot. Make sure you have specified the correct path of the sftp directory, and remember that this path and all of its parents must be root-owned and not group- or world-writable. Press ESC and type :wq to save the file and exit.
Before restarting, validate the file with sshd -t (it prints nothing when the configuration is valid); a syntax error in sshd_config will otherwise stop sshd from starting and lock you out of a remote box. Then restart the ssh service to apply the changes (on Debian and Ubuntu the unit is named ssh, and sshd is an alias for it):
$ sudo systemctl restart sshd
Now, try to SSH to this system from any other system on the network using the sftp user (i.e. senthil in our case).
$ ssh senthil@192.168.122.181
You will get the following error message.
senthil@192.168.122.181's password:
This service allows sftp connections only.
Connection to 192.168.122.181 closed.
Here, 192.168.122.181 is the IP address of my remote Debian system where I configured SFTP.
You can only access the remote system using sftp, as shown below.
$ sftp senthil@192.168.122.181
senthil@192.168.122.181's password:
Connected to 192.168.122.181.
See? The user "senthil" is able to connect via sftp, but not via ssh.
To find the current working directory, use the 'pwd' command. The path it reports is relative to the chroot, which confirms that the jail is in effect:
sftp> pwd
Remote working directory: /ostechnix
Basic SFTP commands
We can connect on an alternate port using the -P flag (uppercase; lowercase -p means "preserve timestamps" in sftp):
$ sftp -P <port> senthil@192.168.122.181
To transfer a remote file to the local system, do:
sftp> get /path/remote_file
We can transfer a local file to the remote system using the command:
sftp> put /path/local_file
To transfer a remote folder to the local system recursively:
sftp> get -R /path/remote_folder
To display the list of files on the local machine:
sftp> lls
To display the list of files on the remote machine:
sftp> ls
For more details about sftp usage, refer to the man page.
$ man sftp
In this guide, we have discussed how to configure and set up chrooted SFTP in Linux operating systems such as Debian and Ubuntu.