Sunday, 5 June 2011

HOW-TO: Chrooted SFTP only access

Updated: 5th December 2012

My place of work wanted me to set up a FTP server. This was so that clients could download and upload sensitive files. Only that specific client and our staff should have access to that client's files. NO other client should see anothers files.

I wanted to avoid FTP because of its weaknesses and searched for a way to achieve a SFTP (Secure File Transfer Protocol) server easily.

The user (username) set up for the client's SFTP should NOT have access to the system in any other way, including SSH.

I did this on a dedicated Virtual Machine running Ubuntu Server AMD64 10.04.2 (2.6.32-32-server) running OpenSSH 5.8 and no other server services. Chrooting should work successfuly on all OpenSSH since release 4.8.

chroot is an operation to lock down the apparent root (highest) directory that the user can get to.

The following notes sets up a way to chroot a group of users using open-SSH, restricting them to SFTP only.

Whilst others have made good How-tos on the subject, they were not concise enough and I pulled my hair out, meeting errors like, 'fatal: bad ownership or modes for chroot directory' and 'Couldn't get handle: Permission denied'.

This will be done by setting up a group. Any system user who is not in this group and normally allowed SSH access will continue to have SSH access.

If OpenSSH server is not yet installed
sudo apt-get install openssh-server

EDIT /etc/ssh/sshd_config
change: PermitRootLogin yes
to: PermitRootLogin no

change: LoginGraceTime 120
to: LoginGraceTime 20

add to # Authentication section:
MaxAuthTries 3
MaxSessions 3

append to end of file:
Match group sftponly
# chroot members into this directory
# %u gets sustituted with the username
ChrootDirectory /home/sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Banner /etc/

Change SFTP listening port
You may wish to change the listening port for SFTP connections to help thrawt attackers.

In /etc/ssh/sshd_config uncomment the Port line and choose a suitable alternative port. Example:
Port 6022
Do not forget to open this port on your Firewall.

At this point restart sshd. If however, when you create your first user you meet with problems, restart the server before swearing!
sudo /etc/init.d/sshd restart

Create sftponly group
sudo groupadd sftponly

Below is a script to create a user that is added to the sftponly group. Replace <user> with the desired username.
sudo mkdir -p /home/sftp/<user>
sudo mkdir -p /home/sftp/<user>/upload
sudo chown root.root /home/sftp/<user>
sudo chown <user>.sftponly /home/sftp/<user>/upload
sudo chmod -R 755 /home/sftp/<user>
sudo useradd <user> -g sftponly -d /home/sftp/<user>/
sudo passwd <user>

That's it!

In /etc/ssh/sshd_config we ensured that no one can remotely log in as root. Those with SSH access can still use sudo. We then shortened the time allowed for a successful login and three attempts before disconnect. I also limited concurrent connections to three.

Then I appended to the bottom of the file a Match group for sftponly group. This means that any user login, who is in the group sftponly, has additional rules.

ChrootDirectory restricts the user to a specific directory. The user cannot gain access to a GUI (if exists), port forwarding or bash, only to the internal sftp server application. See for more sshd_config commands.

Next, I created a group called sftponly so that any users added to it would pick up the Match group section added to sshd_config file.

That completed the configuration of sshd for sftp only access and finally you create your users, add them to the group sftponly, create directories with the correct permissions.

Directory permissions
The important thing is that chroot insists that ChrootDirectory and its parent directories MUST have root:root 0700 (rwx) user permissions AND NONE for group or other! If you don't do this then you will meet with the error messages I mentioned above.

However, Chroot does not allowed a user to write into their root directory. This is apparently to keep security tight. If you try and succeed to make the user's root directory writeable, you may have opened your system up due to any current security bugs.

It is better to create a sub-directory say, 'upload' and then give the user writeable permissions there. This is what the Chroot team advise.

I have spent a couple of hours trying different SSH and SFTP clients to see if all works as I have described and is secure. It works!

SFTP clients?
I have sucessfully tested SFTP access with the SFTP client, FileZilla (Linux and Win) and WinSCP (Win).

Ensure that the SSH ports are opened on your/your providers firewall(s). The standard TCP port is 22.

DenyHosts is a script to help thwart SSH/SFTP server attacks.

Email notification
If you want to receive an email notification of when a file is uploaded,

Common sense says that, if you are going to open a SSH/SFTP port to the World (Internet) then, use the strongest login authentication available.  This means, turn off Password Authentication and use SSH keys instead of passwords and this is the way I set up servers.  But, what if you have to give password SFTP access to a user (Client maybe)?  Well, you can add an exception to your sshd_config file.

Match Address,
# chroot members into this directory
# %u gets sustituted with the username
ChrootDirectory /home/sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Banner /etc/
PasswordAuthentication yes

The above example, added to the bottom of your sshd_config file will allow the two example IP addresses SFTP access using passwords. For users such as these I choose a random 24 character strong string, a mixture of characters, numbers and symbols.

I find useful.

By default, SSH/SFTP logging goes to /var/log/auth.log and the following command is useful to check everything is working OK when you set up a new user.

tail -f -n 300 /var/log/auth.log

Categories: How-To, Linux, OS, Open-SSH, SFTP server, Chrooted SFTP only access
Tags: kde, ubuntu server, Linux, open-ssh, chroot, sftp

No comments: