The Geek Diary

CentOS / RHEL : How to Set up SFTP to Chroot Jail only for Specific Group

By admin

To apply ChrootDirectory on a per-user or per-group basis, use a conditional block in sshd_config introduced by the "Match" keyword. Setting ChrootDirectory for a specific group confines the members of that group to the chroot (they cannot climb above it), while users outside the group are not affected at all.

1. Create a group for users who will be chrooted.

# groupadd sftp_group

2. Create a user for the SFTP group and set its password.

# useradd sftp_test1
# passwd sftp_test1
Changing password for user sftp_test1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

3. Add the sftp_test1 user to the sftp_group group (Match Group matches primary and supplementary groups alike) and set its login shell to /bin/false, because the user should only be allowed to use SFTP, not an interactive SSH shell or scp.

# usermod -aG sftp_group -s /bin/false sftp_test1
# id sftp_test1
uid=1000(sftp_test1) gid=1001(sftp_test1) groups=1001(sftp_test1),1000(sftp_group)
NOTE: Users not in this group can still log in to the host via ssh and otherwise interact with openssh normally.

4. Edit the sshd configuration to set up the SFTP subsystem. Remove the /usr/libexec/openssh/sftp-server line and add the internal-sftp line as shown below (internal-sftp runs inside sshd itself, so it works inside a chroot that contains no binaries or libraries).
Remove or comment out the line:

# vi /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server

and add the following line:

# vi /etc/ssh/sshd_config
Subsystem sftp internal-sftp

5. Append the following block to the end of /etc/ssh/sshd_config to create the SFTP chroot environment. The directory named in ChrootDirectory (and every path component above it) must be owned by root and must not be writable by group or others; otherwise sshd refuses the login and logs "bad ownership or modes for chroot directory":

# vi /etc/ssh/sshd_config
Match Group sftp_group
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp

6. Restart the sshd service for the SFTP configuration to take effect.

# systemctl restart sshd

Verify

1. Now try to access the system with the SSH and SFTP services from another client:
a. SSH

# ssh sftp_test1@x.x.x.x
The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established.
ECDSA key fingerprint is 07:1c:34:30:f4:81:e1:e0:b3:13:30:b8:57:d9:d9:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
sftp_test1@x.x.x.x's password:
Could not chdir to home directory /home/sftp_test1: No such file or directory
This service allows sftp connections only.
Connection to x.x.x.x closed.

As you can see above, the connection is closed and an interactive SSH login is not allowed. The "Could not chdir to home directory" message appears because the session is already chrooted into /home when sshd tries to enter /home/sftp_test1; inside the jail that path would be /home/home/sftp_test1, which does not exist.

b. SFTP

# sftp sftp_test1@x.x.x.x
sftp_test1@x.x.x.x's password:
Connected to x.x.x.x.
sftp> pwd
Remote working directory: /
sftp> ls
sftp_test1
sftp> cd /home
Couldn't canonicalize: No such file or directory
sftp>

As shown above, the sftp_test1 user can log in via SFTP but cannot leave the chroot: the / it sees is the host's /home directory, which is why `cd /home` fails with "Couldn't canonicalize".

2. You can also test the SFTP server from a Windows client using "WinSCP" or "FileZilla".

Filed Under: Linux


© 2021 · The Geek Diary