First version at 2018-08-25 09:39:36. Updated at 2019-11-08 14:36:29 for the per-user syslog configuration.
To set up an account that will be used only to transfer files (and not to ssh into the system), you should set up an SFTP chroot jail as explained in this article.
If you want to give outside vendors sftp access to your system to transfer files, you should not use standard sftp. Instead, you should set up a chroot SFTP jail as explained below.
Chroot SFTP Environment
A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. Chroot SFTP means that the user can sftp to the system and see only the directory that you have designated for sftp.
Setup on CentOS
Tested on CentOS 6.5.
Create a New Group
groupadd sftpusers
Create Users
useradd -g sftpusers -s /sbin/nologin sftpuser
passwd sftpuser
Set up the sftp-server subsystem in sshd_config
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /sftp/%u
X11Forwarding no
AllowTCPForwarding no
PasswordAuthentication yes
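#!/bin/bash
#@Junyangz AT 2018-08-25 09:41:50 for configure sftp and add sftp users.
#
# Usage: add-sftp-user.sh username password [chroot_base]
#   username     account to create; added to group sftpusers with no login shell
#   password     initial password; pass '-' to read it from stdin instead of
#                putting it on the command line (argv is visible in `ps` output
#                and lands in shell history)
#   chroot_base  base directory for the jails (default /data1); the jail is
#                <chroot_base>/sftp/<username> and the user's home is upload/
#                inside it
#
# The configure part is idempotent: the sshd_config block is appended only
# when no "Match Group sftpusers" block is present yet, so the script can be
# re-run for every new user without stacking duplicate blocks and restarting
# sshd each time. The ChrootDirectory written on the first run is the only one
# sshd knows about, so later runs must use the same chroot_base (or edit
# sshd_config by hand).
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SFTP_GROUP=sftpusers

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#@Configure part
#########################
#######################################
# Create the sftp group and add the internal-sftp chroot block to sshd_config.
# Globals:   SSHD_CONFIG (read/written), SFTP_GROUP (read)
# Arguments: $1 - chroot base directory (absolute)
# Returns:   0 when already configured or configured successfully; exits on
#            a config that sshd rejects
#######################################
configure_sshd() {
  local chroot_base=$1

  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"

  # Already configured on an earlier run: nothing to append, nothing to restart.
  if grep -q "^Match Group ${SFTP_GROUP}\$" "$SSHD_CONFIG"; then
    return 0
  fi

  # Disable the stock sftp-server subsystem; ChrootDirectory needs internal-sftp.
  sed -i "s/^Subsystem/#Subsystem/g" "$SSHD_CONFIG"

  # NOTE(review): diffie-hellman-group1-sha1 (1024-bit group) and the other
  # *-sha1 exchanges in the KexAlgorithms line are weak; they are presumably
  # kept for old clients — drop them once no such clients remain.
  cat >>"$SSHD_CONFIG" <<EOF
Subsystem sftp internal-sftp
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Match Group ${SFTP_GROUP}
ChrootDirectory ${chroot_base}/sftp/%u
ForceCommand internal-sftp -f LOCAL0 -l INFO
X11Forwarding no
AllowTCPForwarding no
PasswordAuthentication yes
EOF

  # Validate before restarting: a rejected config would otherwise leave the
  # host without a working sshd after the restart.
  /usr/sbin/sshd -t || die "${SSHD_CONFIG} failed validation; sshd not restarted"
  service sshd restart
}

#@Add user part
#########################
#######################################
# Create an sftp user and jail them under <chroot_base>/sftp/<username>.
# Globals:   SFTP_GROUP (read)
# Arguments: $1 - username, $2 - password, $3 - chroot base directory
# Returns:   exits 1 if the name is invalid, the user exists, or useradd fails
#######################################
add_sftp_user() {
  local username=$1 password=$2 chroot_base=$3
  local jail="${chroot_base}/sftp/${username}"

  # The name becomes part of a root-owned path and a useradd argument, so
  # restrict it to the conventional account-name character set.
  [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"

  # getent matches the whole account name; the old egrep "^$username" also
  # reported a match for any user whose name merely started with it.
  if getent passwd "$username" >/dev/null; then
    die "$username exists!"
  fi

  useradd -g "$SFTP_GROUP" -M -s /sbin/nologin "$username" || die "Failed to add a user!"
  echo "User has been added to system!"
  printf '%s:%s\n' "$username" "$password" | chpasswd

  # The home directory is resolved inside the chroot, so the session starts
  # in <jail>/upload.
  usermod -d /upload "$username"
  mkdir -p "${jail}/upload"
  # sshd rejects a ChrootDirectory that is not root-owned or is group/world
  # writable; make that explicit rather than relying on the umask. Only the
  # upload/ subdirectory belongs to the user.
  chown root:root "$jail"
  chmod 755 "$jail"
  chown -R "${username}:${SFTP_GROUP}" "${jail}/upload"
}

main() {
  if [[ -z "${2:-}" ]]; then
    echo "Usage: add-sftp-user.sh username password [/data1]"
    echo "Create sftp user with chroot at /data1/sftp/username and work directory at home."
    echo "Pass '-' as the password to read it from stdin."
    exit 1
  fi
  local username=$1 password=$2 chroot_base=${3:-/data1}

  [[ "$chroot_base" == /* ]] || die "chroot base must be an absolute path: $chroot_base"
  if [[ "$password" == "-" ]]; then
    IFS= read -r password || die "no password on stdin"
  fi
  [[ -n "$password" ]] || die "empty password"

  configure_sshd "$chroot_base"
  add_sftp_user "$username" "$password" "$chroot_base"
}

main "$@"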
Logging internal-sftp for chroot-jailed users
Add to /etc/ssh/sshd_config:
# Subsystem sftp internal-sftp -l VERBOSE -f LOCAL0
# only needed inside the Match Group block
ForceCommand internal-sftp -f LOCAL0 -l INFO
Add to /etc/rsyslog.d/sftp.conf (replace sftp_username with the jailed account's name, since the jailed process can only reach a socket inside its own chroot):
# add sftp chroot log
# %u represents the sftp username
# local0.* /var/log/sftp.log
# $AddUnixListenSocket /data1/sftp/%u/dev/log
#===above is old config===#
input(type="imuxsock" HostName="sftp_username" Socket="/data1/sftp/sftp_username/dev/log" CreatePath="on")
if $fromhost == 'sftp_username' then /var/log/sftp/sftp_username.log
& stop