Setup Chroot SFTP in CentOS

First version 2018-08-25 09:39:36; updated 2019-11-08 14:36:29 for the per-user syslog configuration.

To set up an account that is used only to transfer files (and not to ssh into the system), set up an SFTP chroot jail as explained in this article.

If you want to give outside vendors sftp access to your system to transfer files, you should not use standard sftp. Instead, set up a chroot SFTP jail as explained below.

Chroot SFTP Environment

A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. Chroot SFTP means that the user can sftp to the system and see only the directory you have designated for sftp.

Setup in CentOS

Tested on CentOS 6.5.

Create a New Group

groupadd sftpusers

Create Users

useradd -g sftpusers -s /sbin/nologin sftpuser

passwd sftpuser

Setup sftp-server Subsystem in sshd_config

Subsystem  sftp  internal-sftp
Match Group sftpusers
    ChrootDirectory /sftp/%u
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes

Create sftp Home Directory

mkdir -p /sftp/sftpuser/home
chown sftpuser:sftpusers /sftp/sftpuser/home

Restart sshd and Test Chroot SFTP

service sshd restart

Script for Setup Chroot SFTP in CentOS 6.5

#!/bin/bash
#@Junyangz AT 2018-08-25 09:41:50 for configuring sftp and adding sftp users.

#@Configure part
#########################
# comment out the existing Subsystem line so the internal-sftp one appended below takes effect
sed -i "s/^Subsystem/#Subsystem/g" /etc/ssh/sshd_config
#sed -i "/^#Subsystem/aSubsystem sftp internal-sftp" /etc/ssh/sshd_config
groupadd sftpusers
#add the following to /etc/ssh/sshd_config (Match blocks must come last in the file)
cat >>/etc/ssh/sshd_config <<EOF
Subsystem sftp internal-sftp
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Match Group sftpusers
        ChrootDirectory /data1/sftp/%u
        ForceCommand internal-sftp -f LOCAL0 -l INFO
        X11Forwarding no
        AllowTCPForwarding no
        PasswordAuthentication yes
EOF
service sshd restart
#@Add user part
#########################
# create an sftp user and jail them, using username, password and CHROOT path provided as script args.
if [ -z "$2" ]; then
    echo "Usage: add-sftp-user.sh username password /data1"
    echo "Create sftp user with chroot at /data1/sftp/username and work directory at home."
    exit 1
fi
username=$1 # get from script params
# look up the whole login name (a bare egrep "^$username" would also match e.g. "bob2" for "bob")
if getent passwd "$username" >/dev/null; then
    echo "$username exists!"
    exit 1
else
    password=$2 # get this from script params
    #CHROOT_DIR=$3 # get this from script params
    #useradd -g sftpusers -d $CHROOT_DIR/sftp/$username -s /sbin/nologin $username
    useradd -g sftpusers -M -s /sbin/nologin "$username"
    [ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
    echo "$username:$password" | chpasswd
    # the home directory is resolved inside the chroot, so /upload is /data1/sftp/$username/upload
    usermod -d /upload "$username"
    mkdir -p "/data1/sftp/$username/upload"
    chown -R "$username":sftpusers "/data1/sftp/$username/upload"
    #chmod 755 $CHROOT_DIR/sftp/$username/upload
fi

Log internal-sftp chroot jailed users

  • add to /etc/ssh/sshd_config

# Subsystem sftp internal-sftp -l VERBOSE -f LOCAL0
# only needed inside the Match Group block
ForceCommand internal-sftp -f LOCAL0 -l INFO
  • add to /etc/rsyslog.d/sftp.conf

# add sftp chroot log
# %u represents the sftp username
# local0.* /var/log/sftp.log
# $AddUnixListenSocket /data1/sftp/%u/dev/log

#===above is old config===#

input(type="imuxsock" HostName="sftp_username" Socket="/data1/sftp/sftp_username/dev/log" CreatePath="on")
if $fromhost == 'sftp_username' then /var/log/sftp/sftp_username.log
& stop
  • mkdir for socket file and touch sftp log

#%u represents the sftp username
mkdir /data1/sftp/%u/dev
chown %u:sftpusers /data1/sftp/%u/dev
mkdir /var/log/sftp/
touch /var/log/sftp/sftp_username.log
  • restart sshd and rsyslog

service sshd restart
service rsyslog restart
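The rsyslog and mkdir lines above use %u as a placeholder for the user name and have to be repeated for every jailed user, because a chrooted internal-sftp can only reach a /dev/log socket that lives inside its own chroot. The script below is an added example, not the page's own configuration: it reads the members of the sftpusers group and renders one imuxsock input plus one routing rule per user in the same RainerScript form the page uses (rsyslog v7 or later), and it can prepare the per-user socket directory and log file. The group name, the /var/log/sftp layout and the chroot base directory follow the page; getent is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original page: generate the per-user rsyslog
# stanzas for chroot-jailed sftp users instead of editing "%u" by hand.
# Assumes rsyslog v7+ (RainerScript input() syntax, as on the page) and the
# layout used above: chroot at <base>/<user>, log file /var/log/sftp/<user>.log.

# Extract the comma-separated member list from one /etc/group line,
# one name per line (an empty member field yields no output).
members_from_group_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Members of a group from the NSS database (getent); default group sftpusers.
sftp_group_members() {
    members_from_group_line "$(getent group "${1:-sftpusers}")"
}

# Print the rsyslog.d stanza: $1 = chroot base dir, remaining args = user names.
# Each user gets its own imuxsock input on <chroot>/dev/log; HostName tags the
# messages with the user name so the $fromhost rule can route them to a
# per-user file, and "& stop" keeps them out of the default log.
render_sftp_rsyslog_conf() {
    base=$1
    shift
    for u in "$@"; do
        printf 'input(type="imuxsock" HostName="%s" Socket="%s/%s/dev/log" CreatePath="on")\n' "$u" "$base" "$u"
        printf "if \$fromhost == '%s' then /var/log/sftp/%s.log\n" "$u" "$u"
        printf '& stop\n'
    done
}

# Create the socket directory inside the chroot and the per-user log file
# (needs root; mirrors the mkdir/chown/touch steps above).
prepare_sftp_log_paths() {
    base=$1
    shift
    mkdir -p /var/log/sftp
    for u in "$@"; do
        mkdir -p "$base/$u/dev"
        chown "$u":sftpusers "$base/$u/dev"
        touch "/var/log/sftp/$u.log"
    done
}

# Usage: sh sftp-rsyslog.sh /data1/sftp > /etc/rsyslog.d/sftp.conf
#        then, as root: prepare_sftp_log_paths /data1/sftp <users>; service rsyslog restart
# The unquoted $(...) is intentional: one user name per word.
if [ $# -gt 0 ]; then
    render_sftp_rsyslog_conf "$1" $(sftp_group_members sftpusers)
fi
```

After writing the generated file, restart sshd and rsyslog as in the steps above; each new member of sftpusers needs the script re-run so that its socket and routing rule exist.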
