Set up a chrooted SSH sftp account. (Tested on SUSE 11 and OpenSSH)
We will create a low-privileged sftp directory where, let's say, users can upload their files without exposing our internal filesystem. First, add a user with a home directory. We don't want this user to access ssh via a shell, only sftp, which is why we set the shell to /bin/false. (A chrooted shell is a different chapter, so it is not discussed here.) You can confirm the settings of the newly added bobuser in /etc/passwd.
test:~ # useradd -d /home/bobuser -s /bin/false -m bobuser
test:~ # cat /etc/passwd | grep bobuser
bobuser:x:1505:100::/home/bobuser:/bin/false
Set the password for bobuser; sshd will not allow you to log in if no password is set.
passwd bobuser
Changing password for bobuser.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
Password changed.
Add the following settings to the /etc/ssh/sshd_config file.
#Sftp/chroot Settings for bobuser in /etc/ssh/sshd_config
#Change LogLevel to debug and check errors (if any) in /var/log/messages
Subsystem sftp internal-sftp
#Sftp/chroot Settings for bobuser
Match User bobuser
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home/bobuser
Also add bobuser to the AllowUsers list. Restricting which users can log in via ssh/sftp is good practice.
AllowUsers alexuser bobuser
Now restart the ssh service and try connecting.
r00ter127:~ # service sshd restart
Shutting down SSH daemon done
Starting SSH daemon done
r00ter127:~ # sftp bobuser@localhost
Connecting to localhost...
Password:
Read from remote host localhost: Connection reset by peer
Couldn't read packet: Connection reset by peer
Ouch.. We need to read the errors in /var/log/messages; we had already set the log level to debug. The ssh daemon expects a few requirements to be met:
Jan 25 11:30:27 r00ter127 sshd[10220]: debug1: PAM: establishing credentials
Jan 25 11:30:27 r00ter127 sshd[10220]: fatal: bad ownership or modes for chroot directory "/home/bobuser"
Set the ownership of the home directory and its parent directories to root. That's a requirement.
test:~ # ls -ld /home/bobuser/
drwxr-xr-x 5 bobuser users 4096 Jun 13 12:21 /home/bobuser/
test:~ # chown root:root /home/bobuser
test:~ # ls -ld /home/bobuser/
drwxr-xr-x 5 root root 4096 Jun 13 12:21 /home/bobuser/
We are set with the permissions now; try connecting again.
r00ter127:~ # sftp bobuser@localhost
Connecting to localhost...
Password:
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer
If you get the above error, it means there is some problem invoking the sftp server, and the ssh logs are not very helpful in this regard. Make sure you are using internal-sftp in both the Subsystem line and the ForceCommand:
Subsystem sftp internal-sftp
...
ForceCommand internal-sftp
And then.. you are done.
r00ter127:~ # sftp bobuser@localhost
Connecting to localhost...
Password:
sftp> pwd
Remote working directory: /
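A pre-flight check for the ownership requirement above, added here as an example and not part of the original post: it reproduces the test sshd applies to every path component of ChrootDirectory (a directory, owned by root, not group- or world-writable) and runs it against constructed stat results for /home/bobuser before and after the chown, so it needs no root privileges. Since the chroot itself must stay root-owned and unwritable by bobuser, uploads need a subdirectory inside it owned by bobuser (for example /home/bobuser/upload, a name assumed here); the stat_fn parameter and fake_stat() helper are likewise assumptions made for offline testing.

```python
"""Pre-flight check for an OpenSSH ChrootDirectory (added example, not from the post).
sshd aborts with 'fatal: bad ownership or modes for chroot directory' unless every
component from / down to the chroot is a directory owned by root and not writable by
group or others (mode & 022 == 0). stat_fn and fake_stat() are assumptions added so
the same test can run against constructed stat results without root privileges."""
import os
import posixpath
import stat
from pathlib import PurePosixPath

ROOT_UID = 0
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH  # the 022 bits sshd rejects

def chroot_components(chroot):
    """'/home/bobuser' -> ['/', '/home', '/home/bobuser'], the order sshd checks."""
    p = PurePosixPath(posixpath.normpath(chroot))
    if not p.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    return [str(a) for a in reversed(p.parents)] + [str(p)]

def check_chroot(chroot, stat_fn=os.stat):
    """Return the problems sshd would fatal on; an empty list means the chroot is OK."""
    problems = []
    for component in chroot_components(chroot):
        st = stat_fn(component)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{component}: not a directory")
            continue
        if st.st_uid != ROOT_UID:
            problems.append(f"{component}: owned by uid {st.st_uid}, must be root (uid 0)")
        if st.st_mode & GROUP_OR_OTHER_WRITE:
            problems.append(f"{component}: mode {stat.S_IMODE(st.st_mode):04o} is group- or world-writable")
    return problems

def fake_stat(table):
    """Stat function over constructed {path: (uid, mode)} data, for offline runs."""
    def _stat(path):
        uid, mode = table[path]
        return os.stat_result((stat.S_IFDIR | mode, 0, 0, 1, uid, 0, 4096, 0, 0, 0))
    return _stat

if __name__ == "__main__":
    # Constructed data mirroring the post: uid 1505 is bobuser, before and after chown root:root.
    before = {"/": (0, 0o755), "/home": (0, 0o755), "/home/bobuser": (1505, 0o755)}
    after = {**before, "/home/bobuser": (0, 0o755)}
    print("before chown:", check_chroot("/home/bobuser", fake_stat(before)))
    print("after chown: ", check_chroot("/home/bobuser", fake_stat(after)))
    if os.path.isdir("/home/bobuser"):  # also check the real directory when present
        print("live check:  ", check_chroot("/home/bobuser"))
```

Run it as root against the real path (check_chroot("/home/bobuser") with the default os.stat) before restarting sshd; an empty list means the chroot will be accepted.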