Scenario: Callimachus works at Miskatonic University. Callimachus is working on a project that requires the placement of data files onto a remote server owned by Permissible Data Corp. (PDC). PDC will be processing the files with an automated script and returning them to Callimachus.
You'll need some users that will only be able to perform chrooted SFTP. You'll probably want to place them into a group for simplfied administration.
#create SFTP only group
groupadd sftponlySince we'll be using this SFTP user group to allow some of our libraries to upload files for automated processing, we'll call the SFTP directory /incoming, to identify the functional role of the directory in the automated processing chain.
# create user miskatonic, assign to STFP group, and disable SSH access
useradd -g sftponly -d /incoming -s /sbin/nologin miskatonic Set up the password for user miskatonic
passwd miskatonicConfirm that you've set up this user properly
grep miskatonic /etc/passwd
# miskatonic:x:500:500::/incoming:/sbin/nologinSetting up the chroot jail environment will require the directory path be created to act as the SFTP user's home directory, a number of modifications to the SSH configuration, and some permissions adjustments.
Let's start with some SSH configuration changes. You'll also need to enable the internal-sftp server. To do so, you'll need to modify the configuration for SSH.
nano /etc/ssh/sshd_configComment out the default SFTP server and add the internal SFTP to the SSH daemon config file.
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftpYou'll want to place any users that are assigned to group sftponly into the chrooted jail. You might also want to enable passwordless SFTP access with SSH keys. To make this happen, add a matchpoint to the SSH configuration file and then define the directives for the group.
Match Group sftponly
ChrootDirectory /sftp/%u #%u indicates the user
AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys # SFTP-only user's public key
ForceCommand internal-sftpYou'll also want to ensure that key-based logins are enabled in the SSH configuration. Find the following lines in /etc/ssh/sshd_config and make sure they are present and uncomments.
Pubkey Authentication yes
RSAAuthentication yesCreate the substitute /home directory for your SFTP-only users.
mkdir /sftpEstablish the SFTP-only user directory in the new path. This will become the root / for the SFTP-only users.
mkdir /sftp/miskatonicSince we want our SFTP-only users to see the /incoming directoy when they cd, we'll need to create it. This will be the location that they place any uploaded files to be processed by the automated script.
mkdir /sftp/miskatonic/incomingSet up the proper permission on the newly created directory for the SFTP-only user
chown miskatonic:sftponly /sftp/miskatonic/incoming
# root should continue to own /sftp/miskatonic and /sftpSet up the /.ssh to hold the public keys that will be granted access to an SFTP-only user's pseudo-home directory.
cd /sftp/miskatonic/
mkdir .ssh
cd /sftp/miskatonic/.ssh
nano authorized_keys # add the public keys to file and saveSet proper permissions for key-based SSH logins
chown -R miskatonic:miskatonic /sftp/miskatonic/.ssh
chmod 700 /sftp/miskatonic/.ssh
chmod 600 /sftp/miskatonic/.ssh/authorized_keysRestart SSH to pull in the changes
service sshd restartThese are steps that need to be taken on the client. You'll need to generate a key-pair for the key-based SSH authentication. Most likely, you'll want to place the sftp-only key into your user's /.ssh/ directory.
cd /home/callimachus/.ssh
ssh-keygen -t rsa -b 4096 # Increase bits to 4096 (brute force hardening)
# You can change the name of the keypair to identify its role or function.
# Keep an eye for 'Your public key has been saved in /home/callimachus/.ssh/FILENAME.pub'You'll need to copy FILENAME.pub to the remote server's /sftp/miskatonic/.ssh/authorized_keys file.
Test the connection to the SFTP-only directory from your client.
# if using key-based SSH login
sftp -i /path/to/private-key.pem miskatonic@IPADDRESS # If not using key-based SSH login:
sftp miskatonic@IPADDRESS
# miskatonic@IPADDRESS password:
sftp> pwd
# Remote working directory: /incoming