SFTP

From DikapediaV2
Jump to: navigation, search


SFTP - Secure File Transfer Protocol



To open an SFTP connection to a remote system, use the sftp command followed by the remote server username and the IP address or domain name:

sftp remote_username@server_ip_or_hostname


Once connected, you will be presented with the sftp prompt, and you can start interacting with the remote machine:

# To 'get' Download file usin SFTP from remote server to your local machine.
sftp> get [file]

# To 'put Upload file using SFTP from local machine to remote server.
sftp> put [file]

# Other useful commands:
sftp> help
sftp> pwd
sftp> ls
sftp> cd /tmp
sftp> cd lpwd                 # To print local working directory
sftp> mkdir directory_name    # Create a new directory on remote server
sftp> rename [file]           # Rename a file on remote server


Detailed steps of restricted SFTP-only access to a single directory



There are many similar cases that customers (usually Wordpress users ) want to restrict some of their users only have the access to a single directory. I would like to put them together in case some of our customers ask for the detail steps rather than refer to the third-party website:

1. Create a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

$ sudo su


  1. groupadd sftpusers

2. Create Users (or Modify Existing User)

Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).

  1. useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser


  1. passwd guestuser (eg: 12345678 )


Verify that the user got created properly.

  1. grep guestuser /etc/passwd


guestuser:x:500:500::/incoming:/sbin/nologin


If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:

  1. usermod -g sftpusers -d /incoming -s /sbin/nologin <current user name>


3. Setup sftp-server Subsystem in sshd_config


You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server). Modify the the /etc/ssh/sshd_config file and comment out the following line:

  1. Subsystem sftp /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file

  1. Subsystem sftp /usr/libexec/openssh/sftp-server


Subsystem sftp internal-sftp


4. Specify Chroot Directory for a Group


You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config


Match Group sftpusers

   ChrootDirectory /sftp/%u
   ForceCommand internal-sftp
   PasswordAuthentication yes


So this configuration will allow this current user “guestuser” sftp to the instance with password instead of using the same ssh key pair.


5. Create sftp Home Directory

Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).

  1. mkdir /sftp

Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.


  1. mkdir /sftp/guestuser


So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.


So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.


  1. mkdir /sftp/guestuser/incoming


6. Setup Appropriate Permission


For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.


Set the owenership to the user, and group to the sftpusers group as shown below.


  1. chown guestuser:sftpusers /sftp/guestuser/incoming


The permission will look like the following for the incoming directory.

  1. ls -ld /sftp/guestuser/incoming

drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming


The permission will look like the following for the /sftp/guestuser directory


  1. ls -ld /sftp/guestuser

drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser

  1. ls -ld /sftp

drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp






For WordPress user:


Mount-> the source directory /sftp/guestuser/ to the target directory /www/var/html/mysite


  1. chown guestuser:sftpusers /www/var/html/mysite


Check the mount:

  1. mount -l
  1. mount -R /var/www/html/mysite /sftp/guestuser/incoming/


7. Restart sshd and Test Chroot SFTP


Restart sshd:

  1. service sshd restart


Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory that mounted on /var/www/html/mysite.


Connect the instance:

$ sftp guestuser@<IP address>

guestuser@<IP address>'s password: ********


Refer:

http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/




[+]Click here for more info/examples