Due to security threats, Linux developers have adopted a more secure means of files transfer to a server and between different servers known as the file transfer protocol/ssh file transfer protocol (SFTP).
Setting up an SFTP server by implementing chroot feature makes some directories and files inaccessible beyond the home directory just like a Jail environment.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers to solve SFTP related tasks.
In this context, we shall look into how to set up SFTP server using chroot feature.
Group creation for SFTP using groupadd command
To begin, you have to create a group for SFTP. Start by assigning a name such as "sftp_users_1" with the command below;
Users addition to Group "sftp_users_1" as well as assigning permissions
Create a new user and add it to the group already created "sftp_users_1". Use the command below;
useradd -m -G sftp_users_1 <your_user_name>
Here you will replace "your_user_name" with your actual username you want to use. To set the password for this user, run the chpasswd command below;
echo "your_user_name:<enter_password>" | chpasswd
You can add existing users to the "sftp_users_1" group, run the usermod command below considering the existing username is "user_2";
usermod -G sftp_users_1 user_2
To set the permissions for the users, run the command beneath;
chown root /home/your_user_name /home/user_2/
To create an upload folder in both user's home directory in addition to setting the correct permission or ownership, run the following commands as per your case;
chown your_user_name /home/your_user_name/upload
chown user_2 /home/user_2/upload
Modifying SFTP configuration file
The location of SFTP configuration is at "/etc/ssh/sshd_config". As a general rule, make a backup of this file before making changes. To backup the file , use the cp command. Next, apply the following attributes as stated below;
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp_users_1
Then save this file and exit.
Note that in the file, the first line "Subsystem" was commented out while implementing a new entry "Subsystem sftp internal-sftp".
Additionally, the other lines and their implication are outlined below;
"Match Group sftp_users_1" signifies that the rules below applies to users belonging to the "sftp_users_1" group.
"ChrootDirectory %h" signifies that users can only change directories within their home directories as they cannot access other users or system's directories.
"ForceCommand internal-sftp" signifies that users can utilize sftp commands only.
Ensure that you restart ssh service with the systemctl command given below to effect changes;
systemctl restart sshd
Testing and verification of the sftp configuration after a chroot jail process
You can make a connection to the Linux server via sftp or putty to test the chroot implementation on the same network of the sftp server. To achieve this, use the users which has been mapped to the group "sftp_users_1" created previously.
You will get a message such as "Write failed: Broken pipe" meaning that users are not permitted to use SSH.
To connect with the server successfully, you can use the following sftp command;
Command such as "put" can be used to upload files to the server. You can also use "get" command to download a file.
You will get a message such as ; "Couldn’t stat remote file: No such file or directory" when you try accessing directories outside the user's home directory or in a different group.