Restricting Users To SFTP Plus Setting Up Chrooted SSH/SFTP (Debian Squeeze)

Version 1.0
Author: Falko Timme
Follow me on Twitter

This tutorial describes how to give users chrooted SSH and/or chrooted SFTP access on Debian Squeeze. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of. I will also show how to restrict users to SFTP so that they cannot use SSH (this part is independent from the chroot part of this tutorial).

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I will use the user falko here with the home directory /home/falko. The user falko belongs to the group users. I want to chroot the user to the /home directory.

 

2 Installing OpenSSH

If OpenSSH is not already installed, install it as follows:

apt-get install ssh openssh-server

 

3 Enabling Chrooted SFTP

Enabling SFTP is very easy. Open /etc/ssh/sshd_config...

vi /etc/ssh/sshd_config

... and make sure you have the following line in it:

[...]
Subsystem sftp internal-sftp
[...]

Then add the following stanza at the end of the file (add such a stanza for each user that you want to chroot):

[...]
Match User falko
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Instead of adding a stanza for each user, you can also chroot groups, e.g. as follows:

[...]
Match Group users
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

This would chroot all members of the users group to the /home directory. Please note that all components of the pathname in the ChrootDirectory directive must be root-owned directories that are not writable by any other user or group (see

man 5 sshd_config

). That's why we cannot specify /home/falko, for example, because it is not owned by the user and group root.

Restart OpenSSH:

/etc/init.d/ssh restart

If you chroot multiple users to the same directory, but don't want the users to browse the home directories of the other users, you can change the permissions of each home directory as follows:

chmod 700 /home/falko

Afterwards, you can log in with an SFTP client, such as FileZilla or WinSCP.

Please note that at this point where you have not set up chrooted SSH yet (see the next chapter), the users/groups that you have specified in /etc/ssh/sshd_config will only have SFTP access. SSH will not work for these users because an SSH chroot environment needs some additional files to work (and because we use ForceCommand internal-sftp).

 

4 Enabling Chrooted SSH

Enabling chrooted SSH is a bit more complicated because we must set up a chroot environment with all programs/tools (e.g. /bin/bash, /bin/cp, etc.) that the users should be able to use. This means we must also copy all libraries that these programs need to the chroot jail. You can do this manually with the cp command, and you can find out what libraries a tool needs by using the ldd command, e.g.

ldd /bin/bash

We also have to create some devices such as /dev/null, /dev/zero, /dev/tty, and /dev/urandom inside the chroot jail with the mknod command.

However, this can be a tedious task. Fortunately, there's a script that can do this for us.

First, we need to install some prerequisites:

apt-get install sudo debianutils coreutils

Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root user:

cd /usr/local/sbin
 wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
 chmod 700 /usr/local/sbin/make_chroot_jail.sh

Before we use the script, you might want to add some programs (e.g. such as /usr/bin/vi) to the APPS line of your distribution in that script so that these tools get added to the chroot jail automatically:

vi /usr/local/sbin/make_chroot_jail.sh
[...]
elif [ "$DISTRO" = DEBIAN ]; then
  APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd /usr/bin/vi"
else
[...]

Next we add a symlink /home/home that points back to /home:

cd /home
 ln -s . home

Now we can already use the script. Usage is as follows:

make_chroot_jail.sh username [/path/to/chroot-shell [/path/to/chroot]]

chroot-shell is a special shell created by the script to chroot users. Since OpenSSH now supports chrooting by default, we don't need the script to create a special shell; instead, we can use /bin/bash or /bin/sh.

It doesn't matter if the user is already existing or not. If he's existing, he will be updated; if not, he will be created.

make_chroot_jail.sh falko /bin/bash /home

This will create/update the user falko with the chroot jail /home.

To update all files/libraries in the chroot jail, run

make_chroot_jail.sh update /bin/bash /home

Now we need to configure OpenSSH which is similar to the SFTP configuration. Open /etc/ssh/sshd_config...

vi /etc/ssh/sshd_config

... and add the following stanza at the end of the file (add such a stanza for each user that you want to chroot):

[...]
Match User falko
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no

Instead of adding a stanza for each user, you can also chroot groups, e.g. as follows:

[...]
Match Group users
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no

This would chroot all members of the users group to the /home directory.

The difference to the SFTP configuration is that this time, we must not use the line ForceCommand internal-sftp in the Match stanzas! This makes that users can still use chrooted SFTP (provided you also have the line Subsystem sftp internal-sftp in /etc/ssh/sshd_config), but also chrooted SSH.

Restart OpenSSH:

/etc/init.d/ssh restart

If you chroot multiple users to the same directory, but don't want the users to browse the home directories of the other users, you can change the permissions of each home directory as follows:

chmod 700 /home/falko

Afterwards, you can log in with with an SSH client such as PuTTY.

 

5 Restricting Users To Using SFTP Only

This chapter is independent of chrooting, so it has nothing to do with the chapters 3 and 4 - this means you don't have to set up chrooting as described in chapters 3 and 4 to restrict users to SFTP (but if you have set up chrooted SFTP and SSH for a user and want to disable SSH afterwards, the method shown here works as well; if you have set up chrooted SFTP only, but not chrooted SSH, access is restricted to SFTP anyway as mentioned at the end of chapter 3).

It shows what you can do to make a user use SFTP only and disallow SSH usage for that user. All you have to do is change the user's login shell to /usr/lib/openssh/sftp-server ,e.g.:

usermod -s /usr/lib/openssh/sftp-server falko

/usr/lib/openssh/sftp-server must be listed in /etc/shells as a valid login shell, so if it isn't already listed, please add it to /etc/shells as follows:

echo '/usr/lib/openssh/sftp-server' >> /etc/shells

This has to be done only once, not for every user that you want to restrict to SFTP.

 

6 Links

Share this page:

12 Comment(s)