SFTP Chroot Jail on RHEL6 and CentOS6

Finally RedHat has stepped into the 21st century with the introduction of OpenSSH 5.3 in RHEL 6 / CentOS 6. Now we can finally build a working SFTP chroot jail within RedHat without having to build custom rpms or compile SSHd from source. This article will guide you through setting up SSHd and a couple of users in a completely jailed SFTP environment.

First let’s discuss what we are trying to achieve. We are going to set up two users for web content uploads that will be locked into their respective /var/www/vhosts/%u directory structures. There are basically four steps to getting this set up.

  • design the layout you want to use for the users
  • set up the user and group accounts
  • make changes to the sshd configuration
  • do permissions cleanup and testing

Layout design

For this example we are setting up two users for website content updates. Each user will have a directory structure that is tied to a domain. They can edit the files within that structure but cannot see or edit anything outside it.

We will be setting up two users, bob and ted; each will have a directory under /var/www/vhosts/ to manage their respective sites. We will create a group called ‘sftponly’ that includes both users. These accounts will only have SFTP access and will not have a working shell (i.e. no standard SSH login).

Set up the directory structure for the users by creating the following directories as root.

    /var/www/vhosts/bob/site1/
    /var/www/vhosts/ted/site1/

Note how each user has a directory to match their user name, then a content directory (in this case named site1).

User and Group setup

First you will want to establish the sftponly group:

    # groupadd sftponly

Then create the users with the correct home directories and group. The home directory is the directory that will become each user's chroot, and /bin/false as the shell denies interactive logins:

    # useradd -d /var/www/vhosts/bob -s /bin/false -G sftponly bob
    # useradd -d /var/www/vhosts/ted -s /bin/false -G sftponly ted

Don’t forget at this point to also set a password on each of these new accounts (with passwd); without one they cannot log in.

SSHd configuration changes

Now we need to make changes in /etc/ssh/sshd_config to enable SFTP chroot jails in SSH.

Comment out the following line in /etc/ssh/sshd_config:

    #  Subsystem sftp /usr/lib/openssh/sftp-server

and replace it with this line:

    Subsystem sftp internal-sftp

Then add the following set of lines to the very bottom of the file:

    Match Group sftponly
        ChrootDirectory /var/www/vhosts/%u
        X11Forwarding no
        AllowTCPForwarding no
        ForceCommand internal-sftp

This creates a conditional block for the login group that chroot jails every user in that group into their own home directory (%u expands to the user name), disables X11 and TCP forwarding, and forces the in-process SFTP server so that no shell or sftp-server binary is needed inside the jail.

Once these file changes are saved you will need to restart SSHd for the changes to take effect, using the following command:

    # service sshd restart

Permissions cleanup and testing

The last issue to address is the permissions. For this example the directories /var/www/vhosts/bob and /var/www/vhosts/ted should both be owned by root, while /var/www/vhosts/ted/site1 should be owned by ted and /var/www/vhosts/bob/site1 by bob. The root ownership is not optional: sshd refuses the chroot unless every component of the ChrootDirectory path is owned by root and not writable by group or others, which is also why the users can write only inside site1.

You can then test by logging in over SFTP and seeing what can be done. If done correctly you cannot upload to any directory other than /site1:

$ sftp bob@1.2.3.4
bob@1.2.3.4's password:
Connected to 1.2.3.4.
sftp> pwd
Remote working directory: /
sftp> cd site1
sftp> put index.html
Uploading index.html to /site1/index.html
index.html                                    100%    0     0.0KB/s   00:00
sftp> ls
index.html
sftp> exit


SELinux could cause issues here if it is enabled. If all your permissions are correct and you still cannot write to the site1 folder, check SELinux (getenforce) and use ‘setenforce 0’ to get this demo working. Note that setenforce 0 switches SELinux to permissive mode system-wide until the next reboot, so treat it as a way to confirm the cause rather than as the fix.

You should now have two users that are completely jailed off from each other with limited abilities to do any damage to your server.