How to restrict users accessing files under respective path using sftp


Hi,

I have created a chroot path with no ssh, where the user can only sftp to put and get files.

I have created folders for 5 users, and under each of them I have created sub-folders like deploy and logs.

When I sftp as these users, I want the user under the
deploy dir -> to put files and not to get files
log dir -> to get files and not to put files
And have a common user -> to access all files

How can I make this possible?

Responses

How to set up SFTP to chroot only for specific users

SOLUTION VERIFIED - Updated March 27 2019 at 10:47 AM - English

Environment

Red Hat Enterprise Linux (RHEL) 6
Red Hat Enterprise Linux (RHEL) 7

Issue

How to set up sftp to chroot only for specific users
How to set up sftp so that a user can't get out of their home directory, ensuring no other users are affected
Preserve normal ssh/sftp functionality for most other users
Support for sftp/scp account jails in openssh server
I am facing problems for configuring sftp server and need assistance for the same.

Resolution

In order to allow ChrootDirectory functionality on a per-user basis, employ a conditionally-executed sshd configuration (using the "Match" keyword) in the sshd_config file.

This example will use a "Match" block based on group membership, but other criteria may be used in a "Match" block to determine which users are restricted to the ChrootDirectory (see "man sshd_config" for more details).

1. Edit sshd_config

Comment the original Subsystem entry for sftp and replace it with a new entry:

    #Subsystem sftp /usr/libexec/openssh/sftp-server
    Subsystem sftp internal-sftp

Add the following to the end of the /etc/ssh/sshd_config file:

    Match Group sftponly
        ChrootDirectory /chroots/%u
        AllowTcpForwarding no
        ForceCommand internal-sftp
        X11Forwarding no

2. Create a new group to add sftp-only users to (users in this group will not have access to ssh/scp, and sftp access will be limited to their chrooted environment):

    groupadd sftponly

NOTE: Persons not in this group can still log in to the host via ssh and otherwise interact with openssh normally.

3. Configure or create the accounts of any sftp-only users. NOTE: the specified home directory "/myhome" is relative to the ChrootDirectory.

a. If the user already exists:

    usermod -g sftponly -s /bin/false user

b. If the user doesn't exist, create a new user:

    useradd -d /myhome -M -g sftponly -s /bin/false user

The user's home does have to be at the base of the root, due to the way the chroot is set up. Attempting to set a user's home as /chroot/user/myhome will cause issues as this would expand to /chroot/user/chroot/user/myhome outside of the chroot, while /chroot/user/myhome does not exist in the chrooted environment, only /myhome.

In case you newly created the "user", set its password:

    passwd user

4. Create the user's chroot environment and configure directory permissions. Ensure that this entire path is owned by root and only writable by root.

    mkdir -p /chroots/user ; chmod -R 755 /chroots/user

NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username of that user) so that each user will have an individual chroot environment. So the /chroots/user (indicated by the /chroots/%u) becomes the base root / when the user logs in.

NOTE: The ownership of the chroot base directory should be root:root; anything else will block chroot sftp access.

If it is not root:root, then the command below should be executed for chroot-sftp operation:

    chown root:root /chroots/user

Users will not be able to see other directories located beneath the root of their chrooted environment.

5. Create the user's actual home directory under the ChrootDirectory and chown it to the user and group created/used in Step 3 (above).

    mkdir /chroots/user/myhome ; chown user:sftponly /chroots/user/myhome

NOTE: The permission of the user chroot directory, that is, /chroots/user/myhome, should be 0755.

6. If you want to use the timezone of the host machine in the chrooted environment, run the following command. The example command sets the timezone to Asia/Tokyo (UTC+9:00).

    mkdir /chroots/user/etc/; cp /usr/share/zoneinfo/Asia/Tokyo /chroots/user/etc/localtime

7. Restart sshd.

Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.

When the user logs in they will see their working directory as /myhome (which is actually /chroots/user/myhome).