Linux Admin Reference – Chroot FTP Services in Red Hat Enterprise Linux

A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name and cannot access files outside the designated directory tree.

Chroot SFTP is possible with OpenSSH (openssh-server-4.3p2-30.el5), which ships with Red Hat Enterprise Linux 5.4. If you are using an older OpenSSH version than this, upgrade it to openssh-server-4.3p2-30.el5 or later.

Important notes:

  • In RHEL 5, once sftp is configured to use chroot, it will not allow any user, including root, to log in via normal ssh. This is due to the lack of “Match” functionality, which is only available in RHEL 6.
  • A workaround is to run multiple copies of the ssh server (listening on different ports/IP addresses), one with the default configuration and another instance for chrooted sftp. Please note that multiple instances are not supported. Please use RHEL 6, which includes a newer version of OpenSSH that allows a chroot environment on a per-user/group basis.

Setting up chroot SFTP

Step 1. Create a specific chrooted directory.

mkdir /chroot/home

Step 2. Mount it to /home as follows:

mount -o bind /home /chroot/home

Step 3. Edit /etc/ssh/sshd_config as follows:

ChrootDirectory    /chroot
Subsystem     sftp      internal-sftp

Please ensure that the directories making up the ChrootDirectory path, “/chroot” in this example, are owned by root and are not writable by any other user or group. This affects all users, however; there is no per-user configuration.

Step 4. Save & Exit

# service sshd restart


Configuring chroot SFTP for specific users only

In order to allow ChrootDirectory functionality on a per-user basis, use a conditionally-executed sshd configuration block (the “Match” keyword) in the sshd_config file.

This example uses a “Match” block based on group membership, but other criteria may be used in a “Match” block to determine which users are restricted to the ChrootDirectory.

Step 1. Edit sshd_config

Comment the original Subsystem entry for sftp and replace it with a new entry:

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Add the following to the end of the /etc/ssh/sshd_config file.

Match Group sftponly
       ChrootDirectory /chroots/%u
       AllowTcpForwarding no
       ForceCommand internal-sftp
       X11Forwarding no

Step 2. Create a new group for sftp-only users (users in this group will not have ssh/scp access, and their sftp access will be limited to their chrooted environment).

# groupadd sftponly

NOTE: Users not in this group can still log in to the host via ssh and otherwise interact with OpenSSH normally.

Step 3: Configure or create the accounts of any sftp-only users. NOTE: the specified home directory is relative to the ChrootDirectory.

# usermod -d /myhome -g sftponly -s /bin/false user

or

# useradd -d /myhome -M -g sftponly -s /bin/false user

Step 4: Create the user’s chroot environment and configure directory permissions. Ensure that this entire path is owned by root and only writable by root.

# mkdir -p /chroots/user ; chmod -R 755 /chroots/user

NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username), so that each user has an individual chroot environment.

Users will not be able to see other directories located beneath the root of their chrooted environment.

Step 5: Create the user’s actual home directory under the ChrootDirectory and chown it to the user and group created/used in Step 3 (above).

# mkdir /chroots/user/myhome ; chown user:sftponly /chroots/user/myhome

NOTE: The permissions of the user's home directory inside the chroot, that is, /chroots/user/myhome, should be 0755.

Step 6: Restart sshd.

Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.
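The ownership rule stated above (every component of the ChrootDirectory path owned by root and not writable by group or others) is what sshd verifies before it will chroot a session, and a mistake on any single component, for the global /chroot setup or the per-user /chroots/%u one, makes the sftp login fail after the restart. The POSIX shell function below is an added example and is not part of the original article: it walks from the chroot directory up to a top directory (default /, which is what sshd checks) and reports any component that is not owned by the expected uid (root by default) or is writable by group or others. The TOP and OWNER_UID arguments are assumptions of this example, present only so the check can be exercised on a scratch directory as a non-root user; it relies on stat -c from GNU coreutils as shipped in RHEL.

```shell
#!/bin/sh
# Added example: verify that a ChrootDirectory path satisfies the sshd
# ownership rule (every component owned by root, uid 0, and not writable
# by group or others). Not part of the original article.
#
# usage: chroot_path_ok DIR [TOP] [OWNER_UID]
#   DIR        the ChrootDirectory to check, e.g. /chroots/user
#   TOP        highest ancestor to include (default "/", as sshd checks)
#   OWNER_UID  required owner uid (default 0 = root)
# Returns 0 if every component passes, 1 otherwise; offenders go to stderr.
chroot_path_ok() {
    dir=$1
    top=${2:-/}
    owner=${3:-0}
    # Normalise: absolute path, no trailing slash (dirname on a relative
    # path would loop on "." forever)
    case $dir in
        /) ;;
        /*) dir=${dir%/} ;;
        *) dir=$(pwd)/${dir%/} ;;
    esac
    rc=0
    cur=$dir
    while :; do
        # GNU stat (coreutils, as on RHEL): %u = owner uid, %A = symbolic mode
        if ! info=$(stat -c '%u %A' "$cur" 2>/dev/null); then
            echo "BAD: cannot stat $cur" >&2
            return 1
        fi
        uid=${info%% *}
        perm=${info##* }
        if [ "$uid" != "$owner" ]; then
            echo "BAD: $cur is owned by uid $uid, expected $owner" >&2
            rc=1
        fi
        # In "drwxr-xr-x", character 6 is the group write bit and 9 the
        # other write bit
        gw=$(printf '%s' "$perm" | cut -c6)
        ow=$(printf '%s' "$perm" | cut -c9)
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "BAD: $cur is writable by group or others ($perm)" >&2
            rc=1
        fi
        # Stop once the top directory (or the filesystem root) is checked
        if [ "$cur" = "$top" ] || [ "$cur" = / ]; then
            break
        fi
        cur=$(dirname "$cur")
    done
    return $rc
}

# Stand-alone use: sh check_chroot.sh /chroots/user
if [ "$#" -gt 0 ]; then
    chroot_path_ok "$@"
fi
```

Run it against each user's chroot before restarting sshd; a non-zero exit with the offending component on stderr is exactly the condition that would otherwise surface only as a disconnected sftp client after the restart.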


Creating an FTP-only user with restricted access to a specific directory in a chroot environment

1. Add a user with a shell that does not allow the user to run any commands, e.g. “/bin/true”:

# useradd abc -s /bin/true

# passwd abc

By default the home directory of the user resides in /home. This can be changed to any directory, such as “/myftp/public”, with the following command:

# usermod -d /myftp/public abc

2. Add the entry below to /etc/shells so that the user can log in through ftp:

/bin/true

Note: the shell /bin/true cannot be used to log in through any other service such as ssh, telnet, etc.

3. The user abc can be jailed to /myftp/public and its subdirectories, but cannot reach any directory above /myftp/public. To do this, edit /etc/vsftpd/vsftpd.conf and uncomment the following lines:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

After doing the above, add the user to /etc/vsftpd/chroot_list and restart vsftpd:

# service vsftpd restart
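The chroot_list_enable and chroot_list_file pair interacts with a third directive, chroot_local_user, and the meaning of the list flips depending on it: with chroot_local_user=NO (the default) the listed users are the ones placed in the jail, while with chroot_local_user=YES the list names the users who are exempt from it (vsftpd.conf(5)). The shell script below is an added example, not from the article or from the vsftpd project: it reads those three directives from a vsftpd.conf and answers whether a given user would be chrooted, so the configuration can be verified before the restart. It assumes the RHEL list path /etc/vsftpd/chroot_list as the default when chroot_list_file is absent, and follows vsftpd's strict directive syntax (option=value with no whitespace around =, lines starting with # ignored), which is also why a still-commented directive has no effect.

```shell
#!/bin/sh
# Added example: decide whether vsftpd would chroot a given local user, from
# the three directives that govern it. Not from the article or vsftpd itself.
# Semantics per vsftpd.conf(5):
#   chroot_local_user=NO  (default): chroot_list names the users who ARE jailed
#   chroot_local_user=YES          : chroot_list names the users who are NOT jailed
# Either way the list is consulted only when chroot_list_enable=YES.

# Print the effective value of directive $2 in config $1 (last occurrence wins).
# vsftpd.conf(5) directives are exactly "option=value" with no whitespace
# around "=", and lines starting with "#" are comments, so a commented-out
# line such as "#chroot_list_enable=YES" never matches here, as in vsftpd.
vsftpd_get() {
    grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# 0 if user $2 appears as a whole line in list file $1, 1 otherwise
in_chroot_list() {
    [ -r "$1" ] && grep -qxF "$2" "$1"
}

# usage: vsftpd_user_chrooted CONF USER  -> 0 if USER is chrooted, 1 if not
vsftpd_user_chrooted() {
    conf=$1
    user=$2
    local_user=$(vsftpd_get "$conf" chroot_local_user)
    list_enable=$(vsftpd_get "$conf" chroot_list_enable)
    list_file=$(vsftpd_get "$conf" chroot_list_file)
    # Defaults: NO/NO from vsftpd.conf(5); the list path default is assumed
    # here to be the RHEL location used in the article.
    : "${local_user:=NO}" "${list_enable:=NO}" "${list_file:=/etc/vsftpd/chroot_list}"
    listed=1
    if [ "$list_enable" = YES ] && in_chroot_list "$list_file" "$user"; then
        listed=0
    fi
    if [ "$local_user" = YES ]; then
        # everyone is jailed except the listed users
        [ "$listed" -eq 1 ]
    else
        # nobody is jailed except the listed users
        [ "$listed" -eq 0 ]
    fi
}

# Stand-alone use: sh vsftpd_chroot_check.sh /etc/vsftpd/vsftpd.conf abc
if [ "$#" -eq 2 ]; then
    if vsftpd_user_chrooted "$1" "$2"; then
        echo "$2: chrooted"
    else
        echo "$2: NOT chrooted"
    fi
fi
```

Checking the account from step 3 this way catches the two usual mistakes on this page's procedure: leaving the chroot_list_enable line commented out, or enabling chroot_local_user elsewhere in the file and thereby turning the list into an exemption list so that abc is the one user left unjailed.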

Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later I realized that my learnings might be helpful for other unixadmins if I managed my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/
