Configure OpenSSH to restrict access with SFTP Jails

Because by default settings SSH users will be able to view the entire filesystem which is not desirable.

Every now and then there may be a need to give your users the ability to securely upload files to your web server. This is typically done using Secure File Transfer Protocol (SFTP), which uses SSH to provide encryption. In such scenario, you may have to give your users SSH logins.

That’s where the trouble begins. By default settings, SSH users will be able to view the entire filesystem. This is not what you want. Don’t you?

Restrict Access to Home Directories with SFTP Jails

In this Terminal Tuts, we are going to guide you on how to configure OpenSSH to restrict access to the home directories.

1. Configuring OpenSSH

Before modifying the sshd config file, we advise taking a backup just in case you needed the original later on. Launch Terminal and enter the following command:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.Backup

Let’s start modifying it. Open the sshd_config file using vim.

sudo vim /etc/ssh/sshd_config

Add the following line. If there is an existing subsystem sftp line, go ahead and modify it to match it.

Subsystem sftp internal-sftp

Next, add the following lines to the end of the file.

Match group securegroup
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no

The final edited file should look like this.

Edited File
Edited File

When you are done, save and close the file.

Restart SSH for the new settings to take effect.

sudo systemctl restart sshd

2. Creating Group & User

Let’s create a group so that you can simplify managing the permissions. To create a new group for users:

sudo addgroup --system securegroup

Create a user named ‘sftpuser’ using adduser command and add it to the securegroup we created.

sudo adduser sftpuser --ingroup securegroup

Go ahead and add existing users to the group using usermod command.

sudo usermod -g securegroup sftpuser

3. Managing Permissions

The fun part begins now. We are going to restrict writing access to the HOME folder of a jailed SFTP user.

Start by changing the sftp user Home directory ownership using chown command.

sudo chown root:root /home/sftpuser

Modify the sftp user home directory permissions by using chmod command.

sudo chmod 755 /home/sftpuser

Now we are going to create a folder for sftpuser:

sudo cd /home/sftpuser
sudo mkdir uploadfiles

Modify the folder ownership.

sudo chown sftpuser:securegroup uploadfiles

The user should be able to access the account using SFTP and can upload documents to a given directory.

4. Verify SFTP

To verify everything is working as intended, use an FTP client like Filezilla and login to the server. Enter server IP, user name and password. Port should be 22. You should not be able to access the home directory with the restricted user account.

SFTP
SFTP

5. Additional Configurations

During a situation where your client wants to upload files/images to someplace in the web document root, you can mount the needed folder to sftpuser folder. For example, we are going to mount /var/www/html/webapp/pub/media to sftpuser folder.

Our Media folder can be seen as follows:

Media Folder
Media Folder

Here we are using a bind mount to mount folder.

sudo mount -o bind /var/www/html/webapp/pub/media   /home/sftpuser/uploadfiles/

This will be temporary and permission will reset after reboot. To make it permanent, you need to edit the fstab file as follows:

sudo vim /etc/fstab

Add the following line to file.

/var/www/html/webapp/pub/media      /home/sftpuser/uploadfiles/   none    bind    0

Save and exit the file. Try using your favorite SFTP client and log in as a sftpuser. You should be able to see the media folder contents.

After Directory Mount
After Directory Mount

That’s it for today. You should have by now learned how to configure and verify a Jail SFTP user. Feel free to ask any questions you have in the comments below.

Darshana
Hey! I'm Darshana, a Linux / DevOps Engineer and also a contributor to FOSS Linux. I enjoy working on various kind of Linux distributions and cloud technologies. During my free time, I love to swim and hike across nature trails. Linux is my love and I'm here to share all my learnings with all of you! Hope you enjoyed reading my article.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

STAY CONNECTED

24,261FansLike
192FollowersFollow

LATEST ARTICLES

clean virus ubuntu live CD
In this tutorial, we are going to show you how to clean your Windows machine from infected viruses using an Ubuntu live USB or CD and the ClamAV antivirus. The ClamAV is a free, open-source antivirus that can be used on Ubuntu.
Free up hard disk space ubuntu
Hard disk space can easily get filled up with cached package files, old kernels, and other obsolete files that occupy unwanted hard disk space. Here are top five best and safer ways to clean and free up hard disk space in Ubuntu. We show you Terminal and GUI way of cleaning up system.
essential linux commands
Last week, we shared with you several "cool and fun" commands to get comfortable and confident with the Linux command-line. In our quest to further aid Linux users with mastery of the command line, or CLI, we present you with a variety of command-line utilities essential for all Linux users, regardless of proficiency level.