
Setting up a per-user chrooted SFTP environment

Introduction
The biggest problem with allowing remote users SFTP access to a system is that
by default they are not chrooted to their home directories the way an FTP server
can do it. OpenSSH provides the SFTP functionality, so the OpenSSH configuration
is the SFTP configuration. Up until OpenSSH 4.9 it was not possible with stock
sshd to chroot specific users to their own home directory; chrooting at all meant
third-party patches, and then typically all users ended up in the same directory.
This is not a desirable situation.

Since OpenSSH 4.9 sshd has a built-in SFTP server (internal-sftp) next to the
bundled sftp-server executable, and a ChrootDirectory option that, combined with
Match blocks, chroots on a per-user or per-group basis. This allows much finer
control over SFTP sessions.

Sadly, the OpenSSH that ships with our standard RHEL 5.3 build does not support
this, so we will have to compile it ourselves.

I will not go into great detail on how to build the OpenSSH tarball, but in short it
involves setting up an rpmbuild environment (best done under your home directory,
so you are not building as root), editing openssh.spec to exclude x11 and
gnome_askpass (no use for those on a server without X) and then building the RPMs
from the source.

Once the RPMs are built we can install them over the old ones; most likely you
will have to remove openssh-askpass first, but since our server has no X this
is not a problem.

I used OpenSSH version 5.5p1 for this, but any version from 4.9 onwards should
work.
Now that this is out of the way, here is how to configure OpenSSH.

Setting up the directories


In order to allow SFTP access to a machine, first create a group to hold the users
that may access the server. Let's call it sftpusers:

groupadd sftpusers

Now we create a user:

useradd -s /sbin/nologin -d /incoming -M -G sftpusers bob

This creates a user called "bob" whose shell is /sbin/nologin, so he cannot log in
normally, adds him to the "sftpusers" group we created before and records
"/incoming" as his home directory (more on that later). The -M flag stops useradd
from creating /incoming on the real root filesystem, which it would otherwise do
with the default login.defs on RHEL; the directory bob will land in lives inside the
chroot. Finish by giving bob a password (passwd bob) or an authorized key, or he
cannot authenticate at all.
Now we create the top-level directory, say /var/ftp/sftp.
It is critical that the chroot directory and every directory above it (here /var,
/var/ftp, /var/ftp/sftp and /var/ftp/sftp/bob) are owned by root and not writable
by group or others; root:root 755 is the usual choice. sshd checks every path
component at login and refuses the session with "bad ownership or modes for chroot
directory" if any of them fails the test.

mkdir -m 755 /var/ftp
mkdir -m 755 /var/ftp/sftp
mkdir -m 755 /var/ftp/sftp/bob
mkdir -m 755 /var/ftp/sftp/bob/incoming
chown bob /var/ftp/sftp/bob/incoming

Note: mkdir -m applies the mode only to the last directory named; with -p the
intermediate directories get a default mode derived from your umask, so we
create each level explicitly. (You can use -p, but check the permissions of
every level afterwards!)

It is also worth noting that the users cannot write to their top-level directory:
sshd insists it is root-owned and not writable by anyone else, which is what stops
a user from tampering with the jail. That is why we create the incoming directory
and hand it to the user. It also serves as the home directory after the chroot
(hence setting /incoming as the user's home directory).
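As an added example (not part of the original tutorial), the shell below wraps the directory steps above in a function and adds the check sshd itself applies at login: the chroot directory and every component above it must be root-owned and not writable by group or others. The function names make_sftp_tree and check_chroot_path, and the optional owner and top-of-path parameters (there so the check can be exercised on a scratch tree as a non-root user), are my own and not OpenSSH commands; it assumes GNU stat, as on RHEL.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes GNU stat (Linux).
# Real use, as root:  make_sftp_tree /var/ftp/sftp bob sftpusers
#                     check_chroot_path /var/ftp/sftp/bob

# make_sftp_tree BASE USER [GROUP]
# Creates BASE/USER (the ChrootDirectory, mode 755, owned by whoever runs
# this, i.e. root on the real host) and BASE/USER/incoming owned by USER,
# the only writable place inside the jail.
make_sftp_tree() {
    base=$1; user=$2; group=${3:-$user}
    # mkdir -m only applies the mode to the directory named, so do each level
    for d in "$base" "$base/$user" "$base/$user/incoming"; do
        [ -d "$d" ] || mkdir -m 755 "$d" || return 1
    done
    chown "$user:$group" "$base/$user/incoming"
}

# check_chroot_path DIR [OWNER_UID] [TOP]
# Mirrors sshd's test: DIR and every directory above it up to TOP (default /)
# must be owned by OWNER_UID (default 0, root) and not writable by group or
# others. Returns 0 if acceptable, 1 if not (bad components go to stderr),
# 2 if a component cannot be stat'ed.
check_chroot_path() {
    path=$1; want_uid=${2:-0}; top=${3:-/}
    rc=0
    while :; do
        uid=$(stat -c '%u' "$path") || return 2
        perm=$(stat -c '%A' "$path")
        if [ "$uid" != "$want_uid" ]; then
            echo "bad owner (uid $uid) on $path" >&2; rc=1
        fi
        # %A looks like drwxr-xr-x: char 6 is group write, char 9 is other write
        case $perm in
            ?????w*|????????w*) echo "group/other writable: $path ($perm)" >&2; rc=1 ;;
        esac
        [ "$path" = "$top" ] && break
        parent=$(dirname "$path")
        [ "$parent" = "$path" ] && break   # reached the filesystem root
        path=$parent
    done
    return $rc
}

# Driver for stand-alone use: ./mksftp.sh BASE USER [GROUP]
if [ $# -ge 2 ]; then
    make_sftp_tree "$1" "$2" "$3" && check_chroot_path "$1/$2"
fi
```

Run check_chroot_path against the real chroot path before restarting sshd: the most common failure in practice is a /var/ftp or /var/ftp/sftp that was created group-writable by some other package or by hand, and sshd gives no hint beyond the one log line.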

Configuring OpenSSH server


Now that all the directories are set up, edit the sshd configuration file
(/etc/ssh/sshd_config).

At the bottom, change/append the following:

NOTE: The Match block must be at the end of the file. Every directive after a
Match line belongs to that block until the next Match, so anything you put below
it would apply only to sftpusers (or be rejected outright if the directive is not
allowed inside a Match block).

# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# SFTP chroot setting
Match Group sftpusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /var/ftp/sftp/%u

As you can see, we switch the SFTP subsystem from the external sftp-server binary
to the in-process one, and set up the chroot for the sftpusers group. internal-sftp
runs inside the sshd process, which is what makes the jail so simple: no shell,
binaries, libraries or device nodes have to be copied into it, and the /sbin/nologin
shell we gave bob is never executed. %u in ChrootDirectory is replaced with the user
name, which gives each user their own jail. X11 and TCP forwarding are disabled so
the account cannot be used as a tunnel, and ForceCommand internal-sftp overrides
whatever command the client asks for (a shell, scp, anything), so these users get
SFTP and nothing else.

After editing the file, check the syntax with sshd -t, then restart the daemon
(service sshd restart) and that's it!
Disabling SSH access for normal FTP users.
If you run a normal FTP server next to the SFTP server, then depending on how that
FTP server authenticates, its users are ordinary system accounts and will have SSH
access to the server as well. This is not desirable, so we add one more directive
to the OpenSSH configuration file. AllowGroups is a global directive that is not
permitted inside a Match block (sshd refuses to start if it finds it there), so
put it above the Match block, not at the very end of the file:

#Only allow members of the sshusers and sftpusers groups
AllowGroups sshusers sftpusers

As you can see, we allow users in the "sshusers" and "sftpusers" groups; all other
users are denied access.
The sftp users can still reach the server, alongside the sshusers group.

NOTE: Anyone who needs SSH access to the server will have to be a member of
the sshusers group, so be sure to add all users who need this access before
you restart sshd, and keep your current session open until you have confirmed
that a fresh login still works, or you will lock yourself out. Also, because the
Match block forces internal-sftp for everyone in sftpusers, membership of that
group disables shell access whatever other groups the user is in, so it is
useless to add a user to both groups.
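As an added example (not from the original tutorial), the script below lints an sshd_config for the mistakes this layout invites: AllowGroups placed after the Match block (sshd rejects it there and will not start), a Subsystem line still pointing at the external sftp-server binary, or a Match block that lacks ForceCommand internal-sftp or ChrootDirectory. The function name check_sftp_config is mine and the sample configurations used to exercise it are constructed; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original tutorial. POSIX sh + awk.
# check_sftp_config FILE -> 0 if the SFTP chroot layout looks right,
#                           1 otherwise (each problem is printed to stderr)
check_sftp_config() {
    awk '
        # strip comments and blank lines, then lower-case the keyword
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next; key = tolower($1) }

        # everything after the first Match line belongs to a Match block
        key == "match" { in_match = 1; match_seen = 1; next }

        # AllowGroups is global only; inside Match sshd refuses the config
        key == "allowgroups" && in_match {
            bad("AllowGroups after the Match block (line " NR "); move it above Match")
        }

        # the subsystem must be the in-process server, not the binary
        key == "subsystem" && tolower($2) == "sftp" && $3 == "internal-sftp" { sub_ok = 1 }

        # the Match block must force internal-sftp and set a chroot
        key == "forcecommand" && in_match && $2 == "internal-sftp" { force_ok = 1 }
        key == "chrootdirectory" && in_match { chroot_ok = 1 }

        function bad(msg) { print "sshd_config: " msg > "/dev/stderr"; rc = 1 }

        END {
            if (!match_seen) bad("no Match block found")
            if (!sub_ok)     bad("Subsystem sftp is not internal-sftp")
            if (!force_ok)   bad("Match block lacks ForceCommand internal-sftp")
            if (!chroot_ok)  bad("Match block lacks ChrootDirectory")
            exit rc
        }
    ' "$1"
}

# Stand-alone use: ./checkcfg.sh /etc/ssh/sshd_config
if [ $# -ge 1 ]; then
    check_sftp_config "$1" && echo "ok: $1"
fi
```

Run it against the live file before restarting: check_sftp_config /etc/ssh/sshd_config && sshd -t. On OpenSSH 5.1 and later, sshd -T -C user=bob,host=client.example.org,addr=192.0.2.10 (host and address are placeholders for the connecting client) prints the configuration as it would apply to bob, which is the quickest way to confirm the Match block actually fires for him and not for sshusers.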

Notes and HowTo:


ChrootDirectory confines the session to the directory we created earlier
(/var/ftp/sftp/bob once %u is expanded). The home directory from /etc/passwd,
/incoming, is then resolved relative to the chroot, and sshd changes into it before
starting internal-sftp, so the user lands in the incoming directory, the only place
he or she can upload and download files. If that directory is missing inside the
jail, the session starts at the chroot root instead, which is root-owned and
read-only for the user. Nothing can be uploaded directly into the chroot directory
itself.

If you authenticate bob with a key rather than a password, remember that sshd reads
authorized_keys before the chroot, using the real home directory from /etc/passwd
(/incoming on the host, which we deliberately did not create). Either point
AuthorizedKeysFile at a root-owned location outside the jail, or create the key
file where %h actually resolves.

The SFTP server can be accessed with programs like WinSCP and most clients that
speak SFTP; FileZilla works fine, for example.
