Packetwatch.net

OpenSSH chrooted SFTP using public keys in Red Hat Enterprise Linux



Last modified: Sep. 11, 2009

Contents
1 - Summary
2 - Service configuration
5 - Create new group and user
6 - Service check


1 - Summary

This guide will show how to configure OpenSSH with chrooted SFTP using public
key authentication in Red Hat Enterprise Linux. This setup is only going to
allow for sftp logins and not ssh access to the shell using public key or
password authentication. This has been tested using OpenSSH 5.0 portable in
Red Hat Enterprise Linux 4.


2 - Service configuration

Configure the SSH service. SSH is located in /usr/local/etc on this server
since it was compiled from source.
# su - root
# cd /usr/local/etc
# cp sshd_config sshd_config.original

Make sure the following lines are in the configuration file. This will allow
public key and password authentication. It will also be chrooted for SFTP
connections for the users in the group named external. The users in the group
named external will only have access to their directory which is located in
the /ftp directory.

  AllowGroups external
  AuthorizedKeysFile      .ssh/authorized_keys
  PasswordAuthentication yes
  PubkeyAuthentication yes
  Subsystem       sftp    internal-sftp
  Match Group external
      ForceCommand internal-sftp
      ChrootDirectory /ftp/%u

# vi sshd_config
# service sshd restart
Stopping sshd:[  OK  ]
Starting sshd:[  OK  ]


3 - Create new group and user

Create the new group and user along with the directory permissions. These
commands will be run as the root user. The password expiration will be disabled
since the users don't have ssh access to the shell. The user will login and
their home diretory will show up as /. Also, with this setup the user has read
access to their home directory and full access to the Uploads directory.
# groupadd external
# cd /
# mkdir /ftp
# chown -R root:root /ftp
# chmod -R 755 /ftp
# useradd -c 'Test User' -G external -M -s /sbin/nologin user
# chage -m 0 -M 99999 -I -1 -E -1 -W 7 user
# passwd user
Changing password for user user.
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
# usermod -d / user
# mkdir /ftp/user
# mkdir /ftp/user/.ssh
# mkdir /ftp/user/Uploads
# chown -R user:user /ftp/user/.ssh
# chown -R user:user /ftp/user/Uploads
# chmod -R 777 /ftp/user/Uploads


4 - Create public key on workstation

Create a public key on the client workstation. We will create an RSA key and
not give the key a passphrase in this example.
# cd ~
# ssh-keygen -q -b 4096 -t rsa
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Next, get the public key (/home/user/.ssh/id_rsa.pub) to the server.


5 - Configure server to use public key

Stay as the root user and copy the public key to the following locations and
set the permissions.
# mkdir /.ssh
# cat id_rsa.pub >> /.ssh/authorized_keys
# chmod 644 /.ssh/authorized_keys
# cat id_rsa.pub > /ftp/user/.ssh/authorized_keys
# chown -R user:user /ftp/user/.ssh/authorized_keys
# chmod 400 /ftp/user/.ssh/authorized_keys


6 - Sample session

From the client workstation test out sftp using the account that was just
created on the server.
# sftp user@server.test.com
Connecting to server.test.com...
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *

THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
  ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
 PUNISHABLE UNDER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS
 THIS SYSTEM, DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR
  KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE
 HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT
                  TO MONITORING AND AUDITING.

* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
sftp> ls -la
drwxr-xr-x    4 0        0            4096 Sep 11 15:42 .
drwxr-xr-x    4 0        0            4096 Sep 11 15:42 ..
drwxr-xr-x    2 520      522          4096 Sep 11 16:07 .ssh
drwxrwxrwx    2 520      522          4096 Sep 11 15:42 Uploads
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> pwd
Remote working directory: /
sftp> ls -la .ssh
drwxr-xr-x    2 520      522          4096 Sep 11 16:07 .
drwxr-xr-x    4 0        0            4096 Sep 11 15:42 ..
-r--------    1 520      522           753 Sep 11 16:07 authorized_keys
sftp> bye


Last modified: Thu Jan 1 00:00:00 1970 UTC
Packetwatch Research 2002-2017.