How to Set Up the SFTP Chroot Jail

Introduction

Before we begin talking about how to set up the SFTP Chroot Jail. Let’s briefly understand - What is SFTP?

SFTP (Secure File Transfer Protocol) is a secure method to transfer files over the internet. It combines the features of FTP (File Transfer Protocol) with encryption to provide a safe and reliable way to exchange data. SFTP uses SSH (Secure Shell) to encrypt the data during transmission, ensuring privacy and preventing unauthorized access.

With SFTP, users can securely upload, download, and manage files on remote servers. Businesses and individuals use SFTP for secure file sharing, backup, and remote access to files. It is a widely used and trusted solution for protecting sensitive data during file transfer.

In this tutorial, you will set up the SFTP Chroot Jail. We will also address some of the FAQs related to the SFTP installation.

Advantages of SFTP

Secure File Transfer: SFTP ensures data privacy during file transfer by encrypting the information using SSH, protecting it from unauthorized access.
Data Integrity: SFTP uses checksums to verify file integrity, ensuring that transferred files remain intact and uncorrupted.
Authentication: SFTP employs strong authentication methods, providing secure access control to remote servers and preventing unauthorized file transfers.
Platform Agnostic: SFTP is compatible with various operating systems and platforms, allowing seamless file transfers across different devices and networks.
Reliability: SFTP's error-checking mechanisms and reliable data delivery ensure that files are transferred accurately and efficiently, even in unstable network conditions.

Step 1- Creating an SFTP Group

1) Create a new group and add all your chrooted users to this group to avoid configuring the OpenSSH server for every single user.

2) Next, run the below groupadd command. It will create the sftponly user group.

sudo groupadd sftponly

💡

You can name the group as per your wish.

Step 2 - Adding Users to SFTP Group

1) Now add the users that you want to restrict to the sftponly group.

2) Now, if this is a new setup and the user does not exist, you will have to create a new user account by:

sudo useradd -g sftponly -s /bin/false -m -d /home/username username

Here, -g sftponly option will add the user to sftponly group.
Set the login shell to /bin/false, this way user will not be able to login to server via SSH.
The -m -d /home/username options will tell useradd to create user home directory.

3) You will now set a strong password using the following command:

sudo passwd username

4) If the user you want to restrict exist already, you need to add the user to sftponly group and change the user’s shell:

sudo usermod -G sftponly -s /bin/false username2

5) Root must be the owner of the user home directory with 755 permission:

sudo chown root: /home/username
sudo chmod 755 /home/username

6) Users will not be able to create new files and directories as their home directories are owned by root. As there are no directories in the user's home, you will have to create the following directories:

sudo mkdir /home/username/{public_html,uploads}
sudo chmod 755 /home/username/{public_html,uploads}
sudo chown username:sftponly /home/username/{public_html,uploads}

7) These changes may lead to permission issues if a web application is using the user’s public_html directory as the document root.

Step 3 - Configuring the SSH

1) SFTP is a subsystem of the SSH and it supports all SSH authentication mechanisms.

Next, open the SSH configuration file /etc/ssh/sshd_config with your text editor.

sudo nano /etc/ssh/sshd_config

2) Now, search for the line starting with Subsystem sftp. It is usually present at the end of the file. If the line starts with a hash #. Then, remove the hash # and modify it to look like below:

                                 /etc/ssh/sshd_config
Subsystem sftp internal-sftp

At the end of the file, the below block of settings:

                                /etc/ssh/sshd_config
Match Group sftponly
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

The ChrootDirectory directive shows the path to chroot directory. Also, %h means the user's home directory. Only root users should have access to this directory, and it should not be writable by any other user or group.

To avoid any issues with SSH, you should modify it very carefully.

3) Now save the file and restart the SSH service to apply the changes:

sudo systemctl restart ssh

4) In both CentOS and Fedora, ssh service is known as sshd:

sudo systemctl restart sshd

Step 4 - Testing the Configuration

1) Once the SFTP configuration is done, you can log in to the remote machine through SFTP using the credentials of the chrooted user.

Now, open the SFTP connection using the following command:

sftp [email protected]

2) You will get a prompt to enter the user password. After connecting, the remote server will display a confirmation message and the sftp> prompt:

Output

[email protected]'s password:
sftp>

3) Next, run the pwd command like below and if everything works as expected Then, the command will return /:

Output

sftp> pwd
Remote working directory: /

4) You can also list the remote files and directories. Do it using the ls command. Next, you will see the directories, you previously created:

Output

sftp> ls
public_html  uploads

FAQs relating to the SFTP Installation

Why is it important to set up a Chroot Jail for SFTP?

Setting up a Chroot Jail adds an additional layer of security, ensuring that SFTP users can only access their designated directory and not the rest of the system, guarding against unauthorized access.

How do I install OpenSSH server on Ubuntu 20.04?

You can install the OpenSSH server on Ubuntu 20.04 by running the command sudo apt-get install openssh-server in the terminal.

How do I create an SFTP-only user?

Create an SFTP-only user by running the command sudo adduser --shell /usr/bin/nologin <username> to restrict the user to SFTP access only.

How do I configure the Chroot Jail?

Configure the Chroot Jail by modifying the sshd_config file (usually located in /etc/ssh/sshd_config) and adding the necessary configurations. For example, specifying ChrootDirectory /path/to/directory restricts users to that directory.

What permissions should be set for the Chroot Jail directory?

Set the permissions of the Chroot Jail directory to be owned by root and not writable by other users. Use the command sudo chown root:root /path/to/directory and sudo chmod 755 /path/to/directory.

How do I restart the OpenSSH server after making configuration changes?

You can restart the OpenSSH server by running the command sudo systemctl restart sshd.

What should I do if I encounter permission issues within the Chroot Jail?

Ensure that the permissions for files and directories within the Chroot Jail are properly set, and that the SFTP user has the necessary permissions for accessing and modifying files.