SFTP Jailed
How to configure a secured and jailed SFTP
To configure your server with a jailed SFTP user, do the following:
Edit the sshd_config file
We need to comment out the following line:
Subsystem sftp /usr/libexec/openssh/sftp-server
and add an uncommented internal-sftp line below it, so the modified section looks like this:
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Also, at the end of the file, add the following lines:
Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp
After saving all the changes, restart the sshd daemon:
service sshd restart
Add the sftponly group
groupadd sftponly
Add the jailed user and add it to the sftponly group
useradd -m USERNAME
passwd USERNAME
usermod -aG sftponly,apache USERNAME
IMPORTANT: Create the directories and set the correct permissions (the home directory is the chroot, so it must be owned by root and not writable by anyone else)
chown root:root /home/USERNAME
chmod 755 /home/USERNAME
mkdir /home/USERNAME/TEST.DOMAIN.COM
chown apache:apache /home/USERNAME/TEST.DOMAIN.COM
chmod 775 /home/USERNAME/TEST.DOMAIN.COM
mkdir /var/www/vhost/TEST.DOMAIN.COM
chown apache:apache /var/www/vhost/TEST.DOMAIN.COM
chmod 775 /var/www/vhost/TEST.DOMAIN.COM
Note: If you have any connection problems, double-check the permissions on the folders and check the logs in /var/log/secure:
tail -f /var/log/secure
Mount the DocumentRoot path on the jailed user's home directory:
mount -o bind,noatime /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM
Make the mount point permanent by editing the fstab file:
vi /etc/fstab
Add the mount entry at the end of the file:
/var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM none bind,noatime 0 0
Save and exit.
Test the connection:
sftp SERVERIP
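The note above says to re-check folder permissions when the login fails. The script below, an added example that is not part of the original how-to, makes that check concrete: sshd only accepts a ChrootDirectory when the directory and every parent component up to / are owned by root and are not group- or world-writable, which is why the home directory above is chowned to root:root and chmodded to 755. It generalizes the page's single chown/chmod step to the whole path chain and assumes GNU coreutils stat (Linux); the script name chroot_check.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original how-to. Verifies that a directory is
# usable as sshd's ChrootDirectory: it and every parent up to / must be owned
# by root and must not be group- or world-writable. When this is violated,
# sshd logs "bad ownership or modes for chroot directory" in /var/log/secure
# and disconnects the client right after authentication.
# Assumes GNU coreutils stat (Linux).

# check_dir_entry UID MODESTRING: return 0 if a directory with numeric owner
# UID and symbolic mode MODESTRING (as printed by stat -c '%A') is acceptable.
check_dir_entry() {
    uid=$1 perm=$2 ok=0
    [ "$uid" = 0 ] || { echo "  owner uid $uid (must be root)"; ok=1; }
    # In "drwxrwxrwx" character 6 is the group write bit and character 9
    # the other write bit; a sticky bit only changes character 10.
    case "$perm" in
        ?????w*)    echo "  group-writable ($perm)"; ok=1 ;;
    esac
    case "$perm" in
        ????????w*) echo "  world-writable ($perm)"; ok=1 ;;
    esac
    return $ok
}

# check_chroot_path DIR: walk from DIR up to / and check every component.
check_chroot_path() {
    dir=$1 rc=0
    case "$dir" in /*) ;; *) echo "$dir: give an absolute path"; return 1 ;; esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "$dir: not a directory"
            return 1
        fi
        echo "$dir"
        check_dir_entry "$(stat -c '%u' "$dir")" "$(stat -c '%A' "$dir")" || rc=1
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage: sh chroot_check.sh /home/USERNAME
if [ -n "$1" ]; then
    if check_chroot_path "$1"; then
        echo "OK: $1 is usable as ChrootDirectory"
    else
        echo "FAIL: fix the entries listed above, then retry the sftp login"
        exit 1
    fi
fi
```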