SFTP Jailed

How to configure a secured, jailed SFTP server

To configure your server so that a user is jailed (chrooted) when connecting over SFTP, follow these steps:

  1. Edit the sshd_config file

    Comment out the following line:

    Subsystem sftp /usr/libexec/openssh/sftp-server
    

    And add the uncommented line shown below. After the modification, it will look like this:

    # Subsystem sftp /usr/libexec/openssh/sftp-server
    Subsystem sftp internal-sftp
    

    Also, add the following lines at the end of the file:

    Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp
    

    After saving all the changes, restart the sshd daemon:

    service sshd restart
    
  2. Add sftponly group

    groupadd sftponly
    
    1. Add the jailed user and add it to the sftponly group:

    useradd -m USERNAME
    passwd USERNAME
    usermod -aG sftponly,apache USERNAME
    
  3. IMPORTANT: Create directory and establish correct permissions

    chown root:root /home/USERNAME
    chmod 755 /home/USERNAME
    mkdir /home/USERNAME/TEST.DOMAIN.COM
    chown apache:apache /home/USERNAME/TEST.DOMAIN.COM
    chmod 775 /home/USERNAME/TEST.DOMAIN.COM
    mkdir /var/www/vhost/TEST.DOMAIN.COM
    chown apache:apache /var/www/vhost/TEST.DOMAIN.COM
    chmod 775 /var/www/vhost/TEST.DOMAIN.COM
    

    Note: If you have any connection problems, double-check the permissions on the folders and check the log in /var/log/secure:

    tail -f /var/log/secure
    
  4. Mount DocumentRoot path on jailed user home directory

    mount -o bind,noatime /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM
    
  5. Make the mount point permanent by editing the fstab file:

    vi /etc/fstab
    

    Add the mount point at the end of the file:

    /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM none bind,noatime 0 0
    

    Save and exit

  6. Test connection:

    sftp USERNAME@SERVERIP
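
The permissions in step 3 matter because sshd refuses the chroot unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others (see sshd_config(5)). The script below is an added example, not part of the original page, that audits a jail path against that rule; the function names `check_dir` and `check_chroot` and the optional UID argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against the ownership and
# mode rule sshd applies before accepting the jail.

# check_dir DIR [UID]: succeed if DIR is a directory owned by UID
# (default 0, root) and not writable by group or others.
check_dir() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    # ls -ldn prints e.g. "drwxr-xr-x 3 0 0 ..."; keep mode and numeric owner
    info=$(ls -ldn -- "$dir" | awk 'NR==1 {print $1, $3}')
    mode=${info% *}
    uid=${info#* }
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "FAIL $dir: mode $mode is group/other writable"; return 1
    fi
    echo "OK   $dir ($mode uid=$uid)"
}

# check_chroot DIR [UID]: apply check_dir to DIR and every parent up to /.
check_chroot() {
    path=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: cannot enter"; return 1; }
    rc=0
    while :; do
        check_dir "$path" "${2:-0}" || rc=1
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage (USERNAME is the page's placeholder):
#   check_chroot /home/USERNAME
```

A FAIL line on /home/USERNAME or any parent directory points at the same permission problem that sshd reports in /var/log/secure when the login is rejected.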
    
