So, at your organization there is a high likelihood that you will need to create an FTP server to allow your customers and vendors to send you files. While having an ftp server is useful and all, the old standard ftp server probably isn’t where you want to be going these days.
The issue is that the old ftp was great at transferring files, but really poor in the security department. My biggest issue is that everything, credentials included, is sent across the wire in plain text, so anybody watching your traffic can pick up your username and password quite easily.
SFTP (file transfer over SSH) fixes that, and even better is to create a micro-environment where the user can log in, see only his/her own directory and be kept to that directory only. Building this micro-environment for your sftp users is called “jailing your users”.
In this article, I hope to make it easy for you to configure sftp with user jails, where each user is locked down into their own micro-environment, giving you a very secure file transfer server for your customers, partners, employees, etc… These steps were taken on a CentOS 6 box:
First, Create the Sftp User
Obviously, you have to have a userid and password to give to those who will be accessing your server via sftp. In my case, the username will be “jimmer” and I will be creating a home directory for the jimmer user in the /home/jimmer directory:
$ sudo /usr/sbin/useradd -d /home/jimmer jimmer
Make a Difficult Password
What would the point be in making a nice secure sftp environment if the password was simple to guess? I suggest upper- and lower-case letters and numbers, with at least 8 characters.
$ sudo /usr/bin/passwd jimmer
Set Some Permissions
We need to be sure to limit their permissions. Here we will even limit their permissions on the userid’s home directory: it will become the root of the jail, so it has to be owned by root and must not be writable by the user.
$ sudo chown root:root /home/jimmer
$ sudo chown -R root:root /home/jimmer
$ sudo chmod 755 /home/jimmer
Create a Directory Into Which Files Can be Uploaded
We need to create a directory that they can change into and upload or retrieve their files. Let’s give them ownership of this directory.
$ sudo mkdir /home/jimmer/incoming
$ sudo chown jimmer:jimmer /home/jimmer/incoming
Edit the /etc/ssh/sshd_config file and Add
This is the part that “jails” the user into their own directory so that they cannot change directories elsewhere and explore the system. It is important for this section to be at the very bottom of the /etc/ssh/sshd_config file: every directive that follows a Match line is treated as part of that Match block, and sshd refuses to start if it finds a directive there that is not allowed inside a Match block.
Match User jimmer
    ChrootDirectory /home/jimmer
    ForceCommand internal-sftp
    AllowTcpForwarding no
For our changes in the /etc/ssh/sshd_config file to take effect, we need to restart the sshd service.
sudo /sbin/service sshd restart
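The chown/chmod steps above are not optional: before sshd lets a jailed user in, it checks the whole ChrootDirectory path, and every component from / down to /home/jimmer must be a root-owned directory that is not writable by group or others (the incoming directory below it is exempt, because it is not part of the chroot path). The following POSIX shell script is an added example, not from the original article, that performs the same audit on any path. It assumes only ls and dirname and builds its own throwaway directory tree for the demonstration.

```shell
# Added example, not part of the original article: audit a ChrootDirectory
# path the way sshd does before it accepts the jail. sshd requires every
# component of the path, from / down to the jail itself, to be a directory
# owned by root and not writable by group or others; if any component fails,
# the jailed user's login is refused with "bad ownership or modes for chroot
# directory component". Runs as any user because it only reads ls output.

# component_problems MODE OWNER PATH
#   MODE and OWNER are the first and third fields of `ls -ld PATH`.
#   Prints one line per violation; returns 0 when the component is acceptable.
component_problems() {
    mode=$1 owner=$2 path=$3 bad=0
    case $mode in
        d*) ;;
        *) echo "$path: not a directory"; bad=1 ;;
    esac
    if [ "$owner" != root ]; then
        echo "$path: owned by $owner, must be root"; bad=1
    fi
    # in drwxr-xr-x, character 6 is the group write bit and 9 the other write bit
    case $mode in
        ?????w*|????????w*) echo "$path: writable by group or others ($mode)"; bad=1 ;;
    esac
    return $bad
}

# check_jail_path DIR: walk DIR, its parent, ... up to / and report every
# component sshd would reject. Returns 0 only when the whole path is clean.
check_jail_path() {
    p=$1 failures=0
    while :; do
        set -- $(ls -ld "$p")           # $1 mode string, $3 owner name
        component_problems "$1" "$3" "$p" || failures=$((failures + 1))
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    [ "$failures" -eq 0 ]
}

# Demo on a constructed tree that mirrors the article's layout. The jail
# itself gets 755 as the article does; "incoming" is deliberately 777 here to
# show how a writable component is reported. Because the tree lives under the
# (usually world-writable) temp directory, that component is flagged as well,
# which is exactly why sshd will not accept a jail placed under /tmp.
demo=$(mktemp -d)
mkdir -p "$demo/jimmer/incoming"
chmod 755 "$demo/jimmer"
chmod 777 "$demo/jimmer/incoming"
echo "== checking $demo/jimmer (the ChrootDirectory) =="
check_jail_path "$demo/jimmer" && echo "sshd would accept this jail"
echo "== checking $demo/jimmer/incoming (must NOT be used as the ChrootDirectory) =="
check_jail_path "$demo/jimmer/incoming" || echo "sshd would refuse this jail"
rm -rf "$demo"
```

Run check_jail_path /home/jimmer on the real server after the chown/chmod steps. When sshd rejects a path at login time it logs "bad ownership or modes for chroot directory component" to /var/log/secure on CentOS, and the component it names is the one to fix.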
Test It All Out
Now test out your new sftp server to be sure that it works! We will use the sftp client on my CentOS server for this. You can use any client that supports sftp, such as FileZilla, Cyberduck, etc…
First, let’s create a file that we can send to the sftp server.
$ echo "test jimmer file" > myfile
Now, let’s login to the sftp server:
$ sftp email@example.com
+---------------------------------------------------------------+
|                                                               |
|             WARNING!!! THIS SYSTEM IS MONITORED!              |
|                                                               |
| Unauthorized access to this system is prohibited. If you      |
| have not been authorized for access by system administrators  |
| disconnect now. Unauthorized access can lead to prosecution   |
| and other disciplinary action.                                |
|                                                               |
+---------------------------------------------------------------+
firstname.lastname@example.org's password:
Connected to ftp.uptimemadeeasy.com.
Let’s look around a bit and change into the incoming directory that we created:
sftp> ls
incoming
sftp> cd incoming
Ok. Now, let’s upload our file:
sftp> put myfile
Uploading myfile to /incoming/myfile
myfile                                        100%   17     0.0KB/s   00:00
Now, let’s disconnect from the sftp server:
Let’s look at some common errors and fixes for those errors:
Restarting Sshd Fails With “Directive AllowUsers is not Allowed Within a Match Block”
# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 147: Directive 'AllowUsers' is not allowed within a Match block
                                                           [FAILED]
This error comes when the Match User section that we specified above is not the last item in the /etc/ssh/sshd_config file. Everything after the Match User line is parsed as part of that Match block, and AllowUsers is not permitted there. Edit the file and move the other directives higher in sshd_config, above the Match User section, then restart sshd.
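One way to catch this placement mistake before restarting sshd, as an added example that is not part of the original article: the POSIX shell function below scans an sshd_config and reports any directive that follows the first Match line and is not on a list of Match-permitted keywords. The list MATCH_OK is an assumption of this demo (the directives used in this article's Match block plus a few that sshd_config(5) lists as valid inside Match); the full list for your OpenSSH version comes from that man page. The sample configuration is constructed for the demonstration.

```shell
# Added example, not part of the original article: check an sshd_config for
# the mistake behind "Directive 'AllowUsers' is not allowed within a Match
# block" before restarting sshd. Everything after the first "Match" line is
# parsed as part of that block (until the next Match), so any global directive
# placed below it is rejected and sshd fails to start.
# MATCH_OK is an assumption for this demo: the directives the article's Match
# block uses plus a few that sshd_config(5) lists as permitted inside Match.
# Take the full list for your OpenSSH version from that man page.
MATCH_OK="ChrootDirectory ForceCommand AllowTcpForwarding AllowAgentForwarding PasswordAuthentication PubkeyAuthentication PermitRootLogin X11Forwarding Banner"

# check_match_blocks FILE
#   Prints every directive that appears after a Match line and is not in
#   MATCH_OK, with its line number. Returns 0 when nothing was flagged.
check_match_blocks() {
    awk -v ok="$MATCH_OK" '
        BEGIN {
            n = split(ok, list, " ")
            for (i = 1; i <= n; i++) allowed[tolower(list[i])] = 1
            bad = 0
        }
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        {
            name = $1
            sub(/=.*/, "", name)           # sshd also accepts "Key=value"
            key = tolower(name)
        }
        key == "match" { in_match = 1; next }
        in_match && !(key in allowed) {
            printf "line %d: %s is not valid inside a Match block; move it above the first Match\n", NR, name
            bad++
        }
        END { if (bad > 0) exit 1 }
    ' "$1"
}

# Demo on a constructed sshd_config (not a real server's file) that repeats
# the article's mistake: AllowUsers has ended up below the Match User block.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config for the demonstration
Port 22
Subsystem sftp /usr/libexec/openssh/sftp-server

Match User jimmer
    ChrootDirectory /home/jimmer
    ForceCommand internal-sftp
    AllowTcpForwarding no
AllowUsers jimmer admin
EOF
check_match_blocks "$demo" || echo "fix sshd_config before running 'service sshd restart'"
rm -f "$demo"
```

sshd -t -f /etc/ssh/sshd_config is the authoritative check, since it runs the real parser and reports the same "not allowed within a Match block" error without touching the running service; the script above is for reviewing a file before it reaches the server, for example in a configuration repository.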