Configure Sftp with User Jails

So, at your organization there is a high likelihood that you will need to create an FTP server to allow your customers and vendors to send you files.  While having an ftp server is useful and all, the old standard ftp server probably isn’t where you want to be going these days.

The issue is that the old ftp was great at transferring files, but really poor in the security department.  My biggest issue is that everything is sent across the wire in plain text, so if somebody is watching your traffic, they can get your username and password quite easily.

Even better is to create a micro-environment where the user can login, see only his/her directory and be kept to that directory only.  Building this micro-environment for your sftp users is called “jailing your users”.

In this article, I hope to make it easy for you to configure sftp with user jails, where users are locked down into their own micro-environment, building a very secure server for file transfer for your customers, partners, employees, etc…  These steps were taken on a CentOS 6 box:

First, Create the Sftp User

Obviously, you have to have a userid and password to give to those who will be accessing your server via sftp.  In my case, the username will be “jimmer” and I will be creating a home directory for the jimmer user in the /home/jimmer directory:

$ sudo /usr/sbin/useradd -d /home/jimmer jimmer

Make a Difficult Password

What would the point be in making a nice secure sftp environment if the password was simple to guess?  I suggest upper and lower and numbers, with at least 8 characters.

$ sudo /usr/bin/passwd jimmer

Set Some Permissions

We need to be sure to limit their permissions. Here we will even limit their permissions on the userid’s home directory:

$ sudo chown root:root /home/jimmer
$ sudo chown -R root:root /home/jimmer
$ sudo chmod 755 /home/jimmer


Create a Directory Into Which Files Can be Uploaded

We need to create a directory that they can change into and upload or retrieve their files.  Let’s give them ownership of this directory.

$ sudo mkdir /home/jimmer/incoming
$ sudo chown jimmer:jimmer /home/jimmer/incoming

Edit the /etc/ssh/sshd_config file and Add

This is the part that “jails” the user into their own directory so that they cannot change directories elsewhere and explore the system.  It is important for this section to be at the very bottom of the /etc/ssh/sshd_config file.  A Match block runs until the next Match line or the end of the file, so any global directive placed after it is read as part of the block and sshd may refuse to start.

Match User jimmer
ChrootDirectory /home/jimmer
ForceCommand internal-sftp
AllowTcpForwarding no
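
sshd drops the session if any component of the ChrootDirectory path is not owned by root or is writable by group or others, which is why /home/jimmer was handed to root above. The check below is an added example, not part of the original article; the function name chroot_path_problems and its optional owner_uid argument are assumptions made for illustration, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the article): list every component of a
# ChrootDirectory path that sshd would reject. sshd requires each component,
# from / down to the jail itself, to be a directory owned by root and not
# writable by group or others.
#
# Usage: chroot_path_problems /home/jimmer [owner_uid]
# owner_uid is an assumption of this example: it defaults to 0 (root) and is
# only there so the check can be tried out without root privileges.
# Requires GNU stat (coreutils), as shipped with CentOS.
chroot_path_problems() {
    dir=$1
    want_uid=${2:-0}
    case $dir in
        /*) ;;
        *) echo "$dir: ChrootDirectory must be an absolute path"; return 0 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "$dir: not a directory"
        else
            uid=$(stat -L -c %u "$dir")    # numeric owner
            mode=$(stat -L -c %a "$dir")   # octal permission bits, e.g. 755
            [ "$uid" = "$want_uid" ] || echo "$dir: owned by uid $uid, expected $want_uid"
            # 022 = the write bit for group plus the write bit for others
            [ $(( 0$mode & 022 )) -eq 0 ] || echo "$dir: mode $mode is group- or world-writable"
        fi
        [ "$dir" != / ] || break
        dir=$(dirname "$dir")
    done
}

# Report for the jail built above; no output means every component passes.
chroot_path_problems "${1:-/home/jimmer}"
```

The incoming directory is not part of the chroot path itself, so it can stay owned by jimmer.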

Restart Sshd

For our changes in the /etc/ssh/sshd_config file to take effect, we need to restart the sshd service.

$ sudo /sbin/service sshd restart


Test It All Out

Now test out your new sftp server to be sure that it works!  We will use the sftp client on my CentOS server for this.  You can use any client that supports sftp, such as FileZilla, Cyberduck, etc…

First, let’s create a file that we can send to the sftp server.

$ echo "test jimmer file" > myfile

Now, let’s login to the sftp server:

$ sftp jimmer@ftp.uptimemadeeasy.com
+---------------------------------------------------------------+
|                                                               |
| WARNING!!! THIS SYSTEM IS MONITORED!                          |
|                                                               |
| Unauthorized access to this system is prohibited. If you      |
| have not been authorized for access by system administrators  |
| disconnect now. Unauthorized access can lead to prosecution   |
| and other disciplinary action.                                |
+---------------------------------------------------------------+
jimmer@ftp.uptimemadeeasy.com's password:
Connected to ftp.uptimemadeeasy.com.

Let’s look around a bit and change into the incoming directory that we created:

sftp> ls
incoming
sftp> cd incoming

Ok. Now, let’s upload our file:

sftp> put myfile
Uploading myfile to /incoming/myfile
myfile                                      100%   17     0.0KB/s   00:00

Now, let’s disconnect from the sftp server:

sftp> bye

Let’s look at some common errors and fixes for those errors:

Restarting Sshd Fails With “Directive AllowUsers is not Allowed Within a Match Block”

# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 147: Directive 'AllowUsers' is not allowed within a Match block
[FAILED]

This error appears when the Match User section that we specified above is not the last item in the /etc/ssh/sshd_config file.  I need to edit the file and move the other directives higher in the sshd_config file, above the Match User section.  Then we restart sshd.
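
To spot this before restarting, the following check lists directives that have ended up inside a Match block. It is an added example, not part of the original article; the function names are made up for illustration, the sample config is constructed, and it assumes a jail block holds only the directives used in the block above.

```shell
#!/bin/sh
# Added example (not from the article): list directives that sshd will read
# as part of a Match block. A Match block lasts until the next Match line or
# the end of the file, so a global directive placed below it lands inside.
#
# Assumption of this example: a jail block holds only the directives the
# article's block uses (ChrootDirectory, ForceCommand, AllowTcpForwarding);
# anything else found inside a Match block is reported for review.
match_block_strays() {
    awk '
        BEGIN {
            ok["chrootdirectory"] = 1
            ok["forcecommand"] = 1
            ok["allowtcpforwarding"] = 1
        }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        { key = tolower($1) }                 # keywords are case-insensitive
        key == "match" { in_match = 1; next } # a new Match opens a new block
        in_match && !(key in ok) { printf "line %d: %s\n", NR, $1 }
    ' "$1"
}

# Constructed sample: the jail block followed by a misplaced global directive.
sample_config() {
    cat <<'EOF'
Port 22
PasswordAuthentication yes

Match User jimmer
    ChrootDirectory /home/jimmer
    ForceCommand internal-sftp
    AllowTcpForwarding no

# added later by someone appending to the end of the file
AllowUsers jimmer admin
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
match_block_strays "$tmp"    # prints: line 10: AllowUsers
rm -f "$tmp"
```

Running `sudo /usr/sbin/sshd -t` before the restart makes sshd parse the file and report the same error while the running daemon keeps serving.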

Jeff Staten has 20 years of professional IT experience, having done nearly everything in his roles of IT consultant, Systems Integrator, Systems Engineer, CNOC Engineer, Systems Administrator, Network Systems Administrator, and IT Director. If there is one thing he knows for sure, it is that there is always a simple answer to every IT problem and that downtime begins with complexity. Seasoned IT professional by day, Jeff hopes to help other IT professionals by blogging about his experiences at night on his blog: http://uptimemadeeasy.com. You can find Jeff on LinkedIn or Twitter.
