
Easy Centos SFTP Chroot User Jail

June 14, 2010

I had to set up an SFTP site for a customer that required a true per-user chroot jail: each user lands directly in their own home directory. The other requirements were that users must not see other users' folders (not even their names), authentication via Active Directory, and no SSH or other access.
After much research and trial and error, I concluded that OpenSSH simply would not do it on its own. OpenSSH offers a ChrootDirectory option, but with a very annoying limitation. From the man page: “This path, and all its components, must be root-owned directories that are not writable by any other user or group.” (The restriction is deliberate: a user who can write to the chroot root could plant their own /etc or library files inside it.) So how do you chroot a user into a home directory that must be root-owned and not writable by them? You can't. You can jail everyone under /home/, but then each user sees the other users' directory names even if they can't enter them, and when the goal is to keep clients from learning each other's names, that's not an option.
(On a side note, I was able to get it mostly working by putting this line in /etc/samba/smb.conf:

template homedir = /home/%U/%U

which creates home directories like this:

/home/joeblow/joeblow

and setting this in /etc/ssh/sshd_config:

ChrootDirectory /home/%u

This meets the security requirements: /home/joeblow is root-owned, so sshd accepts it as the chroot, and the user's writable home sits one level below it. For a no-shell setup it would be combined with a Match block and ForceCommand internal-sftp. But it is an annoyance to users, who have to descend into a subdirectory before they can upload files.)
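As an added example (not from the original post), here is a POSIX shell pre-flight check for the sshd requirement quoted above: it walks a ChrootDirectory path from the leaf up to / and reports any component that is not a directory owned by the expected uid (root by default) or that is group- or world-writable, mirroring the checks sshd performs before it chroots. A second helper lays out the /home/USER/USER structure the smb.conf trick produces. The function names, the /home default, the optional TOP argument and the use of GNU coreutils (stat -c, install) as found on CentOS are my assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for OpenSSH's ChrootDirectory rule
# ("root-owned directories that are not writable by any other user or group")
# plus a helper for the /home/USER/USER layout described above.
# Assumes GNU coreutils (stat -c, install) as on CentOS; function names are mine.

# check_one DIR OWNER_UID: test a single path component the way sshd does
# (follow symlinks, require a directory, owner == OWNER_UID, no g/o write bit).
# stat %A prints e.g. "drwxr-xr-x": char 6 is the group w bit, char 9 the
# other w bit. Prints a reason to stderr and returns 1 on any failure.
check_one() {
    d=$1 w=$2 bad=0
    if [ ! -d "$d" ]; then
        echo "FAIL $d: not a directory" >&2
        return 1
    fi
    uid=$(stat -L -c %u "$d") || return 1
    perm=$(stat -L -c %A "$d") || return 1
    if [ "$uid" != "$w" ]; then
        echo "FAIL $d: owned by uid $uid, expected $w" >&2; bad=1
    fi
    case $perm in ?????w*)    echo "FAIL $d: group-writable ($perm)" >&2; bad=1 ;; esac
    case $perm in ????????w*) echo "FAIL $d: world-writable ($perm)" >&2; bad=1 ;; esac
    return $bad
}

# check_chroot_path PATH [OWNER_UID] [TOP]: check PATH and every parent up
# to TOP (default /, which is what sshd checks; a narrower TOP only makes
# sense for testing a subtree). OWNER_UID defaults to 0 (root).
# Returns 0 when every component passes, 1 otherwise.
check_chroot_path() {
    p=$1 want=${2:-0} top=${3:-/} rc=0
    case $p in
        /*) ;;
        *)  echo "FAIL $p: ChrootDirectory must be absolute" >&2; return 1 ;;
    esac
    while :; do
        check_one "$p" "$want" || rc=1
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# make_sftp_home USER [BASE]: lay out BASE/USER (root-owned 0755, the chroot)
# and BASE/USER/USER (the user's writable home, 0700), then verify the chroot
# path. Must run as root; BASE defaults to /home (my assumption). For local
# accounts also point the account's home at BASE/USER/USER (usermod -d).
make_sftp_home() {
    u=$1 base=${2:-/home}
    id "$u" >/dev/null 2>&1 || { echo "no such user: $u" >&2; return 1; }
    install -d -m 0755 -o root -g root "$base/$u" || return 1
    install -d -m 0700 -o "$u" -g "$(id -g "$u")" "$base/$u/$u" || return 1
    check_chroot_path "$base/$u" 0
}

# Usage: sh sftp_jail.sh check /home/joeblow
#        sh sftp_jail.sh home joeblow
case ${1:-} in
    check) shift; check_chroot_path "$@" ;;
    home)  shift; make_sftp_home "$@" ;;
esac
```

Run the check against the exact string you put in ChrootDirectory before restarting sshd; a failing component is the same one sshd will reject at login with "bad ownership or modes for chroot directory".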
rssh is another option some people use instead of OpenSSH, but it has the same limitation, and in addition requires copying a set of system binaries and libraries into the chroot directory.
Then I discovered the ProFTPD project. The current version has a module, mod_sftp, that serves SFTP, and its DefaultRoot directive jails each session in the user's own home directory with no root-ownership requirement on that directory. So I moved OpenSSH to a port other than 22, installed ProFTPD (built from source, since I couldn't find a current CentOS RPM with SFTP support), and it worked beautifully. Some extra steps were needed to make it work smoothly with Active Directory, but once configured, all my customer has to do to onboard someone is create an Active Directory account, nothing else at all. The user can then log in and lands directly in their home directory, which is created automatically on first login. The settings and configuration files are below.

First (optional, only if you want AD authentication), build CentOS 5.5 with a working Samba and Winbind configuration (see my other post, CentOS 5.2 and Winbind). Verify that AD users can log in via SSH and that their home directory is created automatically. Note that this means every AD user can also get a shell on the SSH port; once SFTP is working, restrict sshd (for example with AllowGroups for an admin group) or give the Winbind template shell a value such as /sbin/nologin, otherwise the "no SSH access" requirement is not met. (If that shell is not listed in /etc/shells, ProFTPD then needs RequireValidShell off.)

Move OpenSSH off port 22 so ProFTPD can take it. Keep an existing session open while you restart sshd, and make sure the firewall (and SELinux, if enforcing) permits sshd on the new port:

#/etc/ssh/sshd_config
#Port 22
Port 222  #Something other than 22

ProFTPD 1.3.3rc4 build configuration (mod_sftp links against OpenSSL, so install openssl-devel first; follow the configure with make and make install):

./configure --prefix=/usr --sysconfdir=/etc --with-modules=mod_sftp

You may need to create or edit /etc/pam.d/samba. The AuthPAMConfig samba directive below makes ProFTPD authenticate through this stack, and its session line is what creates the home directory on first login if system-auth includes pam_mkhomedir, as in the Winbind setup:

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth

ProFTPD configuration:

#/etc/proftpd.conf
ServerName                      "My SFTP Server"
ServerType                      standalone
DefaultServer                   on
IdentLookups                    off
# ProFTPD takes over port 22 so clients need no special port; sshd moved to 222 above
Port                            22
UseIPv6                         off
# new files 644, new directories 755
Umask                           022
MaxInstances                    30
# bind port 22 as root, then run as an unprivileged account
User                            nobody
Group                           nobody
# jail every session in the user's own home directory
DefaultRoot ~
AllowOverwrite          on
# users may not change modes on their files (no SITE CHMOD)
<Limit SITE_CHMOD>
  DenyAll
</Limit>

#SFTP Support
SFTPEngine      On
# reuse the OpenSSH host keys so clients keep the host fingerprint they already trust
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
# clients whose version string matches get SFTP protocol version 4
SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 4
# ignore the modes clients request on upload; files get the Umask above
SFTPOptions IgnoreSFTPUploadPerms

#Winbind support
# look users up through NSS (winbind) rather than reading /etc/passwd directly
PersistentPasswd   off
# authenticate against the /etc/pam.d/samba stack above
AuthPAMConfig samba
#If the line above does not work, try this instead; it will not auto-create home directories, though:
#AuthPAMConfig proftp
AuthPAM on
# PAM is authoritative for passwords (the *); mod_auth_unix still supplies uid/gid/home via NSS
AuthOrder mod_auth_pam.c* mod_auth_unix.c

NOTE: If you also want to enable FTP, Explicit SSL-FTP, and Implicit SSL-FTP on the same server, I have another config you can use here.
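As an added example (not from the original post or the ProFTPD project), the following POSIX shell script lints a proftpd.conf for the directives that actually enforce the jail described here: DefaultRoot ~, DenyAll inside the SITE_CHMOD limit, IgnoreSFTPUploadPerms, an unprivileged User and Group, and PersistentPasswd off whenever PAM is in use for winbind accounts. The function names, the "missing:/weak:" wording and the embedded sample (a constructed copy of the config above) are my own.

```shell
#!/bin/sh
# Added example: lint a proftpd.conf for the directives that make the
# per-user SFTP jail above hold. Not part of the original post; the
# function names and the finding wording are my own.

# has REGEX: case-insensitive extended-regex match anywhere in $conf.
# ProFTPD treats directive names case-insensitively, so the check does too.
has() { grep -Eiq -- "$1" "$conf"; }

# audit_proftpd_conf FILE: prints one line per finding on stdout and
# returns the number of findings (0 means every check passed).
audit_proftpd_conf() {
    conf=$1 n=0
    ws='[[:space:]]'

    # Without DefaultRoot ~ a session starts at / of the real filesystem and
    # every user can list the names of the other users' home directories.
    has "^$ws*DefaultRoot$ws+~" || { echo "missing: DefaultRoot ~"; n=$((n+1)); }

    has "^$ws*SFTPEngine$ws+on" || { echo "missing: SFTPEngine on"; n=$((n+1)); }

    # Bind 22 as root, then drop to an unprivileged account.
    if has "^$ws*User$ws+root"; then echo "weak: User root"; n=$((n+1)); fi
    has "^$ws*User$ws+"  || { echo "missing: User"; n=$((n+1)); }
    has "^$ws*Group$ws+" || { echo "missing: Group"; n=$((n+1)); }

    # Clients may not set modes on upload (IgnoreSFTPUploadPerms) ...
    has "^$ws*SFTPOptions.*IgnoreSFTPUploadPerms" \
        || { echo "missing: SFTPOptions IgnoreSFTPUploadPerms"; n=$((n+1)); }

    # ... nor afterwards with SITE CHMOD. DenyAll has to be inside the
    # <Limit SITE_CHMOD> block, so track the block instead of grepping.
    awk 'tolower($0) ~ /^[ \t]*<limit[ \t]+site_chmod>/ { inblk = 1; next }
         inblk && tolower($0) ~ /^[ \t]*<\/limit>/    { inblk = 0 }
         inblk && tolower($0) ~ /^[ \t]*denyall/       { found = 1 }
         END { exit found ? 0 : 1 }' "$conf" \
        || { echo "missing: DenyAll inside <Limit SITE_CHMOD>"; n=$((n+1)); }

    # With PAM/winbind the users are not in /etc/passwd; PersistentPasswd off
    # makes mod_auth_unix resolve them through NSS instead of reading the file.
    if has "^$ws*AuthPAM$ws+on"; then
        has "^$ws*PersistentPasswd$ws+off" \
            || { echo "missing: PersistentPasswd off (needed for NSS/winbind users)"; n=$((n+1)); }
    fi
    return $n
}

# sample_conf FILE: writes a constructed copy of the post's proftpd.conf so
# the audit can be exercised offline.
sample_conf() {
    cat > "$1" <<'EOF'
ServerName "My SFTP Server"
ServerType standalone
DefaultServer on
Port 22
Umask 022
User nobody
Group nobody
DefaultRoot ~
AllowOverwrite on
<Limit SITE_CHMOD>
  DenyAll
</Limit>
SFTPEngine On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPOptions IgnoreSFTPUploadPerms
PersistentPasswd off
AuthPAMConfig samba
AuthPAM on
AuthOrder mod_auth_pam.c* mod_auth_unix.c
EOF
}

# Usage: sh audit_proftpd.sh /etc/proftpd.conf   (exit status = number of findings)
if [ -n "${1:-}" ]; then
    audit_proftpd_conf "$1"
fi
```

The exit status doubles as the finding count, so the script drops straight into a deployment check or a cron job that alerts on a non-zero result.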
Create the proftpd init script (below) as /etc/init.d/proftpd, chmod +x it, and register it with chkconfig --add proftpd. The header's "chkconfig: - 80 30" gives it no default runlevels, so also run chkconfig proftpd on.

#!/bin/sh
# $Id: proftpd.init,v 1.1 2004/02/26 17:54:30 thias Exp $
#
# proftpd        This shell script takes care of starting and stopping
#                proftpd.
#
# chkconfig: - 80 30
# description: ProFTPD is an enhanced FTP server with a focus towards \
#              simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftpd.conf
# pidfile: /var/run/proftpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -x /usr/sbin/proftpd ] || exit 0

RETVAL=0

prog="proftpd"

start() {
        echo -n $"Starting $prog: "
        daemon proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/proftpd
}

stop() {
        echo -n $"Shutting down $prog: "
        killproc proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/proftpd
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status proftpd
        RETVAL=$?
        ;;
  restart)
        stop
        start
        ;;
  condrestart)
        if [ -f /var/lock/subsys/proftpd ]; then
          stop
          start
        fi
        ;;
  reload)
        echo -n $"Re-reading $prog configuration: "
        killproc proftpd -HUP
        RETVAL=$?
        echo
        ;;
  *)
        echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
        exit 1
esac

exit $RETVAL

Rotate the logs. The proftpd.conf above does not set SystemLog, so ProFTPD logs through syslog by default; point SystemLog (and SFTPLog, if you want per-session SFTP detail) at the file rotated here, and HUP the daemon after rotation so it reopens the file instead of continuing to write into the renamed one:

#/etc/logrotate.d/proftp
/var/log/proftp {
    missingok
    notifempty
    daily
    rotate 7
    # proftpd keeps the old file open after the rename; the init script's
    # reload sends SIGHUP, which makes it reopen its logs
    sharedscripts
    postrotate
        /etc/init.d/proftpd reload > /dev/null 2>&1 || true
    endscript
}
