https://wiki.archlinux.org/api.php?action=feedcontributions&user=Vgavro&feedformat=atomArchWiki - User contributions [en]2024-03-28T12:32:27ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=SFTP_chroot&diff=601837SFTP chroot2020-03-16T17:18:06Z<p>Vgavro: Explicitly explain that password assignment may be required even for key authentication</p>
<hr />
<div>[[Category:File Transfer Protocol]]<br />
[[Category:Secure Shell]]<br />
[[ja:SFTP chroot]]<br />
{{Related articles start}}<br />
{{Related|SSHFS}}<br />
{{Related articles end}}<br />
<br />
[[OpenSSH]] 4.9+ includes a built-in chroot for SFTP, but requires a few tweaks to the normal install.<br />
<br />
== Installation ==<br />
<br />
[[Install]] and configure [[OpenSSH]]. Once running, make sure {{ic|sftp-server}} has been set correctly:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
}}<br />
<br />
Access files with ''sftp'' or [[SSHFS]]. Many standard [[List_of_applications/Internet#FTP_clients|FTP clients]] should work as well.<br />
<br />
==Configuration==<br />
<br />
===Setup the filesystem===<br />
{{Note|<br />
* Readers may select a file access scheme of their own. For example, optionally create a subdirectory for an incoming (writable) space and/or a read-only space. This need not be done directly under {{ic|/srv/ssh/jail}}; it can be done on the live partition, which is then bind mounted there as well.<br />
* It is also possible to chroot into the {{ic|/home}} directory and skip the bind mount; however, the user's home directory must then be owned by root:<br />
# chown root:root /home/<username><br />
# chmod 0755 /home/<username><br />
}}<br />
<br />
Bind mount the live [[filesystem]] to be shared onto the jail directory. In this example, {{ic|/mnt/data/share}} is used; it must be owned by [[user]] {{ic|root}} and have octal [[permissions]] {{ic|755}}:<br />
<br />
# chown root:root /mnt/data/share<br />
# chmod 755 /mnt/data/share<br />
# mkdir -p /srv/ssh/jail<br />
# mount -o bind /mnt/data/share /srv/ssh/jail<br />
<br />
Add entries to [[fstab]] to make the bind mount survive on a reboot:<br />
/mnt/data/share /srv/ssh/jail none bind 0 0<br />
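<br />
sshd refuses to chroot unless every component of the ChrootDirectory path is a directory owned by root and writable by neither group nor others; a violation shows up in the log as {{ic|bad ownership or modes for chroot directory component}}. The following pre-flight check is an added example, not part of this article: it walks a prospective jail path and reports each offending component. The optional expected-owner argument (default uid 0) is an assumption added so the check can be exercised without root.<br />

```shell
#!/bin/sh
# Added example (not part of the ArchWiki page): pre-flight check for a
# prospective sshd ChrootDirectory. sshd requires every component of the path
# to be a root-owned directory that is not writable by group or others.
# The OWNER_UID argument (default 0) is an assumption added so the functions
# can be tested as an unprivileged user.

# check_dir DIR [OWNER_UID] - check a single directory. Prints each violation
# and returns 0 if the directory is acceptable, 1 otherwise.
check_dir() {
    dir=$1
    owner_uid=${2:-0}
    dir_rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # stat -L follows symlinks, as sshd's stat(2) does; %u is the owner uid,
    # %a the octal mode (GNU coreutils stat).
    info=$(stat -L -c '%u %a' "$dir") || return 1
    uid=${info%% *}
    mode=${info#* }
    if [ "$uid" != "$owner_uid" ]; then
        echo "$dir: owned by uid $uid, expected $owner_uid"
        dir_rc=1
    fi
    # Keep only the last two octal digits (group and other permission bits);
    # any leading digits carry the setuid/setgid/sticky and owner bits.
    perm=${mode#"${mode%??}"}
    group=${perm%?}
    other=${perm#?}
    case $group in 2|3|6|7) echo "$dir: writable by group (mode $mode)"; dir_rc=1 ;; esac
    case $other in 2|3|6|7) echo "$dir: writable by others (mode $mode)"; dir_rc=1 ;; esac
    return $dir_rc
}

# check_chroot_path PATH [OWNER_UID] - check every component of an absolute
# path, from the first directory below / down to PATH itself. The root
# directory is assumed to be root-owned 0755 and is not checked here,
# although sshd checks it as well. Returns 0 only if every component passes.
check_chroot_path() {
    path=$1
    owner_uid=${2:-0}
    path_rc=0
    cur=""
    # Split the path on '/' into the positional parameters.
    old_ifs=$IFS
    IFS=/
    set -- $path
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_dir "$cur" "$owner_uid" || path_rc=1
    done
    return $path_rc
}

# Usage on a live system (as root, so the default owner uid 0 applies):
#   check_chroot_path /srv/ssh/jail && echo "OK to use as ChrootDirectory"
```

Run it against the jail path from the bind-mount step before restarting sshd; a world-writable or non-root-owned parent such as a user's home directory is the usual cause of rejected SFTP connections with this setup.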
<br />
=== Create an unprivileged user ===<br />
{{Note|You do not need to create a group, it is possible to use {{ic|Match User}} instead of {{ic|Match Group}}.}}<br />
<br />
Create the {{ic|sftponly}} [[user group]]:<br />
<br />
# groupadd sftponly <br />
<br />
Create a [[user]] whose primary group is ''sftponly'' and whose [[shell]] denies login:<br />
<br />
# useradd -g sftponly -s /usr/bin/nologin -d ''/srv/ssh/jail'' ''username''<br />
<br />
Set a (complex) password to prevent the {{ic|account is locked}} error, which may appear even with key authentication:<br />
<br />
# passwd ''username''<br />
<br />
=== Configure OpenSSH ===<br />
{{Note|You may want to use {{ic|Match User}} instead of {{ic|Match Group}}, as noted in the previous step.}}<br />
<br />
{{hc|/etc/ssh/sshd_config|<nowiki><br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
<br />
Match Group sftponly<br />
ChrootDirectory %h<br />
ForceCommand internal-sftp<br />
AllowTcpForwarding no<br />
X11Forwarding no<br />
PasswordAuthentication no<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|sshd.service}} to apply the changes.<br />
<br />
==== Fixing path for authorized_keys ====<br />
{{Tip|Use the [[SSH_keys#Key_ignored_by_the_server|debug mode]] of OpenSSH on the client and server in case of {{ic|(pre)auth}} error(s).}}<br />
With the default ''AuthorizedKeysFile'' path, [[SSH keys]] authentication fails for chrooted users. To fix this, [[append]] a root-owned directory, e.g. {{ic|/etc/ssh/authorized_keys}}, to ''AuthorizedKeysFile'' in {{ic|/etc/ssh/sshd_config}}:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
AuthorizedKeysFile ''/etc/ssh/authorized_keys/%u'' .ssh/authorized_keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
}}<br />
<br />
Create the ''authorized_keys'' directory, generate an [[SSH_keys#Choosing_the_key_location_and_passphrase|SSH key]] on the client, [[SSH_keys#Manual_method|copy]] the public key into {{ic|/etc/ssh/authorized_keys}} on the server (or use any other preferred method) and [[SSH_keys#Key_ignored_by_the_server|set correct permissions]]:<br />
<br />
# mkdir /etc/ssh/authorized_keys<br />
# chown root:root /etc/ssh/authorized_keys<br />
# chmod 755 /etc/ssh/authorized_keys<br />
# echo 'ssh-rsa <key> <username@host>' >> ''/etc/ssh/authorized_keys/username''<br />
# chmod 644 /etc/ssh/authorized_keys/''username''<br />
<br />
[[Restart]] {{ic|sshd.service}}.<br />
<br />
==Tips and tricks==<br />
=== Write permissions ===<br />
The [[#Setup the filesystem|bind]] path itself must be owned by {{ic|root}}, but files and subdirectories inside it need not be.<br />
In the following example the [[user]] ''www-demo'' uses {{ic|/srv/ssh/www/demo}} as the jail directory:<br />
# mkdir /srv/ssh/www/demo/public_html<br />
# chown www-demo:sftponly /srv/ssh/www/demo/public_html<br />
# chmod 755 /srv/ssh/www/demo/public_html<br />
<br />
The user should now be able to create files/subdirectories inside this directory. See [[File permissions and attributes]] for more information.<br />
<br />
=== Logging ===<br />
<br />
Inside the chroot the SFTP process cannot reach {{ic|/dev/log}}, so its log messages are lost. This can be seen by running {{ic|strace}} on the process once the user connects and attempts to download a file.<br />
<br />
==== Create sub directory ====<br />
Create the sub-directory {{ic|dev}} in the {{ic|ChrootDirectory}}, for example:<br />
# mkdir /usr/local/chroot/user/dev<br />
# chmod 755 /usr/local/chroot/user/dev<br />
<br />
Now create a socket at {{ic|/usr/local/chroot/user/dev/log}} for OpenSSH to log to. You can either bind mount the existing {{ic|/dev/log}} (or {{ic|/run/systemd/journal/dev-log}} if you use journald) onto it, or have {{ic|syslog-ng}}/{{ic|rsyslog}} create it.<br />
<br />
==== Bind to journald ====<br />
<br />
# touch /usr/local/chroot/user/dev/log<br />
# mount --bind /run/systemd/journal/dev-log /usr/local/chroot/user/dev/log<br />
<br />
==== Syslog-ng configuration ====<br />
Add a new source for the chroot's log socket to {{ic|/etc/syslog-ng/syslog-ng.conf}}; for example, change the section:<br />
{{bc|<nowiki>source src {<br />
unix-dgram("/dev/log");<br />
internal();<br />
file("/proc/kmsg");<br />
};</nowiki><br />
}}<br />
<br />
to:<br />
{{bc|<nowiki>source src {<br />
unix-dgram("/dev/log");<br />
internal();<br />
file("/proc/kmsg");<br />
unix-dgram("/usr/local/chroot/user/dev/log");<br />
};</nowiki><br />
}}<br />
<br />
and append:<br />
{{bc|<nowiki>#sftp configuration<br />
destination sftp { file("/var/log/sftp.log"); };<br />
filter f_sftp { program("internal-sftp"); };<br />
log { source(src); filter(f_sftp); destination(sftp); };</nowiki><br />
}}<br />
<br />
(Optional) If you would like to similarly log SSH messages to its own file:<br />
<br />
{{bc|<nowiki>#sshd configuration<br />
destination ssh { file("/var/log/ssh.log"); };<br />
filter f_ssh { program("sshd"); };<br />
log { source(src); filter(f_ssh); destination(ssh); };</nowiki><br />
}}<br />
(From [[Syslog-ng#Move log to another file]])<br />
<br />
==== OpenSSH configuration ====<br />
<br />
Edit {{ic|/etc/ssh/sshd_config}} to replace all instances of {{ic|internal-sftp}} with {{ic|internal-sftp -f AUTH -l VERBOSE}} ({{ic|-f}} selects the syslog facility, {{ic|-l}} the log level).<br />
<br />
==== Restart service ====<br />
<br />
[[Restart]] the {{ic|syslog-ng}} and {{ic|sshd}} services.<br />
<br />
{{ic|/usr/local/chroot/user/dev/log}} should now exist.<br />
<br />
== Alternatives to SFTP ==<br />
<br />
=== Secure copy protocol (SCP) ===<br />
Installing {{Pkg|openssh}} provides the ''scp'' command to transfer files. SCP may be faster than using SFTP [https://superuser.com/questions/134901/whats-the-difference-between-scp-and-sftp].<br />
<br />
[[Install]] {{Aur|rssh}} or {{Pkg|scponly}} as alternative shell solutions.<br />
<br />
==== Scponly ====<br />
<br />
[[Install]] {{Pkg|scponly}}.<br />
<br />
For existing users, simply set the user's shell to scponly:<br />
<br />
# usermod -s /usr/bin/scponly ''username''<br />
<br />
See [https://github.com/scponly/scponly/wiki the Scponly Wiki] for more details.<br />
<br />
==== Adding a chroot jail ====<br />
<br />
The package comes with a script to create a chroot. To use it, run:<br />
<br />
# /usr/share/doc/scponly/setup_chroot.sh<br />
* Answer the script's prompts<br />
* Check that {{ic|/path/to/chroot}} is owned by {{ic|root:root}} and has {{ic|r-x}} permissions for others<br />
* Change the shell of the selected user to {{ic|/usr/bin/scponlyc}}<br />
* {{ic|sftp-server}} may require some libnss modules, such as {{ic|libnss_files}}; copy them into the chroot's {{ic|/lib}} path.<br />
<br />
== See also ==<br />
*[http://www.minstrel.org.uk/papers/sftp/ http://www.minstrel.org.uk/papers/sftp/builtin/]<br />
*[http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config]</div>Vgavrohttps://wiki.archlinux.org/index.php?title=SFTP_chroot&diff=601560SFTP chroot2020-03-15T16:17:27Z<p>Vgavro: added chroot journald logging as alternative to syslog-ng</p>
<hr />
<div>[[Category:File Transfer Protocol]]<br />
[[Category:Secure Shell]]<br />
[[ja:SFTP chroot]]<br />
{{Related articles start}}<br />
{{Related|SSHFS}}<br />
{{Related articles end}}<br />
<br />
[[OpenSSH]] 4.9+ includes a built-in chroot for SFTP, but requires a few tweaks to the normal install.<br />
<br />
== Installation ==<br />
<br />
[[Install]] and configure [[OpenSSH]]. Once running, make sure {{ic|sftp-server}} has been set correctly:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
}}<br />
<br />
Access files with ''sftp'' or [[SSHFS]]. Many standard [[List_of_applications/Internet#FTP_clients|FTP clients]] should work as well.<br />
<br />
==Configuration==<br />
<br />
===Setup the filesystem===<br />
{{Note|<br />
* Readers may select a file access scheme of their own. For example, optionally create a subdirectory for an incoming (writable) space and/or a read-only space. This need not be done directly under {{ic|/srv/ssh/jail}}; it can be done on the live partition, which is then bind mounted there as well.<br />
* It is also possible to chroot into the {{ic|/home}} directory and skip the bind mount; however, the user's home directory must then be owned by root:<br />
# chown root:root /home/<username><br />
# chmod 0755 /home/<username><br />
}}<br />
<br />
Bind mount the live [[filesystem]] to be shared onto the jail directory. In this example, {{ic|/mnt/data/share}} is used; it must be owned by [[user]] {{ic|root}} and have octal [[permissions]] {{ic|755}}:<br />
<br />
# chown root:root /mnt/data/share<br />
# chmod 755 /mnt/data/share<br />
# mkdir -p /srv/ssh/jail<br />
# mount -o bind /mnt/data/share /srv/ssh/jail<br />
<br />
Add entries to [[fstab]] to make the bind mount survive on a reboot:<br />
/mnt/data/share /srv/ssh/jail none bind 0 0<br />
<br />
=== Create an unprivileged user ===<br />
{{Note|You do not need to create a group, it is possible to use {{ic|Match User}} instead of {{ic|Match Group}}.}}<br />
<br />
Create the {{ic|sftponly}} [[user group]]:<br />
<br />
# groupadd sftponly <br />
<br />
Create a [[user]] whose primary group is ''sftponly'' and whose [[shell]] denies login:<br />
<br />
# useradd -g sftponly -s /usr/bin/nologin -d ''/srv/ssh/jail'' ''username''<br />
<br />
For password authentication, set a (complex) password to prevent the {{ic|account is locked}} error:<br />
<br />
# passwd ''username''<br />
<br />
=== Configure OpenSSH ===<br />
{{Note|You may want to use {{ic|Match User}} instead of {{ic|Match Group}}, as noted in the previous step.}}<br />
<br />
{{hc|/etc/ssh/sshd_config|<nowiki><br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
<br />
Match Group sftponly<br />
ChrootDirectory %h<br />
ForceCommand internal-sftp<br />
AllowTcpForwarding no<br />
X11Forwarding no<br />
PasswordAuthentication no<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|sshd.service}} to apply the changes.<br />
<br />
==== Fixing path for authorized_keys ====<br />
{{Tip|Use the [[SSH_keys#Key_ignored_by_the_server|debug mode]] of OpenSSH on the client and server in case of {{ic|(pre)auth}} error(s).}}<br />
With the default ''AuthorizedKeysFile'' path, [[SSH keys]] authentication fails for chrooted users. To fix this, [[append]] a root-owned directory, e.g. {{ic|/etc/ssh/authorized_keys}}, to ''AuthorizedKeysFile'' in {{ic|/etc/ssh/sshd_config}}:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
AuthorizedKeysFile ''/etc/ssh/authorized_keys/%u'' .ssh/authorized_keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
}}<br />
<br />
Create the ''authorized_keys'' directory, generate an [[SSH_keys#Choosing_the_key_location_and_passphrase|SSH key]] on the client, [[SSH_keys#Manual_method|copy]] the public key into {{ic|/etc/ssh/authorized_keys}} on the server (or use any other preferred method) and [[SSH_keys#Key_ignored_by_the_server|set correct permissions]]:<br />
<br />
# mkdir /etc/ssh/authorized_keys<br />
# chown root:root /etc/ssh/authorized_keys<br />
# chmod 755 /etc/ssh/authorized_keys<br />
# echo 'ssh-rsa <key> <username@host>' >> ''/etc/ssh/authorized_keys/username''<br />
# chmod 644 /etc/ssh/authorized_keys/''username''<br />
<br />
[[Restart]] {{ic|sshd.service}}.<br />
<br />
==Tips and tricks==<br />
=== Write permissions ===<br />
The [[#Setup the filesystem|bind]] path itself must be owned by {{ic|root}}, but files and subdirectories inside it need not be.<br />
In the following example the [[user]] ''www-demo'' uses {{ic|/srv/ssh/www/demo}} as the jail directory:<br />
# mkdir /srv/ssh/www/demo/public_html<br />
# chown www-demo:sftponly /srv/ssh/www/demo/public_html<br />
# chmod 755 /srv/ssh/www/demo/public_html<br />
<br />
The user should now be able to create files/subdirectories inside this directory. See [[File permissions and attributes]] for more information.<br />
<br />
=== Logging ===<br />
<br />
Inside the chroot the SFTP process cannot reach {{ic|/dev/log}}, so its log messages are lost. This can be seen by running {{ic|strace}} on the process once the user connects and attempts to download a file.<br />
<br />
==== Create sub directory ====<br />
Create the sub-directory {{ic|dev}} in the {{ic|ChrootDirectory}}, for example:<br />
# mkdir /usr/local/chroot/user/dev<br />
# chmod 755 /usr/local/chroot/user/dev<br />
<br />
Now create a socket at {{ic|/usr/local/chroot/user/dev/log}} for OpenSSH to log to. You can either bind mount the existing {{ic|/dev/log}} (or {{ic|/run/systemd/journal/dev-log}} if you use journald) onto it, or have {{ic|syslog-ng}}/{{ic|rsyslog}} create it.<br />
<br />
==== Bind to journald ====<br />
<br />
# touch /usr/local/chroot/user/dev/log<br />
# mount --bind /run/systemd/journal/dev-log /usr/local/chroot/user/dev/log<br />
<br />
==== Syslog-ng configuration ====<br />
Add a new source for the chroot's log socket to {{ic|/etc/syslog-ng/syslog-ng.conf}}; for example, change the section:<br />
{{bc|<nowiki>source src {<br />
unix-dgram("/dev/log");<br />
internal();<br />
file("/proc/kmsg");<br />
};</nowiki><br />
}}<br />
<br />
to:<br />
{{bc|<nowiki>source src {<br />
unix-dgram("/dev/log");<br />
internal();<br />
file("/proc/kmsg");<br />
unix-dgram("/usr/local/chroot/user/dev/log");<br />
};</nowiki><br />
}}<br />
<br />
and append:<br />
{{bc|<nowiki>#sftp configuration<br />
destination sftp { file("/var/log/sftp.log"); };<br />
filter f_sftp { program("internal-sftp"); };<br />
log { source(src); filter(f_sftp); destination(sftp); };</nowiki><br />
}}<br />
<br />
(Optional) If you would like to similarly log SSH messages to its own file:<br />
<br />
{{bc|<nowiki>#sshd configuration<br />
destination ssh { file("/var/log/ssh.log"); };<br />
filter f_ssh { program("sshd"); };<br />
log { source(src); filter(f_ssh); destination(ssh); };</nowiki><br />
}}<br />
(From [[Syslog-ng#Move log to another file]])<br />
<br />
==== OpenSSH configuration ====<br />
<br />
Edit {{ic|/etc/ssh/sshd_config}} to replace all instances of {{ic|internal-sftp}} with {{ic|internal-sftp -f AUTH -l VERBOSE}} ({{ic|-f}} selects the syslog facility, {{ic|-l}} the log level).<br />
<br />
==== Restart service ====<br />
<br />
[[Restart]] the {{ic|syslog-ng}} and {{ic|sshd}} services.<br />
<br />
{{ic|/usr/local/chroot/user/dev/log}} should now exist.<br />
<br />
== Alternatives to SFTP ==<br />
<br />
=== Secure copy protocol (SCP) ===<br />
Installing {{Pkg|openssh}} provides the ''scp'' command to transfer files. SCP may be faster than using SFTP [https://superuser.com/questions/134901/whats-the-difference-between-scp-and-sftp].<br />
<br />
[[Install]] {{Aur|rssh}} or {{Pkg|scponly}} as alternative shell solutions.<br />
<br />
==== Scponly ====<br />
<br />
[[Install]] {{Pkg|scponly}}.<br />
<br />
For existing users, simply set the user's shell to scponly:<br />
<br />
# usermod -s /usr/bin/scponly ''username''<br />
<br />
See [https://github.com/scponly/scponly/wiki the Scponly Wiki] for more details.<br />
<br />
==== Adding a chroot jail ====<br />
<br />
The package comes with a script to create a chroot. To use it, run:<br />
<br />
# /usr/share/doc/scponly/setup_chroot.sh<br />
* Answer the script's prompts<br />
* Check that {{ic|/path/to/chroot}} is owned by {{ic|root:root}} and has {{ic|r-x}} permissions for others<br />
* Change the shell of the selected user to {{ic|/usr/bin/scponlyc}}<br />
* {{ic|sftp-server}} may require some libnss modules, such as {{ic|libnss_files}}; copy them into the chroot's {{ic|/lib}} path.<br />
<br />
== See also ==<br />
*[http://www.minstrel.org.uk/papers/sftp/ http://www.minstrel.org.uk/papers/sftp/builtin/]<br />
*[http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config]</div>Vgavrohttps://wiki.archlinux.org/index.php?title=Talk:SFTP_chroot&diff=601552Talk:SFTP chroot2020-03-15T16:01:31Z<p>Vgavro: /* Logging from chroot to journald (made even more simpler, as mount --bind can directly mount files (bindfs can't) ) */</p>
<hr />
<div>I added a note to the bottom about ownership/permissions issues sshd can give you when you're setting it to chroot. I followed this guide and ran into a problem where no matter what I seemed to do sshd would keep rejecting sftp connections. Turns out it won't allow you to chroot to directories that don't have what it considers secure permissions.<br />
<br />
This is my first edit on this wiki btw. [[User:MaBeef|MaBeef]] 05:31, 18 December 2009 (EST)<br />
<br />
: This is also my first blurb. I was also having problems logging in to sftp/chroot with an ssh key. Using OpenSSH_5.3p1 I tried a few things and finally got a configuration to work. In {{ic|sshd_config}}, I set:<br />
<br />
{{bc|AuthorizedKeysFile /etc/ssh/authorized_keys/%u<br />
Subsystem sftp internal-sftp<br />
Match Group ftponly<br />
ChrootDirectory /home/%u<br />
ForceCommand internal-sftp<br />
PubkeyAuthentication yes<br />
AllowTCPForwarding no<br />
X11Forwarding no}}<br />
<br />
: Then for the IDs I wanted to give ssh key trust to, in this example {{ic|fbestert}}, created the directory specified in the {{ic|ChrootDirectory}} entry in {{ic|sshd_config}}. It said {{ic|ChrootDirectory /home/%u}} so put it in {{ic|/home/fbestert}}. This directory looks like:<br />
{{bc|drwxr-x---. 5 root ftponly 4096 Jan 21 17:09 fbestert}}<br />
: THIS IS NOT fbestert's HOME DIRECTORY IN {{ic|/etc/password}}! The passwd file entry looks like this:<br />
{{bc|fbestert:x:9999:400:Fester Bestertester:/etc/ssh/authorized_keys/fbestert:/bin/false}}<br />
: where {{ic|400}} is the GID for {{ic|ftponly}}, the group specified in sshd_config's {{ic|Match Group}} value. This "home" directory looks like this:<br />
{{bc|"drwx------ 3 fbestert ftponly 4096 Jan 21 17:05 /etc/ssh/authorized_keys/fbestert"}}<br />
: and it has the normal .ssh subdirectory underneath it with the {{ic|authorized_keys}} file which contains the ssh public keys, as usual. {{Unsigned| 22:08, 22 January 2015|Fbester}}<br />
<br />
Note that you can also use keyword '''AuthorizedKeysFile''' inside '''Match''' block. [[User:Otila|Otila]] ([[User talk:Otila|talk]]) 22:45, 23 February 2015 (UTC)<br />
<br />
== Logging from chroot to journald ==<br />
<br />
# mkdir /jail/dev<br />
# touch /jail/dev/log<br />
# mount --bind /run/systemd/journal/dev-log /jail/dev/log<br />
<br />
Testing:<br />
# logger TEST --socket /jail/dev/log</div>Vgavrohttps://wiki.archlinux.org/index.php?title=Talk:SFTP_chroot&diff=601405Talk:SFTP chroot2020-03-15T04:50:43Z<p>Vgavro: /* Logging from chroot to journald */ new section</p>
<hr />
<div>I added a note to the bottom about ownership/permissions issues sshd can give you when you're setting it to chroot. I followed this guide and ran into a problem where no matter what I seemed to do sshd would keep rejecting sftp connections. Turns out it won't allow you to chroot to directories that don't have what it considers secure permissions.<br />
<br />
This is my first edit on this wiki btw. [[User:MaBeef|MaBeef]] 05:31, 18 December 2009 (EST)<br />
<br />
: This is also my first blurb. I was also having problems logging in to sftp/chroot with an ssh key. Using OpenSSH_5.3p1 I tried a few things and finally got a configuration to work. In {{ic|sshd_config}}, I set:<br />
<br />
{{bc|AuthorizedKeysFile /etc/ssh/authorized_keys/%u<br />
Subsystem sftp internal-sftp<br />
Match Group ftponly<br />
ChrootDirectory /home/%u<br />
ForceCommand internal-sftp<br />
PubkeyAuthentication yes<br />
AllowTCPForwarding no<br />
X11Forwarding no}}<br />
<br />
: Then for the IDs I wanted to give ssh key trust to, in this example {{ic|fbestert}}, created the directory specified in the {{ic|ChrootDirectory}} entry in {{ic|sshd_config}}. It said {{ic|ChrootDirectory /home/%u}} so put it in {{ic|/home/fbestert}}. This directory looks like:<br />
{{bc|drwxr-x---. 5 root ftponly 4096 Jan 21 17:09 fbestert}}<br />
: THIS IS NOT fbestert's HOME DIRECTORY IN {{ic|/etc/password}}! The passwd file entry looks like this:<br />
{{bc|fbestert:x:9999:400:Fester Bestertester:/etc/ssh/authorized_keys/fbestert:/bin/false}}<br />
: where {{ic|400}} is the GID for {{ic|ftponly}}, the group specified in sshd_config's {{ic|Match Group}} value. This "home" directory looks like this:<br />
{{bc|"drwx------ 3 fbestert ftponly 4096 Jan 21 17:05 /etc/ssh/authorized_keys/fbestert"}}<br />
: and it has the normal .ssh subdirectory underneath it with the {{ic|authorized_keys}} file which contains the ssh public keys, as usual. {{Unsigned| 22:08, 22 January 2015|Fbester}}<br />
<br />
Note that you can also use keyword '''AuthorizedKeysFile''' inside '''Match''' block. [[User:Otila|Otila]] ([[User talk:Otila|talk]]) 22:45, 23 February 2015 (UTC)<br />
<br />
== Logging from chroot to journald ==<br />
<br />
The easiest way, but maybe not very secure, is:<br />
# mkdir -p /jail/run/systemd/journal /jail/dev<br />
# mount --bind /run/systemd/journal /jail/run/systemd/journal<br />
# ln -s /run/systemd/journal /jail/dev/log<br />
<br />
As an alternative I tried to make journald listen on the /jail/dev/log socket, but journald is started before local-fs.target, so I believe that was the reason I failed.<br />
Anyway, I believe you can achieve it by mounting the socket to a separate directory in run, and doing `mount --bind` later. To make journald listen to one more socket:<br />
<br />
# cp /lib/systemd/system/systemd-journald-dev-log.socket /etc/systemd/system/systemd-journald-chroot-dev-log.socket<br />
<br />
## Remove Symlinks=, change ListenDatagram= path<br />
# vim /etc/systemd/system/systemd-journald-chroot-dev-log.socket<br />
<br />
## Add new .socket file to After= and Sockets=<br />
# vim /lib/systemd/system/systemd-journald.service</div>Vgavrohttps://wiki.archlinux.org/index.php?title=SFTP_chroot&diff=601395SFTP chroot2020-03-15T01:58:43Z<p>Vgavro: It's not obvious by instructions that creating password isn't required</p>
<hr />
<div>[[Category:File Transfer Protocol]]<br />
[[Category:Secure Shell]]<br />
[[ja:SFTP chroot]]<br />
{{Related articles start}}<br />
{{Related|SSHFS}}<br />
{{Related articles end}}<br />
<br />
[[OpenSSH]] 4.9+ includes a built-in chroot for SFTP, but requires a few tweaks to the normal install.<br />
<br />
== Installation ==<br />
<br />
[[Install]] and configure [[OpenSSH]]. Once running, make sure {{ic|sftp-server}} has been set correctly:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
}}<br />
<br />
Access files with ''sftp'' or [[SSHFS]]. Many standard [[List_of_applications/Internet#FTP_clients|FTP clients]] should work as well.<br />
<br />
==Configuration==<br />
<br />
===Setup the filesystem===<br />
{{Note|<br />
* Readers may select a file access scheme of their own. For example, optionally create a subdirectory for an incoming (writable) space and/or a read-only space. This need not be done directly under {{ic|/srv/ssh/jail}}; it can be done on the live partition, which is then bind mounted there as well.<br />
* It is also possible to chroot into the {{ic|/home}} directory and skip the bind mount; however, the user's home directory must then be owned by root:<br />
# chown root:root /home/<username><br />
# chmod 0755 /home/<username><br />
}}<br />
<br />
Bind mount the live [[filesystem]] to be shared onto the jail directory. In this example, {{ic|/mnt/data/share}} is used; it must be owned by [[user]] {{ic|root}} and have octal [[permissions]] {{ic|755}}:<br />
<br />
# chown root:root /mnt/data/share<br />
# chmod 755 /mnt/data/share<br />
# mkdir -p /srv/ssh/jail<br />
# mount -o bind /mnt/data/share /srv/ssh/jail<br />
<br />
Add entries to [[fstab]] to make the bind mount survive on a reboot:<br />
/mnt/data/share /srv/ssh/jail none bind 0 0<br />
<br />
=== Create an unprivileged user ===<br />
{{Note|You do not need to create a group, it is possible to use {{ic|Match User}} instead of {{ic|Match Group}}.}}<br />
<br />
Create the {{ic|sftponly}} [[user group]]:<br />
<br />
# groupadd sftponly <br />
<br />
Create a [[user]] whose primary group is ''sftponly'' and whose [[shell]] denies login:<br />
<br />
# useradd -g sftponly -s /usr/bin/nologin -d ''/srv/ssh/jail'' ''username''<br />
<br />
For password authentication, set a (complex) password to prevent the {{ic|account is locked}} error:<br />
<br />
# passwd ''username''<br />
<br />
=== Configure OpenSSH ===<br />
{{Note|You may want to use {{ic|Match User}} instead of {{ic|Match Group}}, as noted in the previous step.}}<br />
<br />
{{hc|/etc/ssh/sshd_config|<nowiki><br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
<br />
Match Group sftponly<br />
ChrootDirectory %h<br />
ForceCommand internal-sftp<br />
AllowTcpForwarding no<br />
X11Forwarding no<br />
PasswordAuthentication no<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|sshd.service}} to apply the changes.<br />
<br />
==== Fixing path for authorized_keys ====<br />
{{Tip|Use the [[SSH_keys#Key_ignored_by_the_server|debug mode]] of OpenSSH on the client and server in case of {{ic|(pre)auth}} error(s).}}<br />
With the default ''AuthorizedKeysFile'' path, [[SSH keys]] authentication fails for chrooted users. To fix this, [[append]] a root-owned directory, e.g. {{ic|/etc/ssh/authorized_keys}}, to ''AuthorizedKeysFile'' in {{ic|/etc/ssh/sshd_config}}:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
AuthorizedKeysFile ''/etc/ssh/authorized_keys/%u'' .ssh/authorized_keys<br />
PermitRootLogin no<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
Subsystem sftp /usr/lib/ssh/sftp-server<br />
}}<br />
<br />
Create the ''authorized_keys'' directory, generate an [[SSH_keys#Choosing_the_key_location_and_passphrase|SSH key]] on the client, [[SSH_keys#Manual_method|copy]] the public key into {{ic|/etc/ssh/authorized_keys}} on the server (or use any other preferred method) and [[SSH_keys#Key_ignored_by_the_server|set correct permissions]]:<br />
<br />
# mkdir /etc/ssh/authorized_keys<br />
# chown root:root /etc/ssh/authorized_keys<br />
# chmod 755 /etc/ssh/authorized_keys<br />
# echo 'ssh-rsa <key> <username@host>' >> ''/etc/ssh/authorized_keys/username''<br />
# chmod 644 /etc/ssh/authorized_keys/''username''<br />
<br />
[[Restart]] {{ic|sshd.service}}.<br />
<br />
==Tips and tricks==<br />
=== Write permissions ===<br />
The [[#Setup the filesystem|bind]] path itself must be owned by {{ic|root}}, but files and subdirectories inside it need not be.<br />
In the following example the [[user]] ''www-demo'' uses {{ic|/srv/ssh/www/demo}} as the jail directory:<br />
# mkdir /srv/ssh/www/demo/public_html<br />
# chown www-demo:sftponly /srv/ssh/www/demo/public_html<br />
# chmod 755 /srv/ssh/www/demo/public_html<br />
<br />
The user should now be able to create files/subdirectories inside this directory. See [[File permissions and attributes]] for more information.<br />
<br />
=== Logging ===<br />
{{Accuracy|Is this possible with systemd-journal? Are there no security concerns?}}<br />
<br />
Inside the chroot the SFTP process cannot reach {{ic|/dev/log}}, so its log messages are lost. This can be seen by running {{ic|strace}} on the process once the user connects and attempts to download a file.<br />
<br />
==== Create sub directory ====<br />
Create the sub-directory {{ic|dev}} in the {{ic|ChrootDirectory}}, for example:<br />
# mkdir /usr/local/chroot/user/dev<br />
# chmod 755 /usr/local/chroot/user/dev<br />
<br />
{{ic|syslog-ng}} will create the socket {{ic|/usr/local/chroot/user/dev/log}} once configured.<br />
<br />
==== Syslog-ng configuration ====<br />
Add a new source for the chroot's log socket to {{ic|/etc/syslog-ng/syslog-ng.conf}}; for example, change the section:<br />
{{bc|<nowiki>source src {<br />
unix-dgram("/dev/log");<br />
internal();<br />
file("/proc/kmsg");<br />
};</nowiki><br />
}}<br />
<br />
to:<br />
{{bc|<nowiki>source src {<br />
unix-dgram("/dev/log");<br />
internal();<br />
file("/proc/kmsg");<br />
unix-dgram("/usr/local/chroot/user/dev/log");<br />
};</nowiki><br />
}}<br />
<br />
and append:<br />
{{bc|<nowiki>#sftp configuration<br />
destination sftp { file("/var/log/sftp.log"); };<br />
filter f_sftp { program("internal-sftp"); };<br />
log { source(src); filter(f_sftp); destination(sftp); };</nowiki><br />
}}<br />
<br />
(Optional) If you would like to similarly log SSH messages to its own file:<br />
<br />
{{bc|<nowiki>#sshd configuration<br />
destination ssh { file("/var/log/ssh.log"); };<br />
filter f_ssh { program("sshd"); };<br />
log { source(src); filter(f_ssh); destination(ssh); };</nowiki><br />
}}<br />
(From [[Syslog-ng#Move log to another file]])<br />
<br />
==== OpenSSH configuration ====<br />
<br />
Edit {{ic|/etc/ssh/sshd_config}} to replace all instances of {{ic|internal-sftp}} with {{ic|internal-sftp -f AUTH -l VERBOSE}} ({{ic|-f}} selects the syslog facility, {{ic|-l}} the log level).<br />
<br />
==== Restart service ====<br />
<br />
[[Restart]] the {{ic|syslog-ng}} and {{ic|sshd}} services.<br />
<br />
{{ic|/usr/local/chroot/user/dev/log}} should now exist.<br />
<br />
== Alternatives to SFTP ==<br />
<br />
=== Secure copy protocol (SCP) ===<br />
Installing {{Pkg|openssh}} provides the ''scp'' command to transfer files. SCP may be faster than using SFTP [https://superuser.com/questions/134901/whats-the-difference-between-scp-and-sftp].<br />
<br />
[[Install]] {{Aur|rssh}} or {{Pkg|scponly}} as alternative shell solutions.<br />
<br />
==== Scponly ====<br />
<br />
[[Install]] {{Pkg|scponly}}.<br />
<br />
For existing users, simply set the user's shell to scponly:<br />
<br />
# usermod -s /usr/bin/scponly ''username''<br />
<br />
See [https://github.com/scponly/scponly/wiki the Scponly Wiki] for more details.<br />
<br />
==== Adding a chroot jail ====<br />
<br />
The package comes with a script to create a chroot. To use it, run:<br />
<br />
# /usr/share/doc/scponly/setup_chroot.sh<br />
* Answer the script's prompts<br />
* Check that {{ic|/path/to/chroot}} is owned by {{ic|root:root}} and has {{ic|r-x}} permissions for others<br />
* Change the shell of the selected user to {{ic|/usr/bin/scponlyc}}<br />
* {{ic|sftp-server}} may require some libnss modules, such as {{ic|libnss_files}}; copy them into the chroot's {{ic|/lib}} path.<br />
<br />
== See also ==<br />
*[http://www.minstrel.org.uk/papers/sftp/ http://www.minstrel.org.uk/papers/sftp/builtin/]<br />
*[http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config]</div>Vgavro