March 2012
« Feb   Apr »

Linux : Configuring secure sftp server

As we all know, most system users can have sftp access to Linux box by default along with ssh access. So that we can transfer the files securely over it.

But the real headache of this system is, all the users can access any of system files and also has shell access to the server which will open a door to a authorized stranger to know about the server roles and can grab the imp. files he wants.

Drawback : What I found is sftp system doesn’t have any log facility ie no record if any file transactions which done over it. So that we can’t trace out what are happening once the sftp session started. Also most of the latest

    Redhat/CentOS OS still using the older openssh version which doesn’t support chroot ssh setup.
 -sh-3.2# ssh -version
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Bad escape character 'rsion'.
-sh-3.2# cat /etc/redhat-release
CentOS release 5.5 (Final)

What I’m planning to do is,

1. Install a new openssh server and run it over on a new port for only sftp access
2. Set a chroot restriction to all users.
3. It won’t harm any production servers.

1. Installing openssh package

1. Download openssh package from

[root@web01 ~]#cd /home/installation/
[root@web01 ~]#wget
[root@web01 ~]#tar -zxvf openssh-5.9p1.tar.gz
[root@web01 ~]cd openssh-5.9p1
[root@web01 ~]./configure --prefix=/var/opt/openssh
[root@web01 ~]make
[root@web01 ~]make install
[root@web01 ~] ln -s /var/opt/openssh/sbin/sshd /usr/sbin/sftpserver

Now all the openssh files are copied under “/var/opt/openssh” folder. Next we need to create a startup script for as a service.

[root@fc-web01 ~]# vi /etc/init.d/opensshd
Which having the following lines,

# chkconfig: 35 60 25
# description: OpenSSH chrooted sftp only daemon
# Note that /usr/sbin/sftpfoo is simply a symlink to /usr/sbin/sshd
case "${1}" in
start  ) exec -a /usr/sbin/sftpserver /var/opt/openssh/sbin/sshd -f /var/opt/openssh/etc/sshd_config
stop   ) kill -9 $(cat ${pidfile})
restart) stop
         sleep 3
*      ) echo "Usage: ${0} (start|stop|restart)"

exit 0

2. Modifying SSH config file

You may need to add the following line at the bottom of ‘ /var/opt/openssh/etc/sshd_config” file

PidFile /var/run/
Subsystem     sftp   internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Note: You must have define new ssh port in this file (Eg. Port 22222 ) you may need to delete/comment the line start with “#Subsystem sftp /var/opt/openssh/libexec/sftp-server

3. User configuration

[root@web01 ~]#groupadd sftp ;Creating sftp group
[root@web01 ~]#mkdir -p /home/chroot/home ;creating  chroot jailed home directory
    Adding users with disabled shell access
 [root@web01 ~]#useradd -G sftp  -s /bin/false -d /home/chroot/home/sftpuser1 sftpuser1
[root@web01 ~]#chown root:root /home/chroot/home/sftpuser1
[root@web01 ~]#chmod -R 0755 /home/chroot/home/sftpuser1
[root@web01 ~]#rm -rf  /home/chroot/home/sftpuser1/*
[root@web01 ~]#mkdir -p  /home/chroot/home/sftpuser1/upload
[root@web01 ~]#mkdir -p  /home/chroot/home/sftpuser1/download
[root@web01 ~]#mkdir -p  /home/chroot/home/sftpuser1/public_html
[root@web01 ~]#chown -R sftpuser1 /home/chroot/home/sftpuser1/upload /home/chroot/home/sftpuser1/download /home/chroot/home/sftpuser1/public-html
[root@web01 ~]#passwd sftpuser1

So user has full permissions only on these three folders.

The above commands created the ‘sftuser1‘ user which is a member of ‘sftp” group. Also root user is take the ownership of users home directory. So that users can’t create/execute any command against on his home directory but can create any new files in it. My requirement is to provide sftp space to a use who can upload and download files to a server securely.

Let’s start new ssh server.

[root@fc-db01 ~]# sh  /etc/init.d/opensshd  start

To verify it’s running,

[root@fc-db01 ~]# netstat -nlp | grep ":22222"
tcp        0      0     *                   LISTEN      24243/sftpserver
tcp        0      0 :::22222                    :::*                        LISTEN      24243/sftpserver
[root@fc-db01 ~]#

That’s it –> :-). Start sharing secure ftp space. You also need to open the port 22222 which may require to update the your firewall/network rules.

There is one imp. fix you will have to do.
You need to add a line “DenyUsers sftpuser1” on your primary ssh server config file (/etc/ssh/sshd_config) which is running on the default port (22) and then restart the sshd service as well.

NB: I see that you can access this ftp through Filezilla easily but Global scape FTP won’t support to connect it.

Sftp user creation bash script

Here is the script which will create sftp users easily. It’s usage will be

#sh username

# Shell script to create sftp users
#usage will be #sh  username
# Sftp root directory
# users can create/delete the files/folder only inside the upload/download folder  
useradd -G sftp  -s /bin/false -d $sftp_root_dir/$1  $1
chown root:root $sftp_root_dir/$1
chmod -R 0755 $sftp_root_dir/$1
cd  $sftp_root_dir/$1
rm -rf  .bash* .z* .mo* .e*
mkdir -p  $sftp_root_dir/$1/upload
mkdir -p  $sftp_root_dir/$1/download
chown -R $1 $sftp_root_dir/$1/upload $sftp_root_dir/$1/download
passwd $1

3 comments to Linux : Configuring secure sftp server

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>