This came up today where I needed to give secure file transfer to customers. To complicate things I had to use an out-of-the-box RHEL6 system. The obvious answer was to use SSH and limit those users to SFTP only. Locking them into a chroot was not a requirement, but it seemed like a good idea to me. I found plenty of docs that got 80% of the way, or took a shortcut, but this should be complete.
The basic steps are:
Without further ado, lets get started. It should only take about 10 minutes, nothing here is especially complex.
Create a group that is limited to SFTP only and a user to be in that group.
groupadd sftponly useradd sftptest usermod -aG sftponly sftptest
Now you need to make a little change to
will be a Subsystem line for
sftp which you need to change to read:
Subsystem sftp internal-sftp
Now you need to create a block at the end to limit members of a group (ie the sftponly group you created above) and chroot them. Simply add the following to the end of the file:
Match Group sftponly ChrootDirectory %h ForceCommand internal-sftp X11Forwarding no AllowTcpForwarding no
These changes will require a reload of the SSH daemon:
service sshd reload
Now you need to make some file permission changes. For some reason which I cannot work out for now, the home directory must be owned by root and have the permissions 755. So we will also need to make a folder in the home directory to upload to and make that owned by the user.
sudo -u sftptest mkdir -pv /home/sftptest/upload chown root. /home/sftptest chmod 755 /home/sftptest chgrp -R sftponly /home/sftptest
The last thing we need to do is tell SELinux that we want to upload files via SFTP to a chroot as it is read-only by default. Of course you are running SELinux in enforcing mode aren\'t you :)
setsebool -P ssh_chroot_rw_homedirs on
Now from another console you can sftp to your server
sftp [email protected]<server>
You should then be able to put a file in your upload folder. However if you try to ssh to the server as the user sftptest it should tell you to go away. Of course you should be able to ssh as your normal user with no problem. Pro tip: make sure to leave a root terminal open just in case.