# Chrooted SFTP-only access

## Dagger

Greetings everyone,

Recently my company decided to switch all the clients which were still using the FTP protocol to the new, much more secure SFTP.

SFTP possesses numerous advantages over the FTP protocol and it's much more firewall friendly. Of course there are also disadvantages to SFTP, like the fact that we (by default) give SSH access to users, which generally means users can access external directories. Of course we can play around it and restrict file read permissions, but it's probably not what we want. The best option is of course to chroot-jail the user into his home directory. Most of the solutions available online require you to copy some parts of /bin, /lib and other directories into the user's home directory. Well, not a very effective or elegant solution, but it works. This solution might also be a pain if you need to update your SSH. Recently I found a perfect solution which gives you a clean home directory, and it almost doesn't require any maintenance. Below you can find the link to its home page:

http://www.minstrel.org.uk/papers/sftp/

This solution is great if:

* You want to give file upload/download access to your users;

* You don't want to give shell access to your users;

* You want to keep maintenance overhead to a minimum when upgrading OpenSSH.

I've done a custom ebuild which includes the patch prepared by this author, which makes life so much easier, since emerge will do the bigger part for you. It doesn't mean it will do everything for you though; you will still need to follow a few simple steps.

We can divide the process into two parts. The first part will give us CHROOT'ed SFTP access, and the second one will restrict access to the SFTP protocol only.

Below you can find a step-by-step guide for part one:

1. download ebuild from:

https://db12.edigitalresearch.com/stuff/openssh-4.6_p1-r99.ebuild or www.minstrel.org.uk/papers/sftp/openssh-4.6_p1-r99.ebuild and move it to "/usr/portage/net-misc/openssh/"

2. Update the file manifest (ebuild /usr/portage/net-misc/openssh/openssh-4.6_p1-r99.ebuild digest)

3. Emerge openssh with the sftp flag (USE="sftp" emerge =openssh-4.6_p1-r99, or echo =net-misc/openssh-4.6_p1-r99 sftp >> /etc/portage/package.use)

4. 'chroot' can only be executed by the root account, so sftp-server needs to run with root privileges - therefore use chmod +s /usr/lib/misc/sftp-server

5. Restart sshd

When you're done with part one you can proceed to part two:

1. Download sftpsh.c shell from:

http://www.minstrel.org.uk/papers/sftp/sftpsh.c

2. Modify line 30 to look like:

```
#define SFTP_BINARY "/usr/lib/misc/sftp-server"
```

3. Compile this program using the command "gcc sftpsh.c -o sftpsh"

4. Copy the new shell to your system path, using the command "cp sftpsh /bin"

5. Make sure the new shell is recognised by the system, by adding it to /etc/shells - use the command "echo /bin/sftpsh >> /etc/shells"

Now you can assign new SFTP-only shell for all users who should have SFTP-only access.

1. Use "usermod -s /bin/sftpsh username". 

2. Modify the user's home directory from "/home/username" to "/home/username/./". This will chroot the user to "/home/username". If you want to chroot to, let's say, "/home", then use "/home/./username" as the home directory; "/./" will always become the user's root directory.

3. Make sure your user has access to its home directory by checking/setting ownership and read/write access: "chown -R username:users /home/username"

Well, that's it. All you need to do now is test the setup: use sftp username@hostname.org and make sure you can't change directory out of the chroot'd environment. Also check that access is denied when using ssh username@hostname.org.

I would like to thank Peter Bance for his hard work by gathering all pieces together and also for his patience when I was bombarding his email box!
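The three user-assignment steps above, plus the preflight checks for parts one and two, as one provisioning script. This is an added example and not code from the post or from minstrel.org.uk; it assumes the paths the post uses (/bin/sftpsh, /usr/lib/misc/sftp-server, /etc/shells) and the "users" group, and it derives the chroot root from the "/./" marker the same way the post describes it.

```shell
#!/bin/sh
# Provisioning helper for the patched-OpenSSH + sftpsh setup in the post above.
# Added example, not code from the post or from minstrel.org.uk. It assumes the
# paths used in the post (/bin/sftpsh, /usr/lib/misc/sftp-server, group "users").
# Run as: DRY_RUN=1 sh provision.sh provision alice /home/alice/./

SFTP_SHELL=${SFTP_SHELL:-/bin/sftpsh}
SFTP_SERVER=${SFTP_SERVER:-/usr/lib/misc/sftp-server}
SHELLS_FILE=${SHELLS_FILE:-/etc/shells}

# The patch uses "/./" inside the home path as the chroot boundary: everything
# before it becomes the user's root. Print that root, or fail when the path has
# no marker (no jail at all) or the marker is at the start (a "jail" at "/").
chroot_root_of() {
    case "$1" in
        */./*) ;;
        *) return 1 ;;
    esac
    root=${1%%/./*}
    [ -n "$root" ] || return 1
    printf '%s\n' "$root"
}

# Is the shell present as a whole line in an /etc/shells-style file?
shell_registered() {
    grep -qx -- "$1" "$2" 2>/dev/null
}

# Parts one and two of the post must be done before any user is assigned:
# setuid sftp-server, compiled sftpsh on the path, sftpsh listed in /etc/shells.
preflight() {
    [ -u "$SFTP_SERVER" ] || { echo "$SFTP_SERVER is not setuid (chmod +s it)" >&2; return 1; }
    [ -x "$SFTP_SHELL" ]  || { echo "$SFTP_SHELL is missing (compile sftpsh.c)" >&2; return 1; }
    shell_registered "$SFTP_SHELL" "$SHELLS_FILE" \
        || { echo "$SFTP_SHELL is not listed in $SHELLS_FILE" >&2; return 1; }
}

# Print the command instead of running it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# provision_sftp_user NAME HOME_SPEC, e.g. provision_sftp_user alice /home/alice/./
provision_sftp_user() {
    name=$1
    home=$2
    root=$(chroot_root_of "$home") \
        || { echo "home '$home' carries no /./ chroot marker" >&2; return 1; }
    run usermod -s "$SFTP_SHELL" -d "$home" "$name"
    # The user must own the tree under the chroot root to upload into it;
    # this is the chown that step 3 of the post intends.
    run chown -R "$name:users" "$root"
    echo "$name: chrooted at $root, shell $SFTP_SHELL"
}

if [ "${1:-}" = provision ]; then
    preflight && provision_sftp_user "$2" "$3"
fi
```

Run it once with DRY_RUN=1 to see the exact usermod and chown it would issue; whether usermod accepts a home path containing "/./" unchanged is assumed here, so check the resulting /etc/passwd entry after the real run.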

----------

## elgato319

I prefer pure-ftpd with TLS connections allowed only.

This way it's very secure and easy to manage. You can use pure-pw or a mysql backend.

----------

## TheMinstrel

Since version 4.9, this functionality is now included in OpenSSH.  I've written up how I've migrated away from my old solution now:

HOWTO: chroot SFTP (only) - OpenSSH Built-in Version

Nice not to have to custom-code each time there's an update to OpenSSH!

Hope this helps.

--

Minstrel

http://www.minstrel.org.uk/
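The built-in version TheMinstrel refers to needs no patched ebuild, no setuid sftp-server and no custom shell: sshd's ChrootDirectory and internal-sftp do the job. The fragment below, with a check for the ownership rule sshd enforces on the chroot directory, is an added example and not code from Minstrel's HOWTO (which is not reproduced on this page) or from the post above; the group name "sftponly", the /home layout and the nologin path are assumptions.

```shell
#!/bin/sh
# Built-in OpenSSH (>= 4.9) chroot SFTP: the sshd_config fragment and the
# directory check that most often bites on first use. Added example, not taken
# from Minstrel's HOWTO. Assumes a group named "sftponly", homes under /home
# and /usr/sbin/nologin as the no-shell shell; all three are arbitrary.

# Match block for SFTP-only, chrooted users. Match blocks must come last in
# sshd_config. internal-sftp needs no binaries or shell inside the jail, which
# is why the old sftpsh/copy-libs tricks go away.
sftp_chroot_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd requires the ChrootDirectory (and every component above it) to be owned
# by root and not writable by group or others; otherwise it refuses the login.
# Given an "ls -l" mode string, report whether group or others may write.
mode_writable_by_others() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one directory against those rules (uid 0 owner, no g/o write bit).
chroot_dir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    set -- $(ls -ldn "$dir")          # mode links uid gid ...
    mode=$1
    uid=$3
    [ "$uid" = 0 ] || { echo "$dir: owned by uid $uid, must be root" >&2; return 1; }
    if mode_writable_by_others "$mode"; then
        echo "$dir: mode $mode is group/world writable" >&2
        return 1
    fi
}

# Walk from the chroot directory up to /; every component must pass.
chroot_path_ok() {
    p=$1
    while :; do
        chroot_dir_ok "$p" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Typical layout: /home/alice is root:root 755 (the jail itself, read-only
# for the user), /home/alice/upload is alice:sftponly 750 so the user can
# actually write something.
setup_sftp_user() {
    user=$1
    home=/home/$user
    mkdir -p "$home/upload"
    chown root:root "$home" && chmod 755 "$home"
    chown "$user:sftponly" "$home/upload" && chmod 750 "$home/upload"
    usermod -a -G sftponly -s /usr/sbin/nologin "$user"
    chroot_path_ok "$home"
}
```

Append the output of sftp_chroot_config to sshd_config, run `sshd -t` before restarting, and if a login still fails, run chroot_path_ok on the user's home: a home directory owned by the user, or a /home that is group-writable, is the usual cause.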

----------

