Monday, 3 December 2012

OpenSSH Chroot Sftp Setup in Linux

In *nix-like operating systems, "chroot" is the term for changing the effective root directory of a user to one specified by the root user. Any resource outside the chrooted environment (jail) is inaccessible to that user. Without a chroot environment, an unprivileged user, or an attacker, would still be able to navigate to top-level directories such as /etc, /home/otherusers, /usr, /var and /lib.
   
Standard SFTP setup without chroot

login@remoteserver$sftp secuser@fileserver
Connecting to 192.168.12.4...
secuser@192.168.12.4's password:
sftp> cd /
sftp> ls -lrt
bin/
boot/
dev/
etc/
export/
home/
lib/
lost+found/
media/
...
...

Letting a remote user traverse the server's directory tree in this way is a security exposure and a risk to the data. To avoid it, OpenSSH comes with a chroot option for secure file transfer.

It applies only to SFTP connections, not to SSH or SCP.

The following lines are added at the bottom of the /usr/local/etc/sshd_config file (the location for the upgraded OpenSSH build):

root@fileserver#vi /usr/local/etc/sshd_config
::::::
Subsystem      sftp    internal-sftp
Match Group chroot
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no


This chroots any user in the group chroot into their home directory. To chroot each user into their own home, %h (the user's home directory) is given as the ChrootDirectory.

Once that is done, restart the sshd service with the following command.

root@fileserver#/etc/init.d/sshd restart

Create a Chroot SFTP user in the fileserver

Add the chroot group referenced in the sshd_config file, then add the user to be chrooted as shown below, with /bin/false as the shell and chroot as the primary group.

#groupadd chroot
#useradd -g chroot -d /export/home/secuser -s /bin/false secuser
#id secuser
uid=520(secuser) gid=522(chroot) groups=522(chroot)

File Permissions for Chroot SFTP user
The following permissions are to be set on the chroot SFTP user's home directory:
#chmod 750 /export/home/secuser
#chown root:chroot /export/home/secuser
#ls -ld /export/home/secuser
drwxr-x--- 2 root chroot 4096 Nov 30 11:05 /export/home/secuser
#cd /export/home/secuser
#mkdir incoming outgoing .ssh
#chown -R secuser:chroot incoming outgoing .ssh
#chmod 700 incoming outgoing
#chmod 500 .ssh

Note:
The .ssh directory should be set with the permissions shown above; that way no one other than root can add, remove or alter files such as authorized_keys in the .ssh folder.
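The ownership and mode steps above are not arbitrary: sshd refuses a ChrootDirectory unless every component of its path is a root-owned directory that is not writable by group or others, which is why the home directory is chowned to root:chroot and chmod 750 while only the subdirectories belong to the user. The following script is an added example, not part of the original post, that walks that path chain and also confirms the account has the non-login shell and the chroot primary group set up earlier. It assumes a Linux host with GNU coreutils (stat -c) and getent; the WANT_UID and STOP_AT parameters default to root and / and exist only so the walk can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a chroot SFTP
# account like the one built above. Assumes GNU coreutils stat and getent.

# check_dir DIR WANT_UID
# Reports problems with one directory; returns 0 if it is acceptable to sshd
# (owned by WANT_UID, not writable by group or others).
check_dir() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1"
        return 1
    fi
    # %u = owner uid, %a = permission bits in octal (e.g. 750)
    set -- "$1" "$2" $(stat -c '%u %a' "$1")
    bad=0
    if [ "$3" -ne "$2" ]; then
        echo "wrong owner (uid $3, expected $2): $1"
        bad=1
    fi
    # 022 masks the group- and other-write bits; the leading 0 makes the
    # shell read the mode as octal, matching chmod's notation.
    if [ $(( 0$4 & 022 )) -ne 0 ]; then
        echo "writable by group or others (mode $4): $1"
        bad=1
    fi
    return $bad
}

# check_chroot_path DIR [WANT_UID] [STOP_AT]
# Walks from DIR up to STOP_AT (default /) applying check_dir to every
# component. WANT_UID defaults to 0 (root); both optional parameters exist
# only so the walk can be exercised on a scratch tree owned by a test user.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    stop=${3:-/}
    case $dir in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $dir"; return 1 ;;
    esac
    rc=0
    p=$dir
    while :; do
        check_dir "$p" "$want_uid" || rc=1
        [ "$p" = "$stop" ] && break
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break   # reached / without meeting STOP_AT
        p=$parent
    done
    return $rc
}

# check_passwd_entry PASSWD_LINE WANT_SHELL WANT_GID
# Checks one passwd(5) line ("name:pw:uid:gid:gecos:home:shell") for the
# non-login shell and primary gid the chroot group requires.
check_passwd_entry() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    bad=0
    if [ "$shell" != "$2" ]; then
        echo "shell is $shell, expected $2: $name"
        bad=1
    fi
    if [ "$gid" != "$3" ]; then
        echo "primary gid is $gid, expected $3: $name"
        bad=1
    fi
    return $bad
}

# check_account USER WANT_SHELL WANT_GROUP
# Looks the account up with getent, resolves WANT_GROUP to its gid and
# delegates to check_passwd_entry.
check_account() {
    line=$(getent passwd "$1") || { echo "no such user: $1"; return 1; }
    gid=$(getent group "$3" | cut -d: -f3)
    if [ -z "$gid" ]; then
        echo "no such group: $3"
        return 1
    fi
    check_passwd_entry "$line" "$2" "$gid"
}

# Usage: sh check_chroot_sftp.sh /export/home/secuser secuser
if [ $# -ge 2 ]; then
    check_chroot_path "$1" && echo "chroot path OK: $1"
    check_account "$2" /bin/false chroot && echo "account OK: $2"
fi
```

Run it as root on the file server after the chown/chmod steps; a group-writable component anywhere on the path (for example a /export/home that was left at 775) is reported by name, which is the usual reason a chrooted login is rejected by sshd even though the user's own directory looks right.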


Remove the following default files from the home directory of the chroot login:
root@fileserver#rm -rf .mozilla .emacs .bashrc .bash_profile .bash_logout
root@fileserver#ls -lah
drwxr-xr-x 5 root    chroot 4.0K Dec 19  2011 .
drwxr-xr-x 3 root    chroot 4.0K Dec 19  2011 ..
drwx------ 2 secuser chroot 4.0K Jan  6  2012 incoming
drwx------ 2 secuser chroot 4.0K Jan 10  2012 outgoing
dr-x------ 2 secuser chroot 4.0K Dec 16  2011 .ssh


Testing the chroot SFTP setup from another server
login@remoteserver$sftp secuser@fileserver
Connecting to 192.168.12.4...
secuser@192.168.12.4's password:
sftp> cd /
sftp> pwd
Remote working directory: /
sftp> ls -la
drwxr-xr-x 5 0 522 4.0K Dec 19  2011 .
drwxr-xr-x 3 0 522 4.0K Dec 19  2011 ..
drwx------ 2 0 522 4.0K Jan  6  2012 incoming
drwx------ 2 0 522 4.0K Jan 10  2012 outgoing
dr-x------ 2 0 522 4.0K Dec 16  2011 .ssh
sftp> cd incoming
sftp> put test
uploading test to /incoming/test
test
sftp>


That's it, the chroot SFTP setup for secure file transfer is complete. The remote user can't traverse to the actual root directory and see the server's files; all communication happens within the directory inside the chroot login.
