In *nix like operating systems, the “chroot” is the term that alters the effective root directory of a user to one specified by the root user. Any resource outside the chrooted environment (jail) would be inaccessible to user . Without the chroot environment, an unprivileged user or an attacker would be still able to navigate to top-level directories like /etc , /home/otherusers , /usr , /var, /lib etc.,
Standard SFTP setup without chroot
login@remoteserver$sftp secuser@fileserver
Connecting to 192.168.12.4...
secuser@192.168.12.4's password:
sftp> cd /
sftp> ls -lrt
bin/
boot/
dev/
etc/
export/
home/
lib/
lost+found/
media/
...
...
The traversing of server's directory will be the security breach and harmful to the data, to avoid that Openssh comes with chroot option for secure file transfer.
Its Only applicable to SFTP not for SSH and SCP mode of connection
The following lines are added in the bottom of the /usr/local/etc/sshd_config file (upgraded OpenSSH location)
root@fileserver#vi /usr/local/etc/sshd_config
::::::
Subsystem sftp internal-sftp
Match Group chroot
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
This will chroot any user in the group chroot into their home directory . Inorder to chroot for the particular user, it should be defined %h (home directory) as the Chroot Directory.
Once completed restart the sshd service using the following command.
root@fileserver#/etc/init.d/sshd restart
Create a Chroot SFTP user in the fileserver
Add the chroot group as mentioned in the sshd_config file and add user which should be in chroot as mentioned below, with /bin/false as shell and primary group as chroot.
#groupadd chroot
#useradd -g chroot -d /export/home/secuser -s /bin/false secuser
#id secuser
uid=520(secuser) gid=522(chroot) groups=522(chroot)
File Permissions for Chroot SFTP user
The following are the permissions to be set for the Chroot SFTP user
#chmod 750 /export/home/secuser
#chown root:chroot /export/home/secuser
#ls -ld /export/home/secuser
drwxr-x-- 2 root chroot 4096 Nov 30 11:05 /export/home/secuser
#cd /export/home/secuser
#mkdir incoming outgoing .ssh
#chown -R secuser:chroot incoming outgoing .ssh
#chmod 700 incoming outgoing
#chmod 500 .ssh
Note:
The .ssh directory should be set mentioned above permission, by doing that no one can put or remove or alter the files like authorized_keys in the .ssh folder other than root.
Remove the following default files in the home directory of chroot login
root@fileserver#rm -rf .mozilla .emacs .bashrc .bash_profile .bash_logout
root@fileserver#ls -lah
drwxr-xr-x 5 root chroot 4.0K Dec 19 2011 .
drwxr-xr-x 3 root chroot 4.0K Dec 19 2011 ..
drwx------ 2 secuser chroot 4.0K Jan 6 2012 incoming
drwx------ 2 secuser chroot 4.0K Jan 10 2012 outgoing
dr-x------ 2 secuser chroot 4.0K Dec 16 2011 .ssh
Testing the Chroot sftp setup from anyother server
login@remoteserver$sftp secuser@fileserver
Connecting to 192.168.12.4...
secuser@192.168.12.4's password:
sftp> cd /
sftp> pwd
Remote working directory: /
sftp> ls -la
drwxr-xr-x 5 0 522 4.0K Dec 19 2011 .
drwxr-xr-x 3 0 522 4.0K Dec 19 2011 ..
drwx------ 2 0 522 4.0K Jan 6 2012 incoming
drwx------ 2 0 522 4.0K Jan 10 2012 outgoing
dr-x------ 2 0 522 4.0K Dec 16 2011 .ssh
sftp>cd incoming
sftp> put test
uploading test to /incoming/test
test
sftp>
Thats it, chroot sftp setup for secure file transfer has been completed ... the remote user can't traverse to the actual root directory and see the server files. All the communications are happened within the directory inside the chroot login.
Standard SFTP setup without chroot
login@remoteserver$sftp secuser@fileserver
Connecting to 192.168.12.4...
secuser@192.168.12.4's password:
sftp> cd /
sftp> ls -lrt
bin/
boot/
dev/
etc/
export/
home/
lib/
lost+found/
media/
...
...
The traversing of server's directory will be the security breach and harmful to the data, to avoid that Openssh comes with chroot option for secure file transfer.
Its Only applicable to SFTP not for SSH and SCP mode of connection
The following lines are added in the bottom of the /usr/local/etc/sshd_config file (upgraded OpenSSH location)
root@fileserver#vi /usr/local/etc/sshd_config
::::::
Subsystem sftp internal-sftp
Match Group chroot
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
This will chroot any user in the group chroot into their home directory . Inorder to chroot for the particular user, it should be defined %h (home directory) as the Chroot Directory.
Once completed restart the sshd service using the following command.
root@fileserver#/etc/init.d/sshd restart
Create a Chroot SFTP user in the fileserver
Add the chroot group as mentioned in the sshd_config file and add user which should be in chroot as mentioned below, with /bin/false as shell and primary group as chroot.
#groupadd chroot
#useradd -g chroot -d /export/home/secuser -s /bin/false secuser
#id secuser
uid=520(secuser) gid=522(chroot) groups=522(chroot)
File Permissions for Chroot SFTP user
The following are the permissions to be set for the Chroot SFTP user
#chmod 750 /export/home/secuser
#chown root:chroot /export/home/secuser
#ls -ld /export/home/secuser
drwxr-x-- 2 root chroot 4096 Nov 30 11:05 /export/home/secuser
#cd /export/home/secuser
#mkdir incoming outgoing .ssh
#chown -R secuser:chroot incoming outgoing .ssh
#chmod 700 incoming outgoing
#chmod 500 .ssh
Note:
The .ssh directory should be set mentioned above permission, by doing that no one can put or remove or alter the files like authorized_keys in the .ssh folder other than root.
Remove the following default files in the home directory of chroot login
root@fileserver#rm -rf .mozilla .emacs .bashrc .bash_profile .bash_logout
root@fileserver#ls -lah
drwxr-xr-x 5 root chroot 4.0K Dec 19 2011 .
drwxr-xr-x 3 root chroot 4.0K Dec 19 2011 ..
drwx------ 2 secuser chroot 4.0K Jan 6 2012 incoming
drwx------ 2 secuser chroot 4.0K Jan 10 2012 outgoing
dr-x------ 2 secuser chroot 4.0K Dec 16 2011 .ssh
Testing the Chroot sftp setup from anyother server
login@remoteserver$sftp secuser@fileserver
Connecting to 192.168.12.4...
secuser@192.168.12.4's password:
sftp> cd /
sftp> pwd
Remote working directory: /
sftp> ls -la
drwxr-xr-x 5 0 522 4.0K Dec 19 2011 .
drwxr-xr-x 3 0 522 4.0K Dec 19 2011 ..
drwx------ 2 0 522 4.0K Jan 6 2012 incoming
drwx------ 2 0 522 4.0K Jan 10 2012 outgoing
dr-x------ 2 0 522 4.0K Dec 16 2011 .ssh
sftp>cd incoming
sftp> put test
uploading test to /incoming/test
test
sftp>
Thats it, chroot sftp setup for secure file transfer has been completed ... the remote user can't traverse to the actual root directory and see the server files. All the communications are happened within the directory inside the chroot login.
