There has been much talk about the FTP protocol lately, and everything indicates that it is outdated and no longer secure: it sends credentials and file contents in cleartext. On top of that, today we have a safer alternative known as SFTP (SSH File Transfer Protocol, often expanded as Secure File Transfer Protocol). In this article I will show how to configure our SFTP server so that users can only use SFTP and cannot run commands over SSH (chrooted SFTP).
All tests have been performed on a DigitalOcean VPS running the Ubuntu 14.04 x64 operating system.
Introduction to SFTP access without Shell in Ubuntu
The first thing we have to know is that SFTP is more secure because it runs inside an SSH session: authentication, encryption and integrity protection are all provided by SSH. SFTP is therefore considered an extension of the SSH protocol designed specifically to transfer and manage files.
The problem with the default configuration in Ubuntu is that a user who needs SFTP access also gets SSH access, and with it the ability to run all kinds of commands that could compromise our server.
What we are going to learn in this article is how to allow a user access through SFTP but without allowing SSH access.
In addition, we are going to "cage" the user in his home folder so that he cannot freely browse the rest of the files on the server, since that could also compromise its security. This is what is known as chrooting SFTP users: limiting them so that they can only access files and folders under their home folder.
Configure the SFTP server to limit SSH access (restrict access to the terminal)
In this section I could show several configurations depending on how the users are organised; I am going to show a very simple one that lets you understand the process, so that later you can adjust it to your needs.
First we create a user named "sftptest" to which we will give SFTP access; for this we run the command:
adduser sftptest
Then we take away the user's ability to get a shell by assigning a shell that exits immediately:
chsh -s /bin/false sftptest
With this shell the user can no longer open an interactive terminal or run commands over SSH. Note that this alone is not the whole restriction: until the Match block added below is in place, an SSH client that authenticates as this user can still request things such as port forwarding without ever running the shell, so complete both steps.
The next step is to create a group called "sftpusers" whose members we will restrict to SFTP only:
addgroup sftpusers
Now we add to this group the user we created before:
gpasswd -a sftptest sftpusers
Then we edit the file /etc/ssh/sshd_config; I use the nano editor in the terminal.
The first thing is to look for the line:
Subsystem sftp /usr/lib/openssh/sftp-server
We comment it out (adding the # character at the beginning of the line) and add the following line just below it, so that the result looks like this:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
internal-sftp is the SFTP server built into sshd itself. It is required here because once a user is chrooted, the external /usr/lib/openssh/sftp-server binary (and the libraries it needs) no longer exist inside the chroot, so the external server could not be started.
At the end of the file (it is very important that these lines go at the end: every directive that follows a Match line belongs to that block until the next Match, so any global option placed below it would silently apply only to that group) we add the following lines:
Match Group sftpusers
ChrootDirectory /home
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
ChrootDirectory locks members of the group inside /home; ForceCommand internal-sftp runs the built-in SFTP server regardless of what command the client asks for, which is what really blocks the shell; and the two forwarding options stop the user from tunnelling TCP or X11 traffic through our server.
Finally we restart the SSH service with the command:
service ssh restart
Keep the terminal session you are working in open and test the new configuration from a second connection: a mistake in sshd_config can prevent sshd from starting and lock you out of the server.
Now every user in the sftpusers group who connects via SFTP is locked inside the /home folder.
It is very important that this folder is owned by root and is not writable by its group or by other users, or the login will fail: sshd refuses the chroot and logs "bad ownership or modes for chroot directory". The same rule applies to every parent directory of the chroot path, up to /.
In other words, the folder where we chroot must have root as its owner and permissions no more open than 755. The /home folder in Ubuntu is owned by root with those permissions by default, so we do not need to change anything, but so that you know, the command to change the ownership of a folder would be something like the following:
chown root:root /folder/user/sftp/files
If you have several users and you want them to be unable to enter each other's folders, change the permissions of each user's home folder with the following command:
chmod 700 /home/username
In our example the command would be:
chmod 700 /home/sftptest
The users' home folders stay owned by the users themselves (only the chroot folder /home has to belong to root), which is what lets them create and upload files.
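The two mistakes that most often break this setup are a chroot path that sshd rejects (wrong owner or group/world-writable somewhere between / and the chroot folder) and an sshd_config edit that does not end up with internal-sftp in both places. The following POSIX shell script, an added example that is not part of the original article, runs those pre-flight checks. It assumes a Linux host with GNU (or busybox) stat, as on the Ubuntu server used here; the function names check_chroot_component, check_chroot_path and check_sftp_config are this example's own, not sshd tooling.

```shell
#!/bin/sh
# Added example: pre-flight checks for a chrooted SFTP setup.
# Not part of the original article. Assumes GNU/busybox stat (-c) as on Ubuntu.
# The function names are this example's own, not part of OpenSSH.

# check_chroot_component DIR [OWNER_UID]
# Verifies one directory the way sshd checks each ChrootDirectory component:
# owned by OWNER_UID (default 0 = root) and not writable by group or others.
check_chroot_component() {
    dir=$1
    owner_uid=${2:-0}
    uid=$(stat -c '%u' "$dir") || return 1
    perm=$(stat -c '%A' "$dir") || return 1
    if [ "$uid" != "$owner_uid" ]; then
        echo "$dir: owned by uid $uid, expected $owner_uid" >&2
        return 1
    fi
    # In "drwxr-xr-x" characters 6 and 9 are the group and other write bits.
    gw=$(printf '%s' "$perm" | cut -c6)
    ow=$(printf '%s' "$perm" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "$dir: writable by group or others ($perm); sshd will refuse the chroot" >&2
        return 1
    fi
    return 0
}

# check_chroot_path DIR [OWNER_UID]
# sshd validates every component from / down to the chroot directory, so a
# correct /home is not enough if, say, a parent is group-writable. Walks the
# whole path and stops at the first offending component.
check_chroot_path() {
    owner_uid=${2:-0}
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while the path is word-split
    set -- $1
    set +f
    IFS=$old_ifs
    path=/
    check_chroot_component "$path" "$owner_uid" || return 1
    for component in "$@"; do
        [ -n "$component" ] || continue
        path="${path%/}/$component"
        check_chroot_component "$path" "$owner_uid" || return 1
    done
    return 0
}

# check_sftp_config FILE [GROUP]
# Confirms that FILE (an sshd_config) does what the article's edit intends:
# the sftp subsystem is internal-sftp and a "Match Group GROUP" block carries
# both ChrootDirectory and ForceCommand internal-sftp. Comments are ignored
# and keywords are matched case-insensitively, as sshd does.
check_sftp_config() {
    awk -v group="${2:-sftpusers}" '
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }                          # drop comments
        NF == 0 { next }                            # and blank lines
        tolower($1) == "match" {                    # a new Match block starts here
            in_block = (tolower($2) == "group" && $3 == group)
            if (in_block) seen = 1
            next
        }
        tolower($1) == "subsystem" && $2 == "sftp" && !in_block { subsystem = $3 }
        in_block && tolower($1) == "forcecommand"    { force = ($2 == "internal-sftp") }
        in_block && tolower($1) == "chrootdirectory" { chroot = $2 }
        END {
            if (subsystem != "internal-sftp") {
                print "Subsystem sftp must be internal-sftp, found: " subsystem; bad = 1
            }
            if (!seen) { print "no \"Match Group " group "\" block"; bad = 1 }
            else {
                if (!force)       { print "ForceCommand internal-sftp missing in Match block"; bad = 1 }
                if (chroot == "") { print "ChrootDirectory missing in Match block"; bad = 1 }
            }
            exit bad
        }' "$1"
}

# Usage on the server, as root:  sh sftp-precheck.sh /home sftpusers
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" 0 \
        && check_sftp_config /etc/ssh/sshd_config "${2:-sftpusers}" \
        && echo "chroot path and sshd_config look good"
fi
```

Run it before restarting the service; if both checks pass, validate the whole file with sshd -t (which reports syntax errors without touching the running daemon) and only then restart. Note that the ChrootDirectory check is mirrored for the chroot folder and its parents only; the per-user folders underneath are supposed to belong to the users, so they are deliberately not checked.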
Be aware that although this directory layout stops users from entering each other's home folders, it still lets every SFTP user list /home and therefore see the names of all the other SFTP users. If you need a more restrictive configuration, you will have to chroot each user into his own folder, using Match User username together with ChrootDirectory %h in /etc/ssh/sshd_config (%h expands to the user's home directory). In that layout the home folder itself must be owned by root and not writable by the user, so you create a writable subfolder inside it for uploads. This article is basic, so I will not go into that advanced configuration here; maybe later.
Finally, note that to connect via SFTP you can use FileZilla, entering in the Host field sftp:// followed by the IP of your server, for example sftp://128.50.50.50.
I hope you found the article useful and if you have any doubts, do not hesitate to use the comments.