+4 votes
253 views
SFTP access without Shell or Chroot SFTP in Ubuntu

in Guides by (552k points)
reopened | 253 views

1 Answer

+5 votes
Best answer

Introduction to SFTP access without Shell in Ubuntu
Configure the SFTP server to limit SSH access (restrict access to the terminal)

There has been much talk about the FTP protocol lately and everything indicates that it is outdated and that it has ceased to be secure, all this is compounded because today we have a safer alternative known as SFTP (Secure File Transfer Protocol) . In this article I will show how to configure our SFTP server to only allow the use of SFTP and not allow using SSH (Chroot SFTP) commands .

image

All tests have been performed on a DigitalOcean VPS server running Ubuntu 14.04 x64 operating system.

Introduction to SFTP access without Shell in Ubuntu

The first thing we have to know is that the SFTP protocol is more secure because authentication is done through SSH, so SFTP is considered as an extension of the SSH protocol specially designed to transfer and manage files .

The problem that we encounter with the default configuration in Ubuntu, is that a user who needs access through SFTP, also has to have access through SSH being able to execute all kinds of commands that can compromise our server.

What we are going to learn in this article is how to allow a user access through SFTP but without allowing SSH access. In addition, we are going to "cage" the user in his home folder so that he cannot freely access the rest of the files on the server as it could compromise the security of the server. This is what is known as making Chroot to SFTP users, that is, limiting their permissions so that they can only access files / folders in their home folder.

Configure the SFTP server to limit SSH access (restrict access to the terminal)

In this section I could show several configurations according to the users' organizational needs, I am going to show a very simple configuration that allows you to understand the process, so that later you can adjust it to your needs.

First we will create a user named "sftptest" to which we will give SFTP access, for this we execute the command:
adduser sftptest

Then we remove the permissions to the user to access the shell / terminal with the following command:
chsh -s /bin/false sftptest

Now the user cannot access through SSH or execute commands in the terminal.

The next step will be to create a user group called "sftpusers" to which we will restrict your access so that you can use only SFTP:
addgroup sftpusers

Now we add to this group the user we created before:
gpasswd -a sftptest sftpusers

Then we modify the file /etc/ssh/sshd_config , I use the nano editor of the terminal.

The first thing is to look for the line:
Subsystem sftp /usr/lib/openssh/sftp-server

We leave it commented (adding the # character at the beginning of the line) and add just below the following line so that the result is as follows:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

At the end of the file (very important that it is at the end or it won't work) we add the following lines:

Match Group sftpusers
        ChrootDirectory /home
        ForceCommand internal-sftp
        AllowTCPForwarding no
        X11Forwarding no

Finally we restart the SSH service with the command:
service ssh restart

Now all users accessing through SFTP will be locked in the /home folder. It is very important that this folder owns the root user or it will not work. In other words, the folder where we do the Chroot must have the root user as its owner. The /home folder in Ubuntu by default owns the root user, so we do not need to modify anything, but that you know that the command to change ownership to a folder would be something like the following:
chown root:root /carpeta/usuario/sftp/archivos

If you have several users and you want them to not be able to access each other's folders, you must change the permissions of their home folder with the following command:
chmod 700 /home/usuario

In our example the command would be:
chmod 700 /home/sftptest

You should know that this directory structure / premises although it does not allow access to a user's home folder by other users, it does allow to list all users with SFTP access. If you need a more restrictive configuration, you may have to use the Match User usuario and ChrootDirectory %h in the configuration of the /etc/ssh/sshd_config (this article is basic, so I will not go into explaining this advanced configuration, maybe later) .

Finally, leave the note that to access through SFTP you can use FileZilla by placing in the field Server sftp:// followed by the ip of your server, for example sftp://128.50.50.50 .

I hope you found the article useful and if you have any doubts, do not hesitate to use the comments.


by (3.5m points)

Related questions

+4 votes
1 answer
+3 votes
1 answer
asked Aug 9, 2019 in Guides by backtothefuture (552k points) | 211 views
+4 votes
1 answer
+4 votes
1 answer
+4 votes
1 answer
asked Aug 9, 2019 in Guides by backtothefuture (552k points) | 253 views
Sponsored articles cost $40 per post. You can contact us via Feedback

Most popular questions within the last 30 days

10,659 questions
10,791 answers
510 comments
3 users