Setting up a chrooted SFTP server on CentOS 7 (systemd)

SFTP is the preferred way to share files with other users and is more secure than plain FTP. The default port which SFTP listens on is 21. The steps to set up a chrooted SFTP server on CentOS 7 are:

  1. SSH installation and enabling at server boot

    Since SFTP is a subsystem of SSH, we need to install the OpenSSH server and enable it to start at each server reboot.

    1. Install OpenSSH server.
      Note: Most standard Linux server installs already have the openssh-server package installed, in which case you can skip this step.
      Likewise, if you are connecting to the server remotely over SSH, it is already installed; skip to the next step.

      yum -y install openssh-server openssh-clients
    2. Configure the SSH to start automatically at server boot.
      systemctl enable sshd
    3. Start the SSH service.
      systemctl start sshd
  2. Setup the SSH daemon

    Open the file /etc/ssh/sshd_config in a text editor like vi or nano

    1. Comment out the existing sftp Subsystem line by adding a # sign at the beginning of it (the path on your system may differ):
      #Subsystem sftp /usr/local/libexec/sftp-server
    2. Paste the following line below it:
      Subsystem sftp internal-sftp
    3. Scroll to the end of the config file and paste the following lines, which apply the chroot and SFTP-only settings to every member of the sftponly group. Then save and exit sshd_config.
      Match Group sftponly
          ChrootDirectory %h
          ForceCommand internal-sftp
          X11Forwarding no
          AllowTcpForwarding no
  3. Restart the SSH daemon
    systemctl restart sshd
  4. Create the new group for SFTP

    We are using the group name sftponly, as referenced by the Match Group rule in sshd_config above.
    You may choose a different group name, but then remember to change the Match Group line in sshd_config so that it matches the new name.

    groupadd sftponly
  5. Adding a user

    We are creating a new user named john who will be able to log in over SFTP and manage only his own files.
    Note: The user john cannot log in to the server over SSH with the same credentials. The sole purpose of this account is access to the SFTP subsystem, which is why its login shell is intentionally set to /bin/false.

    useradd john -g sftponly -s /bin/false
    passwd john
  6. Setting up the permissions on the directories for the user to read and write data

    Since we are setting up a jailed environment for the user, we have to set the necessary permissions on the directories we are giving access to. sshd refuses the chroot unless the chroot directory itself (here the user's home) is owned by root and writable by nobody else, so the user gets a subdirectory of his own for his data. This also means that no two users can view or modify each other's data.

    mkdir /home/john/datadir
    chown root /home/john
    chmod 755 /home/john
    chown john /home/john/datadir
    chmod 755 /home/john/datadir
  7. SELinux configuration

    If you are using SELinux as an additional security feature, you will have to set the SELinux boolean that allows chrooted SFTP users to read and write in their home directories:

    setsebool -P ssh_chroot_rw_homedirs on
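The steps above collected into one script, as an added example that is not the original post's code: it rewrites sshd_config idempotently (commenting out the external sftp-server line whatever its path, adding internal-sftp and the Match block once), validates the result with sshd -t before restarting, creates the group, user and directory layout from the post, and checks the ownership and mode that sshd enforces on the chroot directory. The group sftponly, the user john and the datadir subdirectory are the post's; the function names, the SFTP_GROUP variable and the --apply switch are my own.

```shell
#!/bin/sh
# Added example script (not from the original post). Assumed names: the
# group "sftponly", the user "john" and "datadir" come from the post; the
# function names, SFTP_GROUP and the --apply switch are this script's own.
set -eu

SFTP_GROUP="${SFTP_GROUP:-sftponly}"

# Rewrite an sshd_config file ($1) so that sftp is served by internal-sftp and
# members of group $2 are chrooted into their home. Idempotent: a second run
# leaves exactly one internal-sftp Subsystem line and one Match block.
configure_sshd() {
    cfg="$1"; grp="$2"
    # Comment out the external sftp-server subsystem, whatever its path is.
    sed -i 's|^[[:space:]]*Subsystem[[:space:]]\{1,\}sftp[[:space:]]\{1,\}/.*|#&|' "$cfg"
    grep -q '^Subsystem[[:space:]]\{1,\}sftp[[:space:]]\{1,\}internal-sftp' "$cfg" \
        || printf 'Subsystem sftp internal-sftp\n' >> "$cfg"
    grep -q "^Match Group $grp\$" "$cfg" || cat >> "$cfg" <<EOF
Match Group $grp
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
EOF
}

# Return 0 if directory $1 satisfies sshd's ChrootDirectory rules: owned by
# root and not writable by group or others. Otherwise sshd rejects the login
# with "bad ownership or modes for chroot directory".
chroot_dir_ok() {
    dir="$1"
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = 0 ] || return 1
    # 022 (octal) is the group-write and other-write bits; none may be set.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Create group $2, the shell-less user $1 and the layout from the post: the
# home (chroot root) belongs to root, the datadir inside it belongs to the user.
create_sftp_user() {
    user="$1"; grp="$2"
    getent group "$grp" >/dev/null || groupadd "$grp"
    id "$user" >/dev/null 2>&1 || useradd -g "$grp" -s /bin/false "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    mkdir -p "$home/datadir"
    chown root:root "$home" && chmod 755 "$home"
    chown "$user:$grp" "$home/datadir" && chmod 755 "$home/datadir"
    chroot_dir_ok "$home"
}

main() {
    cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    configure_sshd /etc/ssh/sshd_config "$SFTP_GROUP"
    # Never restart on a broken config: sshd -t parses it and exits non-zero on error.
    sshd -t
    create_sftp_user john "$SFTP_GROUP"
    passwd john
    # Only needed when SELinux is enforcing (selinuxenabled comes with libselinux-utils).
    if command -v selinuxenabled >/dev/null && selinuxenabled; then
        setsebool -P ssh_chroot_rw_homedirs on
    fi
    systemctl enable sshd && systemctl restart sshd
}

# The privileged steps run only when explicitly asked: sh sftp-setup.sh --apply
if [ "${1-}" = "--apply" ]; then main; fi
```

Run it as root with --apply on the server; without the switch the functions are only defined, so configure_sshd can be tried on a copy of sshd_config first, and chroot_dir_ok can be pointed at any existing user's home to find out why a chrooted login is being refused.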

Comment

  1. Nice post, thank you.
    “The default port which SFTP listens on is 21”
    Isn’t that the default for FTP? I thought SFTP was 22?