Hands-on lab – setting up a chroot directory for the sftpusers group

For this lab, you can use either the CentOS VM or the Ubuntu VM. You'll add a group, then configure the sshd_config file so that group members can log in only via SFTP, and then confine them to their own directories. For the simulated client machine, you can use the Terminal of your macOS or Linux desktop machine, or any of the available Bash shells on your Windows machine. Let's get started:

  1. Create the sftpusers group:

sudo groupadd sftpusers

  2. Create a user account for Max and add him to the sftpusers group. On CentOS, do the following:

sudo useradd -G sftpusers max

On Ubuntu, do the following:

sudo useradd -m -d /home/max -s /bin/bash -G sftpusers max

  3. For Ubuntu, ensure that each user's home directory is set with read, write, and execute permissions for the directory's owner only. If that's not the case, do the following:

sudo chmod 700 /home/*

  4. Open the /etc/ssh/sshd_config file in your preferred text editor. Find the line that says the following:

Subsystem sftp /usr/lib/openssh/sftp-server

Change it to the following:

Subsystem sftp internal-sftp

  5. At the end of the sshd_config file, add the following stanza:

Match Group sftpusers
ChrootDirectory /home
AllowTCPForwarding no
AllowAgentForwarding no
X11Forwarding no
ForceCommand internal-sftp

  6. Restart the SSH daemon. On CentOS, do the following:

sudo systemctl restart sshd

On Ubuntu, do the following:

sudo systemctl restart ssh

  7. Have Max try to log in through normal SSH, to see what happens:

ssh max@IP_Address_of_your_vm

  8. Now, have Max log in through SFTP. Once he's in, have him try to cd out of the /home directory:

sftp max@IP_Address_of_your_vm
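
The stanza above depends on ChrootDirectory /home being acceptable to sshd: the chroot and every directory above it up to / must be owned by root and not writable by group or others, or sshd closes Max's SFTP session with only "bad ownership or modes for chroot directory" in its own log. The following script is an added example, not part of the book's lab; it runs that same check before you test Max's login. The optional owner argument is an assumption of this example, there only so the check can be exercised on a constructed tree by an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the book). sshd only honours ChrootDirectory
# when the chroot and every directory above it, up to /, are owned by
# root and not writable by group or others. The SFTP client is not told
# why; the session is just closed, and the sshd log shows
# "bad ownership or modes for chroot directory". Uses GNU/busybox stat.

# Check one directory: owner must be uid $2 (default 0 = root) and the
# group and other write bits must be clear. Returns 0 when acceptable.
check_chroot_component() {
    cdir=$1
    cuid=${2:-0}
    uid=$(stat -c %u "$cdir" 2>/dev/null) || { echo "missing: $cdir"; return 2; }
    modestr=$(stat -c %A "$cdir")           # e.g. drwxr-xr-x
    status=0
    [ "$uid" -eq "$cuid" ] || { echo "bad owner (uid $uid): $cdir"; status=1; }
    # Characters 6 and 9 of the mode string are the group and other write bits.
    [ "$(printf '%s' "$modestr" | cut -c6,9)" = "--" ] ||
        { echo "group/other writable ($modestr): $cdir"; status=1; }
    return $status
}

# Walk from the chroot directory up to / and check every component, as
# sshd does before it chroots the session. For the lab's stanza this is:
#   check_chroot_path /home
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    case $dir in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $dir"; return 2 ;;
    esac
    rc=0
    while :; do
        check_chroot_component "$dir" "$want_uid" || rc=1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && echo "ok: $1 is acceptable as a ChrootDirectory"
    return $rc
}

# Check the path given as the first argument, e.g.: sh check_chroot.sh /home
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Note that /home/max itself may stay owned by Max with mode 700: it sits inside the chroot, and only the chroot and its ancestors are subject to the ownership rule.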

You've reached the end of the lab – congratulations!

Now that you know how to securely configure SFTP, let's look at how to securely share a directory.
