Creating a group and configuring the sshd_config file

With the exception of the slight difference in user-creation commands, this procedure works the same for either CentOS or Ubuntu. So, you can use either one of your virtual machines to follow along. We'll begin by creating an sftpusers group.

sudo groupadd sftpusers

Create the user accounts, and add them to the sftpusers group. We'll do both operations in one step. On your CentOS machine, the command for creating Max's account would be:

sudo useradd -G sftpusers max

On your Ubuntu machine, it would be:

sudo useradd -m -d /home/max -s /bin/bash -G sftpusers max

Open the /etc/ssh/sshd_config file in your favorite text editor. Find the line that says:

Subsystem sftp /usr/lib/openssh/sftp-server

Change it to:

Subsystem sftp internal-sftp

This setting tells sshd to use its built-in SFTP server instead of the external sftp-server binary, which is what makes it possible to confine certain users to SFTP and disable their normal SSH login.

At the bottom of the sshd_config file, add a Match Group stanza:

Match Group sftpusers
ChrootDirectory /home
AllowTCPForwarding no
AllowAgentForwarding no
X11Forwarding no
ForceCommand internal-sftp

An important consideration here is that the ChrootDirectory has to be owned by the root user, and it can't be writable by anyone other than the root user. When Max logs in, he'll be in the /home directory, and will then have to cd into his own directory. This also means that you want all users' home directories to have the restrictive 700 permissions setting, in order to keep everyone out of everyone else's stuff.
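Before restarting the daemon, it is worth checking both requirements from the paragraph above in one go. The following script is an added example, not from the book: it checks that the chroot directory (and, as sshd also requires, every parent component) is root-owned and not group/other-writable, and that each user directory under it is mode 700. It assumes GNU coreutils stat; the optional uid argument exists only so the checks can be exercised on a scratch tree that root does not own.

```shell
#!/bin/sh
# Pre-flight check for the ChrootDirectory requirements (added example, not
# the book's code). Assumes GNU stat -c.
#   1. Chroot dir and every parent: owned by root, no group/other write bit;
#      sshd otherwise refuses with "bad ownership or modes for chroot directory".
#   2. Each user directory inside the chroot: mode 700.

# check_dir_ok DIR [UID]: 0 if DIR is owned by UID (default 0 = root) and has
# no group/other write bit, 1 otherwise.
check_dir_ok() {
    path=$1 want=${2:-0}
    uid=$(stat -c '%u' "$path" 2>/dev/null) || return 1
    mode=$(printf '%04d' "$(stat -c '%a' "$path")")   # e.g. 0755, 1777
    oth=${mode#"${mode%?}"}                            # last octal digit
    tmp=${mode%?}; grp=${tmp#"${tmp%?}"}               # second-to-last digit
    if [ "$uid" -ne "$want" ] || [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
        echo "bad ownership or mode on $path (uid=$uid mode=$mode)" >&2
        return 1
    fi
    return 0
}

# check_chroot_path DIR [UID]: applies check_dir_ok to DIR and each parent
# up to /, mirroring what sshd verifies for ChrootDirectory.
check_chroot_path() {
    dir=$1
    while :; do
        check_dir_ok "$dir" "${2:-0}" || return 1
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# check_home_modes DIR: 0 if every directory directly under DIR is mode 700.
check_home_modes() {
    rc=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        hmode=$(stat -c '%a' "$d")
        if [ "$hmode" != 700 ]; then
            echo "$d is mode $hmode, expected 700" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_chroot.sh /home   (the book's ChrootDirectory)
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && check_home_modes "$1" && echo "OK: $1 is ready for ChrootDirectory"
fi
```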

Save the file and restart the SSH daemon. Then, try to log on as Max through normal SSH, just to see what happens:

donnie@linux-0ro8:~> ssh max@192.168.0.8
max@192.168.0.8's password:
This service allows sftp connections only.
Connection to 192.168.0.8 closed.
donnie@linux-0ro8:~>

Okay, so he can't do that. Let's now have him try to log in through SFTP, and verify that he is in the /home directory:

donnie@linux-0ro8:~> sftp max@192.168.0.8
max@192.168.0.8's password:
Connected to 192.168.0.8.
drwx------ 7 1000 1000 4096 Nov 4 22:53 donnie
drwx------ 5 1001 1001 4096 Oct 27 23:34 frank
drwx------ 3 1003 1004 4096 Nov 4 22:43 katelyn
drwx------ 2 1002 1003 4096 Nov 4 22:37 max
sftp>

Now, let's see him try to cd out of the /home directory:

sftp> cd /etc
Couldn't stat remote file: No such file or directory
sftp>

So, our chroot jail does indeed work.
