How to Chroot SFTP Users on Linux for maximum security

Posted by Unknown Rabu, 05 Februari 2014 0 komentar
http://linuxaria.com/article/how-to-chroot-sftp-users-on-linux-for-maximum-security?lang=en

A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally not access) files outside the designated directory tree. The term “chroot” may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a “chroot jail”. From Wikipedia.
Why it is required? If you want to set up your Linux box as a web hosting server for its users, you may need to give SFTP access. But they can get access to whole system Linux tree, just for reading but still very unsecure. So it is mandatory to lock them in their home directory.
There are many other applications, it’s just a common example, so lets start its configuration.



Linux Box Detail:

Its mine Linux Box, your Linux system may vary. Only thing to take care is the openssh-server version, because openssh-server-5.3p1 support SFTP chroot. Older version supports but its tricky, please let me k now if you want to know that too.
Operating System: CentOS 6.3/x86_64
Kernel Version: 2.6.32-279.19.1.el6/x86_64
Openssh Server Version: openssh-server-5.3p1-81.el6_3/x86_64
chroot

sshd Server Configuration:

Add the following tail output to your Linux box’s SSH
server configuration file /etc/ssh/sshd_config.
[rahulpanwar@myhost ~]# tail -6 /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group www-hosting
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Then restart sshd service to enable this configuration.
[rahulpanwar@myhost ~]# sudo /etc/init.d/sshd restart

Create Chroot Users:

[rahulpanwar@myhost ~]# sudo mkdir /etc/skel/public_html
[rahulpanwar@myhost ~]# sudo groupadd www-hosting
[rahulpanwar@myhost ~]# sudo useradd -s /sbin/nologin -g www-hosting linuxexplore.com

Setting Permissions:

[rahulpanwar@myhost ~]# sudo chown root:www-hosting /home/linuxexplore.com
[rahulpanwar@myhost ~]# sudo chmod 755 /home/linuxexplore.com
That’s all now create multiple users for web hosting, and offer the secure sftp access to your customers.

Shell Script to Create Web Hosting Users:

#!/bin/bash
HOSTING_DIR="/etc/skel/public_html"
CHROOT_GRP="www-hosting"
USR_NAME="$1"

[ ! -d "$HOSTING_DIR" ] && mkdir -p $HOSTING_DIR
grep ^"${CHROOT_GRP}:" /etc/group || /usr/sbin/groupadd www-hosting
grep ^"${USR_NAMEP}:" /etc/passwd || /usr/sbin/useradd -s /sbin/nologin -g $CHROO_GRP $USR_NAME
chown root:$CHROOT_GRP /home/$USR_NAME
chmod 755 /home/$USR_NAME

Selinux Configuration:

Disable the selinux permanently or configure it for read write user’s home directory in SSH chroot.
[rahulpanwar@myhost ~]# sudo setsebool -P ssh_chroot_rw_homedirs on
[rahulpanwar@myhost ~]# sudo restorecon -R /home/$USERNAME

Troubleshooting

sshd[3505]: fatal: bad ownership or modes for chroot directory "/home/linuxexplore.com"
It’s ChrootDirectory ownership problem, sshd will reject sftp connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd doesn’t consider secure. sshd’s apparently strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable for the owner. So, for example, if the chroot environment is in a user’s home directory both /home and /home/username must be owned by root and have permissions like 755 or 750 ( group ownership should allow user to access ).
If you are using sftp with public key check the following link:
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=37903&forum=59
If chroot environment is in user’s home directory, make sure user have access to its home directory, or user would not be able to access its publickey, produce the error given in above CentOS forum link.
TERIMA KASIH ATAS KUNJUNGAN SAUDARA
Judul: How to Chroot SFTP Users on Linux for maximum security
Ditulis oleh Unknown
Rating Blog 5 dari 5
Semoga artikel ini bermanfaat bagi saudara. Jika ingin mengutip, baik itu sebagian atau keseluruhan dari isi artikel ini harap menyertakan link dofollow ke https://androidblackberries.blogspot.com/2014/02/how-to-chroot-sftp-users-on-linux-for.html. Terima kasih sudah singgah membaca artikel ini.

0 komentar:

Posting Komentar

Trik SEO Terbaru support Online Shop Baju Wanita - Original design by Bamz | Copyright of android blackberry.