SFTP Jail
About
These instructions describe how to set up a second sshd server, independent from the already-installed sshd, without the need for installing additional packages onto the system. The purposes for doing this may be numerous, but the purpose described here (specifically in the second section) is to provide a dedicated sftp server that jails all connecting users to their home directory.
The original instructions for running multiple ssh instances on Red Hat style systems were provided by Dale Dellutri at the address: http://fixunix.com/ssh/364505-running-multiple-sshd-instances-one-server.html
I have fleshed out the above instructions, modifying them for Debian and specifically to provide a second ssh instance which serves an sftp jail.
Create a second, independent sshd
The instructions below use ‘sftpjail’ because the next section of instructions pertains to only allowing users to sftp to their home directories. However, you can use a different name and configure the second ssh server to do whatever you want (like having an admin login that is treated with a higher priority by the firewall, or having a second sshd so that the primary sshd can be completely stopped/reconfigured, etc). The purpose and difference between the original sshd and your copy only lies in the options you use in their sshd_config files and how you treat their traffic.
1. Copy the ssh_config to a new file. Modify the new file to fit your requirements. For sftpjail purposes, no modifications should be needed.
cp -p /etc/ssh/ssh_config /etc/ssh/sftpjail_config
2. Copy the sshd_config to a new file. Modify this also to fit your needs. In particular, you should change one or more of ListenAddress and Port so that this sshd does not conflict with your normal sshd.
It is recommended to use different HostKey files. Their generation is explained in step 6. The paths used for the sftpjail are /etc/ssh/sftpjail_host_rsa_key and /etc/ssh/sftpjail_host_dsa_key.
cp -p /etc/ssh/sshd_config /etc/ssh/sftpjaild_config
3. Create a symlink to sshd named sftpjaild.
cd /usr/sbin/
ln -s sshd sftpjaild
4. Create a symlink to the pam.d ssh settings for the sftpjail.
cd /etc/pam.d/
ln -s sshd sftpjaild
5. Copy the service launching script. This file needs to be modified so that pretty much everywhere sshd is referenced sftpjaild should be substituted. This includes executables, config files, pid files and key files, for example. On CentOS/RHEL this file is sshd, not ssh.
cp -p /etc/init.d/ssh /etc/init.d/sftpjail
Also, on Debian add a -f option so that the sftpjaild_config file is used for configuration: SSHD_OPTS="$SSHD_OPTS -f /etc/ssh/sftpjaild_config", as shown below.
# Look for this section:
if [ -n "$2" ]; then
    SSHD_OPTS="$SSHD_OPTS $2"
fi
# Add this line:
SSHD_OPTS="$SSHD_OPTS -f /etc/ssh/sftpjaild_config"
Also on Debian, change Required-Start to $all so that this instance starts after all other services and cannot bind first and prevent your normal sshd from starting.
# Required-Start: $all
6. Add the service to the init scripts and generate the new HostKey files. Finally, start the service.
On Debian:
update-rc.d sftpjail defaults
ssh-keygen -b 2048 -t rsa -f /etc/ssh/sftpjail_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/sftpjail_host_dsa_key
/etc/init.d/sftpjail start
On CentOS/RHEL:
chkconfig --add sftpjaild
service sftpjaild start # this will automatically create specified keys
Configure sftp only and jailing
1. In sftpjaild_config, add the following to the end of the file. This jails the user to their home directory, but you may change the directory mapping, or jail them to a directory within their home, such as /home/%u/public_html. In order for jailing to work, the ChrootDirectory must be owned by root.
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
2. The above will result in jailing every user that connects to this sshd server. If you would rather control which users are jailed and which are not, then instead add the additional Match directive as shown below and also follow steps 3 and 4.
Match Group sftpjail
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
3. Create the sftpjail group.
groupadd sftpjail
4. Add user(s) to sftpjail group. These users will be jailed. Users not in this group will not be jailed, and sftp will work normally for them.
usermod -a -G sftpjail [username]
Also, if your users are only going to be uploading files for the web, then change their primary group to www-data (Debian) or apache (CentOS/RHEL).
usermod -g www-data [username]
5. Optionally, you may wish to restrict sftp users' login capabilities further. If the user is never supposed to have console access, disable their login shell.
usermod -s /bin/false [username]
6. Also optionally, you may wish to further restrict who can log into the sftp server by adding more options to the sftpjaild_config. If you are using the sftpjail group as described above, you may want only jailed users to use this server (AllowGroups). Or, if you are not using an sftpjail group, you can still restrict the use of the sftp server on a per-user basis (AllowUsers).
AllowGroups sftpjail
or
AllowUsers username
7. Restart ssh and celebrate by giving to charity or getting me something on my wish list.
/etc/init.d/sftpjail restart
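Step 1 says the ChrootDirectory must be owned by root. sshd applies that rule to every component of the path: each must be a root-owned directory that is not writable by group or others, so with ChrootDirectory /home/%u the user needs a subdirectory of their own for uploads. The check below is an added example, not part of the original instructions; the function names are illustrative and it assumes the usual ls -ldn long format.

```shell
#!/bin/sh
# Added example (not from the original page); function names are illustrative.

# dir_is_safe DIR [UID]
# True when DIR is a directory owned by UID (default 0, which is what sshd
# demands) and carries no group or other write bit.
dir_is_safe() {
    [ -d "$1" ] || return 1
    # ls -ldn prints "drwxr-xr-x LINKS UID GID ..."; characters 6 and 9 of
    # the mode string are the group and other write bits.
    ls -ldn -- "$1" | awk -v uid="${2:-0}" '
        { exit !($3 == uid && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }'
}

# chroot_path_problems DIR [UID]
# Resolves DIR to its physical path, walks from there up to / and prints
# every component that fails dir_is_safe. Returns 0 only when the whole
# path would be accepted.
chroot_path_problems() (
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot enter: $1"; exit 1; }
    rc=0
    while :; do
        dir_is_safe "$dir" "${2:-0}" || { echo "unsafe: $dir"; rc=1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    exit "$rc"
)

# Usage: sh check_chroot.sh /home/alice   (alice is a placeholder user name)
if [ $# -gt 0 ]; then
    chroot_path_problems "$1"
fi
```

The optional UID argument exists only so the functions can be exercised without root; for a real jail leave it at the default of 0.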
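Steps 2 to 6 leave users unjailed on this sshd whenever the group named on the Match line differs from the group admitted by AllowGroups, or when AllowGroups is placed below the Match line and is read as part of that block. The audit below is an added example, not part of the original instructions; the function name is illustrative and it handles only the simple layouts listed in its comments.

```shell
#!/bin/sh
# Added example (not from the original page); the function name is illustrative.

# unjailed_groups CONFIG
# Prints every group that may log in to this sshd without being jailed:
#   (nothing)  everyone who can log in is chrooted and forced to internal-sftp
#   *          no global AllowGroups line and no global jail
#   NAME       a group admitted by AllowGroups but jailed by no Match block
# Simplifications: only "Match Group a,b" with no other criterion counts as a
# jailing block, names are compared literally (no wildcards), and only an
# AllowGroups line above the first Match is read, because any line below a
# Match belongs to that block.
unjailed_groups() {
    awk '
    function close_block(   i, n, g) {
        if (chroot && sftp) {
            if (scope == "") global_jail = 1
            else if (scope != "-") {
                n = split(scope, g, ",")
                for (i = 1; i <= n; i++) jailed[g[i]] = 1
            }
        }
        chroot = sftp = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
    { key = tolower($1) }                        # keywords are case-insensitive
    key == "match" {
        close_block()
        scope = (NF == 3 && tolower($2) == "group") ? $3 : "-"
        next
    }
    key == "chrootdirectory" && tolower($2) != "none" { chroot = 1 }
    key == "forcecommand" && $2 == "internal-sftp"    { sftp = 1 }
    key == "allowgroups" && scope == "" {
        for (i = 2; i <= NF; i++) allowed[++na] = $i
    }
    END {
        close_block()
        if (global_jail) exit
        if (na == 0) { print "*"; exit }
        for (i = 1; i <= na; i++)
            if (!(allowed[i] in jailed)) print allowed[i]
    }' "$1"
}
```

Run it as unjailed_groups /etc/ssh/sftpjaild_config before restarting; any output names a login path that is not confined to sftp in a chroot.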