Tuesday, April 05, 2022

Linux, allow SFTP only users (with shared and chroot-ed env)

Users must upload and download files only via SFTP/SCP (no SSH shell or local login) to a pre-defined directory.

Users must not browse other directories or list the directory tree outside their own.

Multiple users may share a single directory (e.g. the users associated with a particular organization).

1. Create the local users and the home/upload directory structure

# /bin/nosuch does not exist, so the accounts have no usable login shell
adduser --no-create-home --home /opt/sftp/chroot/org1 --shell /bin/nosuch u1
adduser --no-create-home --home /opt/sftp/chroot/org1 --shell /bin/nosuch u2
addgroup sftp
adduser u1 sftp
adduser u2 sftp
mkdir -p /opt/sftp/chroot/org1/upload
chmod -R 0755 /opt/sftp/chroot/org1   # 755 is a must: sshd refuses a chroot path that is group- or world-writable
chown -R root:root /opt/sftp/chroot/org1   # owner=root is a must for the same reason
chgrp sftp /opt/sftp/chroot/org1/upload
chmod 0770 /opt/sftp/chroot/org1/upload   # the group needs rwx here; with 0764 (no x) group members cannot create or open files
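The "755 is a must" and "owner=root is a must" rules come from sshd itself: it refuses the session if any directory from the chroot up to / is not owned by root or is writable by group or others. As an added example (not from the original post), this POSIX sh function, with the hypothetical name check_chroot_path, applies the same checks to a path before sshd is restarted:

```shell
#!/bin/sh
# Added example, not part of the original post. Mirrors the checks sshd makes
# before it honours ChrootDirectory: every directory from the chroot up to "/"
# must be owned by root and must not be group- or world-writable, otherwise the
# login fails with "bad ownership or modes for chroot directory component".
# check_chroot_path is a hypothetical helper name chosen here.
#
# usage: check_chroot_path DIR [TOP]
#   TOP               topmost component to check (default "/"), handy for a staging tree
#   CHROOT_OWNER_UID  expected owner, 0 as sshd requires (overridable for testing)
check_chroot_path() {
    dir=$1
    top=${2:-/}
    want_uid=${CHROOT_OWNER_UID:-0}
    rc=0
    while :; do
        if [ ! -d "$dir" ]; then
            echo "MISSING    $dir"
            return 1
        fi
        # GNU stat: %u = numeric owner uid, %a = octal permission bits
        uid=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD OWNER  $dir (uid $uid, want $want_uid)"
            rc=1
        fi
        # 022 = group-write (020) or other-write (002); sshd rejects either
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE   $dir (mode $mode)"
            rc=1
        fi
        # stop at the requested top or at the filesystem root
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && echo "OK         chroot path is acceptable to sshd"
    return $rc
}

# run as a script: sh check_chroot.sh /opt/sftp/chroot/org1
if [ -n "${1:-}" ]; then
    check_chroot_path "$1" "${2:-/}"
fi
```

Note that /tmp is world-writable, so a chroot staged under /tmp is correctly reported as unusable unless TOP is set below it.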


2. Edit sshd_config (add this after UsePAM yes; a Match block applies until the next Match, so keep it at the end of the file)


# VERBOSE and LOCAL3 are used for logging via rsyslog.d/sftp_log.conf
# (sshd_config has no trailing comments: anything after the command would be passed to internal-sftp as arguments)
Subsystem sftp internal-sftp -l VERBOSE -f LOCAL3

# only members of the sftp group are matched
Match Group sftp
    # chroot to the user's $HOME, e.g. /opt/sftp/chroot/org1
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    # force sftp only (no ssh shell); shell=/bin/nosuch helps too
    # for matched users this ForceCommand overrides the Subsystem line above, so they log to AUTHPRIV
    ForceCommand internal-sftp -l VERBOSE -f AUTHPRIV


service sshd restart


3. Update the rsyslog configuration by editing /etc/rsyslog.d/sftp_log.conf (a chrooted internal-sftp cannot reach the system /dev/log, so rsyslog must create a second socket inside the chroot; restart rsyslog afterwards)

# listening socket inside the chroot; the imuxsock module must already be loaded (it is in the default rsyslog.conf)
input(type="imuxsock" Socket="/opt/sftp/chroot/org1/dev/log" CreatePath="on")
local3.*      /var/log/sftp_org1.log
authpriv.*    /var/log/sftp_org1.log


4. Test (an sftp session as u1 that lists the upload directory, removes file1.txt, then uploads and downloads file2.sftp)

tail -n 20 /var/log/sftp_org1.log

Apr  5 17:42:53 vs sshd[32700]: pam_unix(sshd:session): session opened for user u1 by (uid=0)
Apr  5 17:42:54 vs internal-sftp[32723]: session opened for local user u1 from [1.2.3.4]
Apr  5 17:42:54 vs internal-sftp[32723]: received client version 3
Apr  5 17:42:54 vs internal-sftp[32723]: realpath "."
Apr  5 17:43:04 vs internal-sftp[32723]: realpath "/up"
Apr  5 17:43:05 vs internal-sftp[32723]: stat name "/up"
Apr  5 17:43:06 vs internal-sftp[32723]: opendir "/up"
Apr  5 17:43:06 vs internal-sftp[32723]: closedir "/up"
Apr  5 17:43:19 vs internal-sftp[32723]: opendir "/up/"
Apr  5 17:43:19 vs internal-sftp[32723]: closedir "/up/"
Apr  5 17:43:19 vs internal-sftp[32723]: lstat name "/up/file1.txt"
Apr  5 17:43:20 vs internal-sftp[32723]: remove name "/up/file1.txt"
Apr  5 17:43:23 vs internal-sftp[32723]: open "/up/file2.sftp" flags WRITE,CREATE,TRUNCATE mode 0644
Apr  5 17:43:23 vs internal-sftp[32723]: close "/up/file2.sftp" bytes read 0 written 854
Apr  5 17:43:27 vs internal-sftp[32723]: lstat name "/up/file2.sftp"
Apr  5 17:43:27 vs internal-sftp[32723]: stat name "/up/file2.sftp"
Apr  5 17:43:27 vs internal-sftp[32723]: open "/up/file2.sftp" flags READ mode 0666
Apr  5 17:43:27 vs internal-sftp[32723]: close "/up/file2.sftp" bytes read 854 written 0
Apr  5 17:43:36 vs internal-sftp[32723]: session closed for local user u1 from [1.2.3.4]
Apr  5 17:43:36 vs sshd[32700]: pam_unix(sshd:session): session closed for user u1