SFTP Only Chroot Jail (OpenSSH v6)

Intro

This tutorial is a follow-up to the version 6 update of OpenSSH. Since version 5, jailing has been natively supported.

NOTE: This tutorial is for attempting to jail users to their home directory and allowing them ONLY sftp access.

NOTE: This works and has been tested on centos 6.3

What it does

This will majorly increase security for a multi-user server. The main things it does are:

Lock users to their home directory
--This blocks their eyes from the rest of your system and from files like: system binaries, other users' files, backups, configuration files

Disable regular ssh access
--Many users just having a web site won't need an actual command interface. Its just one more thing to be hacked.

---

FTP already does this!!! right?
Yes, but your forgetting one thing... this is SFTP!!! It's encrypted and so it is much harder for hackers to sniff packets. Also, the user management is at the system level, so your server tells users what they can and can't do. If your FTPd runs as root or with a high permissions level and a ftp user hacks it, it means they have root or at least high permissions over the ENTIRE server? Not anymore.

Package names updated as of 07/15/2014

The Tutorial

This tutorial uses the /opt directory to install the necessary dependences. If you wish to install them anywhere else or do not have an opt directory on your server you may do so, but make sure to change all the paths in the code below. All commands must be run as root

NOTE: The jailing setup for OpenSSH ver6 is much cleaner and uses less hacks then version 4. If you need to jail users, make sure to update to version 6.
If you are looking for the tutorial for version 4, click here.

Another NOTE: This setup is meant for installing on a fresh server. If you already have configuration files for the programs we will be installing (zlib,openssl, and openssh), they will not be overwritten, but you will have to copy them from their old paths to the paths you install with here (recommended: /opt/...).

1

Let's install some things to make sure we're on the same page before continuing. yum install gcc wget unzip make perl xauth telnet When it asks you if you want to proceed reply with a "y". If you already have some of these, that's fine.

2

Install zlib cd /tmp mkdir -p /opt/zlib wget http://zlib.net/zlib128.zip unzip zlib128.zip cd zlib-1.2.8 ./configure --prefix=/opt/zlib make make install prefix=/opt/zlib

3

Now we install openssl into the opt directory as well cd /tmp mkdir -p /opt/openssl wget http://www.openssl.org/source/openssl-1.0.1j.tar.gz tar xvzf openssl-1.0.1j.tar.gz cd openssl-1.0.1j ./config --prefix=/opt/openssl --openssldir=/opt/openssl make make test make install The make commands here take forever to run. If the 'make test' command returns any errors, you will need to fix them before continuing.

4

Next we will download openssh cd /tmp mkdir -p /opt/openssh wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz tar xvzf openssh-6.6p1.tar.gz cd openssh-6.6p1

5

Now we will install openssh. To find where your xauth file is located you may need to run the "which xauth" command. If you know what you are doing you may add your own options to the configure command below. ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/bin/xauth --with-zlib=/opt/zlib make make install Some of these commands make take some time to run. Go grab a coke.
REMEMBER: This tutorial is meant for setting up a server for the first time. You may need to copy your sshd_config file (or at least the directives you want to keep) from /etc/ssh to save your old settings.

6

To automatically run the new ssh shell, we will use init. You need to change the following lines in /etc/init.d/sshd # Some functions to make the below more readable KEYGEN=/opt/openssh/bin/ssh-keygen SSHD=/opt/openssh/sbin/sshd RSA1_KEY=/opt/openssh/etc/ssh_host_key RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key Then we will restart ssh and test to see if it is running smoothly. /etc/init.d/sshd restart telnet localhost 22 The telnet command should return some lines looking like this: Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. SSH-2.0-OpenSSH_6.6 You need to be sure that the last line includes the "OpenSSH_6.6" to confirm that it is the version we just installed.
Press "Enter" to escape from the telnet command.

7

Next you need to edit '/opt/openssh/etc/sshd_config' to enable the jail.
Find this line: Subsystem sftp /opt/openssh/libexec/sftp-server and replace it with this line: Subsystem sftp internal-sftp Also add (at the bottom of the file) the following lines Match Group sftponly ChrootDirectory /home/jail/%u ForceCommand internal-sftp AllowTcpForwarding no Now, all users added to the 'sftponly' group will be jailed to their home directory.

8

We will need to create the 'sftponly' group so we can add our untrustworthly users to it. Also, we set up the environment to allow jailing. groupadd sftponly mkdir /home/jail chown root:root /home/jail chmod 755 /home/jail Now when you create users that need to be jailed, make sure they belong to the 'sftponly' group. For the user "mark", you will need to do the folling steps. useradd --home /home/jail/mark mark usermod -g sftponly mark usermod -s /bin/false mark passwd mark When asked, enter whatever you like as the password for mark. To set up Mark in the jail run the following commands chmod 755 /home/jail/mark chown root:root /home/jail/mark mkdir /home/jail/mark/public_html chown mark:sftponly /home/jail/mark/public_html You should follow these instructions each time you would like to add a jailed user.

9

Try to log in as mark through putty (or any ssh terminal). You should get some sort of error involving an abort or denied access.
Then try to log in as mark through winscp (or similar SFTP software).

10

Congrats! you now have a jailed user.

NOTICE

NOTICE: Yum will not update these programs anymore (zlib,openssl,openssh). When a new version comes out, you will have to make your own install from a tarball again. Just follow the same directions.

Package names updated as of 07/15/2014

Credits

• http://www.minstrel.org.uk
• http://www.pantz.org