I need to migrate a Windows-based SFTP server to the RHEL platform to save cost and make it easier to manage.
To build an environment similar to the one I have on Windows, I need to create three types of user accounts. As you know, a chroot-jailed account cannot get out of its home directory, which guarantees that no other users are affected, but it also makes this setup a bit challenging.
Based on my requirements:
- Users should be restricted to their own directories and must not see OS directories, so that no other users are affected.
- Some users will have FULL access to other users' home directories.
- Some users will have read-only access to other users' fully shared directories.
There are other ways to solve this, but I am taking the easiest approach I can think of.
I am going to discuss three scenarios.
Scenario #1: Create three chroot-jailed SFTP accounts, where one account can access the files in the other two accounts' home directories.
I have created the folder structure shown in the table below. You can see that the home directory of the accounts user is one level up from the other two accounts.
| Users | Home directories |
| --- | --- |
| user01 | /data/accounts/user01 |
| user02 | /data/accounts/user02 |
| accounts | /data/accounts |
Create the directories. The home directory itself will be the chroot, which sshd requires to be root-owned and not writable by anyone else, so each user gets a writable internal subdirectory for uploads:
mkdir -p /data/accounts/user01/internal
mkdir -p /data/accounts/user02/internal
Make the landing directories the home directories.
Create the logins with their home directories; you can also amend /etc/passwd if you have already created the user accounts without home directories.
useradd -d /data/accounts/user01 -s /sbin/nologin user01
useradd -d /data/accounts/user02 -s /sbin/nologin user02
Make sure you have set a password for each account:
passwd <userName>
Add both accounts to the group named sftpusers (the Match Group block below only applies to members of this group):
groupadd sftpusers
usermod -aG sftpusers user01
usermod -aG sftpusers user02
Set up the appropriate permissions:
chown user01:sftpusers /data/accounts/user01/internal ; chmod -R 755 /data/accounts/user01/internal
chown user02:sftpusers /data/accounts/user02/internal ; chmod -R 755 /data/accounts/user02/internal
Edit the sshd_config file
Edit /etc/ssh/sshd_config and add the following lines. Replace the existing Subsystem line, and put the Match block at the end of the file, because everything after a Match line belongs to that block until the next Match.
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# BEGIN SFTP-Server sftpusers block
Match Group sftpusers
    ChrootDirectory %h
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no
# END group sftpusers configuration
Restart the SSHD service
systemctl restart sshd
You have now configured user01 and user02; they can log in and upload files.
Let's move on to the third account, named "accounts". This account should have FULL access to the user01/user02 files.
Configure your third user account (its home is /data/accounts, which already exists from the mkdir above):
useradd -d /data/accounts -s /sbin/nologin accounts
Make accounts a member of the group sftpusers:
usermod -aG sftpusers accounts
Make sure the internal directories of user01/user02 are group-writable, so that the accounts user (a member of sftpusers) can write there:
chown user01:sftpusers /data/accounts/user01/internal ; chmod -R 775 /data/accounts/user01/internal
chown user02:sftpusers /data/accounts/user02/internal ; chmod -R 775 /data/accounts/user02/internal
Change /etc/ssh/sshd_config to add the accounts user:
# BEGIN SFTP-Server "accounts" block
Match User accounts
    ChrootDirectory /data/accounts
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no
# END SFTP-Server accounts block
Restart the SSHD service.
systemctl restart sshd
Testing & Diagnostic Steps
You can test your login with:
sftp user01@localhost
Check /var/log/secure for any errors with permissions and sftp.
sftp and/or scp may fail at connection time if you have shell initialization files (.profile, .bashrc, .cshrc, etc.) that produce output for non-interactive sessions. This output confuses the sftp/scp client. You can verify whether your shell is doing this by running:
ssh <yourhost> /usr/bin/true
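As an added example (not the article's own commands), here is Scenario #1 as one script with consistent paths, plus the check behind the most common failure you will find in /var/log/secure: sshd refuses the login with "bad ownership or modes for chroot directory" unless every component of the ChrootDirectory path is owned by root and not writable by group or others. Names and paths are the article's (/data/accounts, user01, user02, accounts, sftpusers); the optional owner and stop arguments of check_chroot_path are my addition so the check can be exercised against a temporary directory tree without root.

```shell
#!/bin/sh
# Added example, not the article's own commands: provisions Scenario #1 with
# consistent paths and checks the rule sshd enforces on ChrootDirectory.
# Assumes Linux with GNU coreutils (stat -c); user/group creation needs root.
set -eu

BASE=/data/accounts
GROUP=sftpusers

# sshd rejects a chroot unless every component of the ChrootDirectory path is
# owned by root and not writable by group or others ("bad ownership or modes
# for chroot directory" in /var/log/secure). Walks from DIR up to STOP
# (default /). OWNER_UID defaults to 0; both optional arguments exist only so
# the check can run against a temporary tree without root.
check_chroot_path() {
    dir=$1; owner_uid=${2:-0}; stop=${3:-/}
    p=$dir
    while :; do
        [ -d "$p" ] || { echo "missing directory: $p"; return 1; }
        uid=$(stat -c %u "$p")
        mode=$(stat -c %a "$p")
        if [ "$uid" -ne "$owner_uid" ]; then
            echo "wrong owner on $p (uid $uid, expected $owner_uid)"; return 1
        fi
        # 022 (octal) masks the group-write and other-write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable: $p (mode $mode)"; return 1
        fi
        if [ "$p" = "$stop" ]; then return 0; fi
        parent=$(dirname "$p")
        if [ "$parent" = "$p" ]; then return 0; fi   # reached /
        p=$parent
    done
}

# Prints one Match block in the article's layout: match_block <User|Group> <name> <chroot>
match_block() {
    printf 'Match %s %s\n    ChrootDirectory %s\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n    X11Forwarding no\n' "$1" "$2" "$3"
}

# Per-user jail: the home itself is the root-owned chroot; uploads go to
# home/internal, writable by the owner and by group sftpusers (so by accounts).
add_jailed_user() {
    u=$1
    mkdir -p "$BASE/$u/internal"
    id "$u" >/dev/null 2>&1 || useradd -d "$BASE/$u" -s /sbin/nologin "$u"
    usermod -aG "$GROUP" "$u"
    chown root:root "$BASE/$u";        chmod 755 "$BASE/$u"
    chown "$u:$GROUP" "$BASE/$u/internal"; chmod 775 "$BASE/$u/internal"
}

setup_scenario1() {
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    mkdir -p "$BASE"; chown root:root "$BASE"; chmod 755 "$BASE"
    add_jailed_user user01
    add_jailed_user user02
    # The supervising account is chrooted one level up, so it sees user01/ and
    # user02/ and can write inside their internal/ directories.
    id accounts >/dev/null 2>&1 || useradd -d "$BASE" -s /sbin/nologin accounts
    usermod -aG "$GROUP" accounts
    for d in "$BASE" "$BASE/user01" "$BASE/user02"; do check_chroot_path "$d"; done
    echo "# Append at the end of /etc/ssh/sshd_config (Match blocks must come last),"
    echo "# replace the existing Subsystem line, then: sshd -t && systemctl restart sshd"
    echo "Subsystem sftp internal-sftp"
    match_block Group "$GROUP" %h
    match_block User accounts "$BASE"
}

# Only provision when explicitly asked, so the file can also be sourced for the checks.
if [ "${1:-}" = apply ]; then setup_scenario1; fi
```

Run it as root with the argument `apply`; it provisions the accounts and prints the sshd_config lines to append. Note that accounts is also a member of sftpusers, so the Match Group block matches it first and sshd keeps the first value it obtains for each keyword; that is harmless here because %h for accounts is /data/accounts, the same chroot the Match User block names. Run `sshd -t` before restarting so a typo in the configuration does not lock you out.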
Scenario #2: one folder is shared by multiple chroot-jailed accounts
| Users | Home directories |
| --- | --- |
| user03 | /dpt/files |
| user04 | /dpt/files |
As shown above, both chroot-jailed users share the same folder, so we create the directory (with a writable internal subdirectory, as in Scenario #1) and the users:
mkdir -p /dpt/files/internal
useradd -d /dpt/files -s /sbin/nologin user03
useradd -d /dpt/files -s /sbin/nologin user04
Create the group grp-shared and add your accounts to the newly created group:
groupadd grp-shared
usermod -aG grp-shared user03 ; usermod -aG grp-shared user04
Check that your users are in the desired group:
groups user03
Make sure the shared directory has the right permissions for both accounts (group-writable for grp-shared; /dpt/files itself stays root-owned because it is the chroot):
chgrp grp-shared /dpt/files/internal ; chmod -R 775 /dpt/files/internal
Change /etc/ssh/sshd_config to add your group grp-shared to the sshd configuration:
# BEGIN SFTP-Server grp-shared block
Match Group grp-shared
    ChrootDirectory /dpt/files
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication yes
# END SFTP-Server grp-shared block
Restart the SSHD service.
systemctl restart sshd
Scenario #3: a single folder is shared by multiple chroot-jailed accounts, but one user has read-only access to that shared folder
| Users | Home directories |
| --- | --- |
| user03 | /dpt/files |
| user04 | /dpt/files |
| user05 | /dpt/files (READ-ONLY ACCESS) |
Here I only show the configuration for the third user, user05, which gets READ-ONLY access; the shared folder itself is set up as in Scenario #2 above. user05 is deliberately not added to grp-shared, so only the "other" bits of /dpt/files/internal (r-x from mode 775) apply to it.
useradd -s /sbin/nologin user05
passwd user05
The user can keep the default home directory, /home/user05; in sshd_config you chroot this user to /dpt/files instead:
Match User user05
    ChrootDirectory /dpt/files
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication yes
Restart the SSHD service.
systemctl restart sshd
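Scenarios #2 and #3 together, as an added example that is not the article's own code: one root-owned chroot (/dpt/files) shared by user03 and user04 with read-write access through group grp-shared on /dpt/files/internal, and by user05, who is not in the group and therefore only gets the "other" bits. The classify_access helper makes that permission reasoning explicit and runs without root; the provisioning part and the live sftp check need root, a running sshd, and (my assumption) key-based authentication for user05, because sftp batch mode cannot prompt for a password. The `-u 002` umask on internal-sftp and the setgid bit on the share are my choices, so that files one group member uploads remain editable by the other.

```shell
#!/bin/sh
# Added example, not the article's own commands: Scenarios #2 and #3 together.
# Assumes Linux with GNU coreutils (stat -c). Provisioning and the live check
# need root and a running sshd; classify_access runs anywhere.
set -eu

JAIL=/dpt/files
SHARE=$JAIL/internal
RWGROUP=grp-shared

# Derive the access USER gets on PATH from the mode bits: owner bits if the user
# owns it, group bits if one of USER_GROUPS (space separated; passed in so the
# function can be tested without real accounts) matches the file's group,
# otherwise the "other" bits. Prints rw, ro or none.
classify_access() {
    user=$1; user_groups=$2; path=$3
    owner=$(stat -c %U "$path"); group=$(stat -c %G "$path"); mode=$(stat -c %a "$path")
    if [ "$owner" = "$user" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    else
        bits=$(( 0$mode & 7 ))
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then bits=$(( (0$mode >> 3) & 7 )); fi
        done
    fi
    if [ $(( $bits & 4 )) -eq 0 ]; then echo none
    elif [ $(( $bits & 2 )) -eq 0 ]; then echo ro
    else echo rw; fi
}

setup_shared_jail() {
    getent group "$RWGROUP" >/dev/null || groupadd "$RWGROUP"
    mkdir -p "$SHARE"
    chown root:root "$JAIL";        chmod 755 "$JAIL"    # chroot root: root-owned, not group/other writable
    chown "root:$RWGROUP" "$SHARE"; chmod 2775 "$SHARE"  # group rw, everyone else read-only; setgid keeps the group
    for u in user03 user04; do
        id "$u" >/dev/null 2>&1 || useradd -d "$JAIL" -s /sbin/nologin "$u"
        usermod -aG "$RWGROUP" "$u"
    done
    # user05 keeps the default home; only sshd_config pins it to the jail.
    id user05 >/dev/null 2>&1 || useradd -s /sbin/nologin user05
    for u in user03 user04 user05; do
        printf '%-7s %s on %s\n' "$u" "$(classify_access "$u" "$(id -nG "$u")" "$SHARE")" "$SHARE"
    done
    cat <<EOF
# Append at the end of /etc/ssh/sshd_config, then: sshd -t && systemctl restart sshd
Match Group $RWGROUP
    ChrootDirectory $JAIL
    ForceCommand internal-sftp -u 002
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
Match User user05
    ChrootDirectory $JAIL
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Live proof that user05 cannot upload: sftp batch mode aborts on the first
# failing command, so a non-zero exit is the expected outcome here. Batch mode
# cannot prompt, so this assumes key-based authentication for user05.
verify_readonly() {
    if printf 'put /etc/hostname internal/should-fail\n' | sftp -b - user05@localhost >/dev/null 2>&1; then
        echo "user05 could upload: share is NOT read-only"; return 1
    fi
    echo "user05 upload rejected as expected"
}

case ${1:-} in
    apply)  setup_shared_jail ;;
    verify) verify_readonly ;;
esac
```

`sh script.sh apply` (as root) provisions the jail, prints the effective access of each user on the share and the sshd_config lines to append; `sh script.sh verify` runs the negative upload test after sshd has been restarted. Because user05 never matches the Match Group block, the two blocks do not overlap, so their order in sshd_config does not matter.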
Disclaimer: All information posted is merely for educational and informational purposes. Should you decide to act upon any information on this article, you do so at your own risk.