
Oracle Linux - How to configure SFTP with chroot enabled

Applies:

Linux OS – Version Oracle Linux 7.0 to Oracle Linux 9.0 [Release OL7 to OL9]

Linux x86_64 on Oracle Public Cloud

Goal:

Allow users to upload and download files over an encrypted channel (SFTP over SSH) while confining each session to a chroot directory.

NOTE: Users added to this group will not be allowed to log in with an interactive ssh session. They will only be allowed to use SFTP.

NOTE: sshd only accepts a chroot if the ChrootDirectory and every directory above it are owned by root and are not writable by group or others. If that is not the case the login is refused and /var/log/secure records "bad ownership or modes for chroot directory component". /home satisfies this by default (root:root, mode 0755), which is why it is used here. Because the chroot is /home rather than each user's own home directory, every SFTP user lands in /home after login, can see the names of the other users' home directories, and can only write inside their own home directory (subject to the normal file permissions).

Solution:

Follow the steps below:

  • Create a new group for SFTP users.
  • Add the users that should have SFTP access to this new group.
  • Configure the SSH service to accept SFTP connections and to chroot the members of that group.
  • Restart the SSH service.
  • Test: an sftp login by a member of the group should succeed and start in the chroot directory, while an interactive ssh login by the same user should be refused with the message "This service allows sftp connections only."
[root@host ~]# groupadd ftpusers

[root@host ~]# usermod -a -G ftpusers oracle1
[root@host ~]# usermod -a -G ftpusers oracle2

[root@host ~]# cat /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Subsystem sftp        /usr/libexec/openssh/sftp-server   <<-- This line was commented out
# Below block was added to configure SFTP with chroot
Subsystem sftp internal-sftp
Match Group ftpusers
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /home
 ForceCommand internal-sftp

[root@host ~]# systemctl restart sshd

[root@host ~]# tail -f /var/log/secure
Jul  4 21:43:50 host sshd[24379]: Postponed publickey for oracle2 from 209.17.xx.**** port 12716 ssh2 [preauth]
Jul  4 21:43:50 host
