Oracle Linux - How to configure SFTP with chroot enabled in Linux
Applies:
Linux OS – Version Oracle Linux 7.0 to Oracle Linux 9.0 [Release OL7 to OL9]
Linux x86_64 on Oracle Public Cloud
Goal:
Uploading or downloading files using an encrypted channel while users are chrooted.
NOTE: Users added to this group will not be allowed to log in using ssh; they will only be allowed to use SFTP.
Solution:
Follow the steps below:
- Create a new group for SFTP users.
- Add the users that should have SFTP access to this new group.
- Configure the SSH service to allow SFTP connections and to chroot the users in that group.
- Restart the SSH service.
- Test.
[root@host ~]# groupadd ftpusers
[root@host ~]# usermod -a -G ftpusers oracle1
[root@host ~]# usermod -a -G ftpusers oracle2
[root@host ~]# cat /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# Subsystem sftp /usr/libexec/openssh/sftp-server     <<-- This line was commented out
# Below block was added to configure SFTP with chroot
Subsystem sftp internal-sftp
Match Group ftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home
    ForceCommand internal-sftp
[root@host ~]# systemctl restart sshd
[root@host ~]# tail -f /var/log/secure
Jul 4 21:43:50 host sshd[24379]: Postponed publickey for oracle2 from 209.17.xx.**** port 12716 ssh2 [preauth]
Jul 4 21:43:50 host