Oracle Linux - How to configure SFTP with chroot enabled in Linux
APPLIES TO:
Linux OS – Version Oracle Linux 7.0 to Oracle Linux 9.0 [Release OL7 to OL9]
Linux x86_64 on Oracle Public Cloud
GOAL:
Uploading / Downloading files using an encrypted channel while users are chrooted.
NOTE: Users added to this group will not be allowed to log in over SSH. They will only be allowed to use SFTP.
SOLUTION:
Follow the steps below.

1) Add a new group for sftp users

```
[root@alejanarol7 ~]# groupadd ftpusers
```

2) Add the users that will be allowed access to the new group

```
[root@alejanarol7 ~]# usermod -a -G ftpusers oracle1
[root@alejanarol7 ~]# usermod -a -G ftpusers oracle2
```

3) Configure the SSH service to allow sftp connections and chroot the users

```
[root@alejanarol7 ~]# cat /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# Subsystem sftp /usr/libexec/openssh/sftp-server    <-- this line was commented out
# Below block was added to configure SFTP with chroot
Subsystem sftp internal-sftp
Match Group ftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home
    ForceCommand internal-sftp
```

4) Restart the SSH service

```
[root@alejanarol7 ~]# systemctl restart sshd
```

5) Test: connect with SFTP as one of the users in the group and watch the authentication log

```
[root@alejanarol7 ~]# tail -f /var/log/secure
Jul 4 21:43:50 alejanarol7 sshd[24379]: Postponed publickey for oracle2 from 209.17.43.241 port 12716 ssh2 [preauth]
Jul 4 21:43:50 alejanarol7 sshd[24379]: Accepted publickey for oracle2 from 209.17.43.241 port
```