
Oracle Linux - How to configure SFTP with chroot enabled

APPLIES TO:

Linux OS – Version Oracle Linux 7.0 to Oracle Linux 9.0 [Release OL7 to OL9]

Linux x86_64 on Oracle Public Cloud


GOAL:

Upload and download files over an encrypted channel (SFTP) while the users are confined to a chroot directory.


NOTE: Users added to this group will not be allowed to log in with an interactive ssh shell. They will only be allowed to use SFTP.


SOLUTION:

Follow the steps below.

1) Add a new group for SFTP users

2) Add the users that should be allowed SFTP access to the new group

3) Configure the SSH service to allow SFTP connections and to chroot the users in that group

4) Restart the SSH service

5) Test


[root@alejanarol7 ~]# groupadd ftpusers
[root@alejanarol7 ~]# usermod -a -G ftpusers oracle1
[root@alejanarol7 ~]# usermod -a -G ftpusers oracle2
[root@alejanarol7 ~]# cat /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Subsystem sftp       /usr/libexec/openssh/sftp-server  <-- This line was commented out
# Below block was added to configure SFTP with chroot
Subsystem sftp internal-sftp
Match Group ftpusers
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /home
 ForceCommand internal-sftp

[root@alejanarol7 ~]# systemctl restart sshd

[root@alejanarol7 ~]# tail -f /var/log/secure
Jul 4 21:43:50 alejanarol7 sshd[24379]: Postponed publickey for oracle2 from 209.17.43.241 port 12716 ssh2 [preauth]
Jul 4 21:43:50 alejanarol7 sshd[24379]: Accepted publickey for oracle2 from 209.17.43.241 port
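The two things that most often break this setup are an sshd_config that is missing one of the Match block lines, and a ChrootDirectory whose path is not root-owned or is group/world writable (sshd refuses to chroot in that case and the user is disconnected right after authentication). The script below is an added example, not part of the Oracle note: it checks the directory chain for the chroot requirement and lints a config file for the Match Group block shown above. It assumes GNU coreutils (stat -c) as shipped with Oracle Linux and an awk that can write to /dev/stderr; the function names, the sample config and the temporary directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Oracle note: pre-flight checks for the
# chroot SFTP setup. Assumes GNU coreutils (stat -c) and gawk/mawk.
#
# Intended use on the server, as root, before "systemctl restart sshd":
#   chroot_path_ok /home && sshd_config_ok /etc/ssh/sshd_config ftpusers && sshd -t

# sshd refuses to chroot unless ChrootDirectory and every parent directory are
# owned by root and writable only by root. Walk from $1 up to $3 (default "/")
# and verify that. $2 is the expected owner uid (default 0 = root); the demo
# below passes the current uid and a temp dir so it runs unprivileged.
chroot_path_ok() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    while :; do
        uid=$(stat -c '%u' "$dir") || return 1
        perms=$(stat -c '%A' "$dir") || return 1      # e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $dir is owned by uid $uid, expected $want_uid" >&2
            return 1
        fi
        case $perms in
            ?????w*|????????w*)                       # group (6th) or other (9th) write bit set
                echo "FAIL: $dir is group/world writable ($perms)" >&2
                return 1 ;;
        esac
        if [ "$dir" = "$top" ]; then return 0; fi
        parent=$(dirname "$dir")
        if [ "$parent" = "$dir" ]; then return 1; fi    # reached / without meeting $top
        dir=$parent
    done
}

# Lint an sshd_config file ($1) for the chroot block of group $2: the sftp
# subsystem must be internal-sftp, and the Match Group block must set
# ChrootDirectory, ForceCommand internal-sftp, AllowTcpForwarding no and
# X11Forwarding no. Comment lines (such as the old Subsystem line) are ignored.
sshd_config_ok() {
    cfg=$1
    grp=$2
    awk -v grp="$grp" '
        /^[[:space:]]*(#|$)/ { next }                          # comments and blank lines
        { key = tolower($1) }
        key == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { subsys = 1 }
        key == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
        inblock && key == "chrootdirectory"    && $2 != ""              { chroot = 1 }
        inblock && key == "forcecommand"       && $2 == "internal-sftp" { force  = 1 }
        inblock && key == "allowtcpforwarding" && tolower($2) == "no"   { notcp  = 1 }
        inblock && key == "x11forwarding"      && tolower($2) == "no"   { nox11  = 1 }
        END {
            if (!subsys) miss = miss " Subsystem sftp internal-sftp;"
            if (!chroot) miss = miss " ChrootDirectory;"
            if (!force)  miss = miss " ForceCommand internal-sftp;"
            if (!notcp)  miss = miss " AllowTcpForwarding no;"
            if (!nox11)  miss = miss " X11Forwarding no;"
            if (miss != "") {
                print "FAIL: sshd_config lacks (for Match Group " grp "):" miss > "/dev/stderr"
                exit 1
            }
        }' "$cfg"
}

# Constructed config mirroring the working sshd_config in the note (not a real server file).
write_sample_config() {
    cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication no
UsePAM yes
# Subsystem sftp       /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group ftpusers
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /home
 ForceCommand internal-sftp
EOF
}

# Demo on a constructed temp layout standing in for /home; never touches the real system.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/home/oracle1"
    chmod 755 "$t/home"
    write_sample_config "$t/sshd_config"
    if chroot_path_ok "$t/home" "$(id -u)" "$t" && sshd_config_ok "$t/sshd_config" ftpusers; then
        echo "PASS: constructed layout and config look chroot-ready"
    fi
    chmod g+w "$t/home"                    # the classic mistake: a group-writable chroot
    if chroot_path_ok "$t/home" "$(id -u)" "$t"; then
        echo "unexpected: group-writable chroot accepted"
    fi
    rm -rf "$t"
}
demo
```

Only the chain from ChrootDirectory upward is checked; the per-user directories underneath it (/home/oracle1 and so on) are where the users need write access, so they are deliberately left out of the walk. After the checks pass, `sshd -t` is still the authoritative syntax test before the restart.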
