We run the following as root on the SFTP server. First we create an sftp group, then a dedicated account whose only purpose is file transfer, with sftp as its primary group (the -m flag creates the home directory, which the later steps rely on):
sftp-server$ sudo -s
sftp-server$ groupadd sftp
sftp-server$ useradd -m -g sftp sftp_user
We generate an SSH key pair without a passphrase as sftp_user, copy the private key to the SFTP client and register the public key on the SFTP server. (The usual direction is the other way round: generate the pair on the client and copy only the public key to the server, so the private key never travels. Whichever way it is done, do not leave the private key in /tmp; move it into ~/.ssh on the client.)
sftp-server$ su - sftp_user
sftp-server$ ssh-keygen
# accept the default path and leave the passphrase empty
sftp-server$ scp /home/sftp_user/.ssh/id_rsa hoge@client:/tmp/
sftp-server$ cat /home/sftp_user/.ssh/id_rsa.pub >> /home/sftp_user/.ssh/authorized_keys
sftp-server$ chmod 600 /home/sftp_user/.ssh/authorized_keys
We change the owner and permissions of the SFTP user's home directory. sshd only accepts a ChrootDirectory that is owned by root and not writable by group or others (the same rule applies to every parent directory up to /), so the home directory itself becomes root-owned and read-only for sftp_user, and a data subdirectory owned by sftp_user is created for uploads:
sftp-server$ exit
# back in the original account
sftp-server$ sudo -s
sftp-server$ chown root:root /home/sftp_user
sftp-server$ chmod 755 /home/sftp_user
sftp-server$ mkdir /home/sftp_user/data
sftp-server$ chown sftp_user:sftp /home/sftp_user/data
sftp-server$ chmod 755 /home/sftp_user/data
We edit /etc/ssh/sshd_config as below. The sftp subsystem must be served by the in-process internal-sftp, because no sftp-server binary (or shell) exists inside the chroot, and the Match block goes at the end of the file, since every directive after a Match line belongs to that block until the next Match:
sftp-server$ vim /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match User sftp_user
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home/sftp_user
    ForceCommand internal-sftp
sftp-server$ service sshd restart
From the client, an SFTP login succeeds and the remote root is the chroot directory:
client$ sftp -oIdentityFile=/tmp/id_rsa sftp_user@sftp-server
Connected to server.
sftp> pwd
Remote working directory: /
sftp> ls
data
An interactive ssh login with the same key is refused by the forced command:
client$ ssh -i /tmp/id_rsa sftp_user@sftp-server
This service allows sftp connections only.
Connection to server closed.