SFTP access without hassle

1

I'm trying to provide access to a local folder for someone over the internet. After googling around a bit, I've come to the conclusion that SFTP is the safest thing to expose through the firewall to the chaotic and evil world of the Internet. I'm planning to use the openssh-server to this end. Even though I trust that openssh will stop a random attacker, I'm not so sure about the security of my computer once someone is connected through ssh.

In particular, even if I don't give that person's user account any privileges whatsoever, he might just be able to "su" to, say, "nobody". And since I was never worried about such things before, I might have given some moderate privileges to nobody at some point (not sudo rights surely!).

I would of course value your comments about giving privileges to nobody in the first place, but that's not the point, really. My aim is to give SFTP access to someone in such a sandboxed state that I shouldn't need to worry about such things (at least not more so than I should have done before).

Is this really possible? Am I speaking nonsense or worried in vain?

enobayram

Posted 2013-06-25T15:46:16.823

Reputation: 121

Think what you are looking for is to chroot the user and change their default shell (as opposed to /bin/bash) so that they can't execute any commands other than SFTP? – James – 2013-06-25T15:49:23.663

@James changing their default shell is a neat idea, can you recommend a shell which I can count that it will support nothing but SFTP commands? – enobayram – 2013-06-25T15:57:50.727

Answers

2

You probably want to harden the server slightly (look into fail2ban and changing the port from 22 as a good start) but, assuming I have read your question correctly, you are looking to chroot an SFTP user and limit them to only be able to use SFTP (as opposed to executing any other commands).

I've implemented this on one of my servers with the following script:

#!/bin/bash
# Usage: ./mksftpuser.sh <username>
# Assumes the sftponly group, the Match block in sshd_config and the
# /etc/shells entry described below are already in place.
[ -n "$1" ] || { echo "usage: $0 <username>" >&2; exit 1; }

echo 'CREATING USER' "$1"

echo 'adding user ..'
# -M: do not let useradd create the home directory; it is created with
# sudo mkdir below so it stays root-owned, which sshd requires for ChrootDirectory.
sudo useradd -d "/home/$1" -s /usr/lib/sftp-server -M -N -g sftponly "$1"
echo '..done'

echo '--------------'
echo 'set a password'
sudo passwd "$1"

echo 'creating dir structure ..'
# Only the subdirectories are handed to the user; /home/$1 itself must stay
# root-owned and not group/world-writable or sshd refuses the chroot.
sudo mkdir -p "/home/$1/uploads" "/home/$1/.ssh"
sudo chown "$1:sftponly" "/home/$1/uploads" "/home/$1/.ssh"
#
cd "/home/$1" || exit 1
echo 'adding shares ..'
sudo mkdir -p {ebooks,misc,movies,music,tv}
# --rbind mounts each share (including any submounts) into the chroot read-only.
# Note: older util-linux ignores -o ro on a bind mount; there, follow each mount
# with "sudo mount -o remount,bind,ro /home/$1/<share>".
echo 'ebooks' && sudo mount --rbind /home/media/ebooks "/home/$1/ebooks" -o ro
echo 'misc' && sudo mount --rbind /home/media/misc "/home/$1/misc" -o ro
echo 'movies' && sudo mount --rbind /home/media/movies "/home/$1/movies" -o ro
echo 'music' && sudo mount --rbind /home/media/music "/home/$1/music" -o ro
echo 'tv' && sudo mount --rbind /home/media/tv "/home/$1/tv" -o ro
#
echo '..done'

What it does:

  1. Creates the user, adds them to the group 'sftponly' and changes their shell
  2. Creates a directory structure for that user to chroot them into
  3. Uses mount --rbind to mount an existing file tree into the new user's equivalent folder (read only)

In advance of using it, you will need to prep the system by performing the following:

Add a group

sudo addgroup sftponly

Modify sshd_config

Edit the /etc/ssh/sshd_config file and add the following:

Match group sftponly
    ChrootDirectory %h
    X11Forwarding no
    ForceCommand internal-sftp
    AllowTcpForwarding no

In the same file, find the line that reads something like Subsystem sftp /usr/lib/openssh/sftp-server and change it to Subsystem sftp internal-sftp.

Edit available shells

sudo nano /etc/shells

add the following at the bottom:

/usr/lib/sftp-server

James

Posted 2013-06-25T15:46:16.823

Reputation: 1 185

Think that's it from memory. Let me know if it doesn't work. I got the original idea from http://solderintheveins.co.uk/2011/03/ubuntu-sftp-only-account-how-to a while ago but wanted to automate the process slightly and also allow recursive directory traversal by the user (which wasn't covered there but implemented above with --rbind).

– James – 2013-06-25T16:05:59.530

Wow, comprehensive answer, thank you very much. I'll accept your answer as soon as (which is hopefully soon) I apply it and see it working. – enobayram – 2013-06-25T20:55:16.157

Thank you for your valuable answer, I've tried your instructions and they've worked for me. – enobayram – 2013-06-29T05:30:44.607
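Added example, not part of James's answer or the thread above: a pre-flight check for the two things that most often break this setup, the ownership/mode rules sshd enforces on every directory from the chroot up to /, and the sshd_config wiring (Subsystem switched to internal-sftp plus the Match block). It assumes the group name sftponly and the ChrootDirectory %h layout from the answer; the function and file names are mine.

```shell
#!/bin/sh
# Pre-flight checks for the chrooted SFTP-only setup from this answer
# (added example; not part of the original post). sshd refuses a chrooted
# login with "bad ownership or modes for chroot directory" unless every
# directory from the chroot up to / is owned by root and not writable by
# group or others, and the Match block only takes effect once the Subsystem
# line has been switched to internal-sftp. Both checks use plain sh + awk so
# they can be run against a copy of sshd_config before sshd is reloaded.

# 0 if the single directory "$1" is not group- or world-writable.
# Parses ls -ld rather than GNU stat so it also works on BSD/macOS.
dir_mode_ok() {
    perms=$(ls -ld "$1" | awk '{print $1}') || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;   # char 6 = group write, char 9 = other write
    esac
    return 0
}

# 0 if the single directory "$1" is owned by root (sshd's second requirement).
dir_owner_ok() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# 0 if every component from the chroot "$1" up to / passes both checks,
# which is what sshd walks before honouring ChrootDirectory.
chroot_path_ok() {
    dir=${1%/}
    while [ -n "$dir" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        dir_mode_ok "$dir" && dir_owner_ok "$dir" || return 1
        dir=$(dirname "$dir")
    done
    return 0
}

# 0 if sshd_config "$1" switches the sftp Subsystem to internal-sftp and has a
# "Match group $2" block that both forces internal-sftp and sets ChrootDirectory.
# Keywords are matched case-insensitively, as sshd does; comments are skipped.
sftp_config_ok() {
    awk -v grp="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        { key = tolower($1) }
        key == "subsystem" && tolower($2) == "sftp" && tolower($3) == "internal-sftp" { sub_ok = 1 }
        key == "match" { inblock = (tolower($2) == "group" && $3 == grp) }
        inblock && key == "forcecommand" && tolower($2) == "internal-sftp" { force_ok = 1 }
        inblock && key == "chrootdirectory" && $2 != "" { chroot_ok = 1 }
        END { exit !(sub_ok && force_ok && chroot_ok) }
    ' "$1"
}
```

After sourcing the file, `chroot_path_ok /home/alice && sftp_config_ok /etc/ssh/sshd_config sftponly` reports success only when both the directory chain and the config are in the state the answer describes.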