Introduction
Using SFTP from SSH daemon is, in my opinion, not really well-documented and thrown errors are not always very explicit.
Add some security in the mix and nothing works as expected.
This is a short guide (acting a bit as a memo I admit) for SSH + SFTP + Chroot + Public key authentication
The procedure
On “SFTP” server side
Firstly we will create a new unprivileged user, without any password :
adduser archiver \
-s /bin/bash \
--home /home/archiver \
--disabled-password
Now that is done, we may start our reception folder creation (still as root
) :
mkdir -p /home/archiver/chroot/folder
As clients will put their files into folder/
, the system user they will be using must have permissions on it :
chown archiver:archiver /home/archiver/chroot/folder
This is important, each one of the path elements leading to the chroot destination folder MUST HAVE
0755
UNIX permissions at most
You can enforce this statement with the following (commented lines should be already OK, but who knows ?) :
#chmod 0755 /
#chmod 0755 /home
#chmod 0755 /home/archiver
chmod 0755 /home/archiver/chroot
If you don’t,
ssh
won’t be able to chroot anywhere and your operations will crash with misguiding error in SSH logs.
Now we may tweak SSH configuration (/etc/ssh/sshd_config
) :
# ...
Match User archiver
X11Forwarding no
AllowTCPForwarding no
ChrootDirectory /home/archiver/chroot/
ForceCommand internal-sftp -P read,remove -d folder/
The -P
parameter allows us to restrain the operations that clients will be able to perform (black-list).
With read,remove
set, clients won’t be able to fetch nor remove any files already present (useful for a write-only backup folder).
Run /usr/lib/openssh/sftp-server -Q requests
to check which protocol requests you may provide.
I’ve tried to use the -p
that is on the contrary a protocol requests white-list, but couldn’t figure out why it didn’t work with the thrown errors…
Please note that those protocol requests HAVE NOTHING TO DO with the (S)FTP commands that could be sent (
put
,get
,cd
, etc.).
The -d
parameter will directly set clients into folder/
.
This is very useful for interactive FTP operations because it allows clients not to cd
somewhere and directly perform their actions.
Finally, we restart the sshd
daemon :
systemctl restart ssh.service
On “SFTP” client side
We will begin here by generating a new ED25519 keys pair :
cd
ssh-keygen -t ed25519
cat .ssh/id_ed25519.pub
# Copy here the displayed public key
Before continuing, you’ll have to paste the public key within
/home/archiver/.ssh/authorized_keys
file on your SFTP server.
Now, you should be allowed to perform your first SFTP operation () :
sftp -q archiver@YOUR.SFTP.SERVER.IP:/folder/ <<< $'put your_file_to_be_transfered.tar.gz'
The command issued in the snippet above IS AN EXAMPLE. Feel free to adapt it your way.