Friday, April 24, 2015

How to create chrooted SFTP server in EL5

I will show you how to install and set up an SFTP chroot on RHEL5. You can adapt this solution to newer Red Hat releases as well. The IT space isn't perfect. I will present a different approach to providing an SFTP server without shell access. I chose EL5 for a reason: in EL6 and EL7 the sshd shipped with the distribution can chroot sftp sessions by itself (the ChrootDirectory option together with the internal-sftp subsystem). The OpenSSH in EL5 has no such option, so the jail has to be built outside of sshd. Nothing more, nothing less.

Some details about the sftp jail:
  • sftp will run on a separate port higher than 2048; my port is 9987
  • there will be no dedicated IP for sftp; the server will listen on *:9987
  • the sftp chroot will live in /sftp/chroot/1 (users, data, etc.)
  • the jailkit tools will be used; they build the proper directory structure and copy the needed binaries and libraries into the jail
  • a separate Red Hat start/stop/status script for the sftp service
  • 2 sftp users assigned to the jail (testuser1, testuser2)
Jailkit installation is out of the scope of this article. More details on how to install jailkit can be found on the webpage below:


I recommend building an RPM: that way you can always uninstall the jailkit software cleanly if you don't like it.

Now I will show you how to build the proper directory structure. First the two accounts are created (the password is a throwaway test password), then jk_init populates the jail from its sftp and scp profiles:

for user in testuser1 testuser2;do useradd $user;echo "$user:test1234"| chpasswd;done
jk_init -v -j /sftp/chroot/1 sftp scp
Create directory /sftp/chroot/1/lib
Creating symlink /sftp/chroot/1/lib/libnss_dns.so.2 to libnss_dns-2.5.so
Copying /lib/libnss_dns-2.5.so to /sftp/chroot/1/lib/libnss_dns-2.5.so
Creating symlink /sftp/chroot/1/lib/libresolv.so.2 to libresolv-2.5.so

.
..
...
Creating device /sftp/chroot/1/dev/urandom
Creating device /sftp/chroot/1/dev/null
Create directory /sftp/chroot/1/usr/bin
Copying /usr/bin/scp to /sftp/chroot/1/usr/bin/scp

 
jk_init -v -j /sftp/chroot/1 jk_lsh
/sftp/chroot/1/lib/libnsl.so.1 already exists, will not touch it
/sftp/chroot/1/lib64/libnsl.so.1 already exists, will not touch it
.
..
...
Copying /etc/jailkit/jk_lsh.ini to /sftp/chroot/1/etc/jailkit/jk_lsh.ini
writing user root to /sftp/chroot/1/etc/passwd
writing group root to /sftp/chroot/1/etc/group

jk_jailuser -m -j /sftp/chroot/1 testuser1
(no output, that's fine)
jk_jailuser -m -j /sftp/chroot/1 testuser2
(no output, that's fine)

Attention: the users must exist before the jail is populated! jk_jailuser -m moves each user's home directory into the jail and rewrites the real /etc/passwd entry so that the login shell becomes /usr/sbin/jk_chrootsh and the home becomes /sftp/chroot/1/./home/<user>. It is jk_chrootsh that performs the chroot() at login and then executes the shell recorded in the jail's own /etc/passwd, which is the limited shell jk_lsh.
 
Now time for verification:

cd /sftp/chroot/1
pwd
/sftp/chroot/1

ls
dev  etc  home  lib  lib64  usr

cd etc
ls
group  host.conf  hosts  jailkit  ld.so.cache  ld.so.conf  localtime  nsswitch.conf  passwd  protocols  resolv.conf  services

cat passwd
root:x:0:0:root:/root:/bin/bash
testuser1:x:500:501::/home/testuser1:/usr/sbin/jk_lsh
testuser2:x:501:502::/home/testuser2:/usr/sbin/jk_lsh


It looks very good: we have the users and we have the proper directory structure. Note that inside the jail the users' shell is /usr/sbin/jk_lsh, the jailkit limited shell, which only runs the commands allowed for that user in jk_lsh.ini (configured below).

Now we configure the sftp-chroot service and run some tests. Let's play.

+Create the file /etc/sysconfig/sftp-chroot with the following content (the init script copied below sources it and passes OPTIONS to the daemon):

OPTIONS="-f /etc/ssh/sftp-chroot_config"

+Copy /etc/ssh/sshd_config to /etc/ssh/sftp-chroot_config and change some parameters:

cp /etc/ssh/sshd_config /etc/ssh/sftp-chroot_config 
cat /etc/ssh/sftp-chroot_config

+Change port listening from 22 to 9987:

from:
#Port 22
to:
Port 9987

+Disable direct sftp access for root! I also recommend adding AllowUsers testuser1 testuser2 to this file: the second instance is a full sshd, so without an allowlist every local account can log in on port 9987 with its normal shell.

from:

PermitRootLogin yes 
to:
PermitRootLogin no

+Change the pid file so the separate sftp process does not collide with the main sshd:

Uncomment PidFile and modify values:

from:
#PidFile /var/run/sshd.pid 
to:
PidFile /var/run/sftpchroot.pid

+Create a symbolic link to the sshd binary so that the separate service runs under its own program name:

cd /usr/sbin
ln -s sshd sftp-chroot

Prepare the start/stop/status script. The copy still refers to sshd, so edit it: the sysconfig file it sources (/etc/sysconfig/sftp-chroot), prog, the SSHD binary path (/usr/sbin/sftp-chroot) and PID_FILE (/var/run/sftpchroot.pid) must all point at the new instance.
cd /etc/init.d
cp sshd sftp-chroot

You can find the configuration files and the script at the external link: SFTP-CHROOT

+PAM configuration. By default sshd uses its own program name as the PAM service name, so the instance started as sftp-chroot looks for /etc/pam.d/sftp-chroot:
cd /etc/pam.d
cp sshd sftp-chroot
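The configuration steps above, carried out as an added example (not the original post's files or scripts): two hypothetical shell helpers derive sftp-chroot_config from an existing sshd_config and then check it the way I would before starting the service. They assume OpenSSH keyword syntax (sshd uses the first occurrence of a keyword, which is why the overrides go at the top of the file) and take all paths as parameters, so the demo runs on a constructed scratch copy instead of /etc/ssh.

```bash
#!/bin/bash
# Hypothetical helpers (added example; not from the original post). Assumptions:
# OpenSSH config syntax, first occurrence of a keyword wins, no Match blocks
# (EL5's OpenSSH has none), and a sample sshd_config constructed below.

# Derive the second instance's config: new port, root locked out, its own pid
# file, and an AllowUsers allowlist so only the jailed accounts can use the port.
make_sftp_chroot_config() {
    local src="$1" dst="$2" port="$3"; shift 3
    local users="$*"
    {
        printf '# derived from %s for the chrooted sftp instance\n' "$src"
        printf 'Port %s\n' "$port"
        printf 'PermitRootLogin no\n'
        printf 'PidFile /var/run/sftpchroot.pid\n'
        [ -z "$users" ] || printf 'AllowUsers %s\n' "$users"
        # drop the original (active or commented) lines for the keywords above
        sed -e '/^[[:space:]]*#\{0,1\}[[:space:]]*Port[[:space:]]/d' \
            -e '/^[[:space:]]*#\{0,1\}[[:space:]]*PermitRootLogin[[:space:]]/d' \
            -e '/^[[:space:]]*#\{0,1\}[[:space:]]*PidFile[[:space:]]/d' \
            -e '/^[[:space:]]*#\{0,1\}[[:space:]]*AllowUsers[[:space:]]/d' "$src"
    } > "$dst"
}

# Print the effective value of a keyword (first active occurrence, like sshd).
sshd_config_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Sanity checks worth running before the service is started.
check_sftp_chroot_config() {
    local f="$1" port="$2" rc=0 v
    v=$(sshd_config_get "$f" Port)
    [ "$v" = "$port" ] || { echo "Port is '$v', expected $port" >&2; rc=1; }
    v=$(sshd_config_get "$f" PermitRootLogin)
    [ "$v" = no ] || { echo "PermitRootLogin is '$v'" >&2; rc=1; }
    v=$(sshd_config_get "$f" PidFile)
    case "$v" in
        ''|/var/run/sshd.pid) echo "PidFile '$v' collides with the main sshd" >&2; rc=1 ;;
    esac
    sshd_config_get "$f" Subsystem | grep -q '^sftp ' \
        || { echo "no 'Subsystem sftp' line: the copy lost it" >&2; rc=1; }
    [ -n "$(sshd_config_get "$f" AllowUsers)" ] \
        || { echo "no AllowUsers: every local account could log in on port $port" >&2; rc=1; }
    return $rc
}

# Constructed sample of the relevant lines of an EL5-style /etc/ssh/sshd_config.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
#PidFile /var/run/sshd.pid
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Demo on a scratch copy; nothing under /etc is touched.
work=$(mktemp -d)
write_sample_sshd_config "$work/sshd_config"
make_sftp_chroot_config "$work/sshd_config" "$work/sftp-chroot_config" 9987 testuser1 testuser2
check_sftp_chroot_config "$work/sftp-chroot_config" 9987 && echo "sftp-chroot_config looks sane"
cat "$work/sftp-chroot_config"
rm -rf "$work"
```

On a real box you would point the first argument at /etc/ssh/sshd_config, the second at /etc/ssh/sftp-chroot_config, and finish with sshd -t -f /etc/ssh/sftp-chroot_config to let sshd parse the result before service sftp-chroot start.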
 
You must take care of the jk_lsh.ini config! It is the most important part of the jail: jk_lsh only executes the programs listed under executables= for that user, so these entries are exactly what allows sftp-server (and scp) to run and nothing else:

cat /sftp/chroot/1/etc/jailkit/jk_lsh.ini
[testuser1]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server

[testuser2]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
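The verification listing above and the jk_lsh.ini allowlist are worth checking together before the port goes live. The following audit is an added example, not part of the original post or of jailkit: a hypothetical shell function that walks a jail root and checks that the pieces jk_init should have copied are present, that no interpreter or setuid binary sits inside the jail, and that every jailed user has a jk_lsh login shell in the jail's etc/passwd and an executables= entry for sftp-server. The jail layout, passwd lines and jk_lsh.ini it tests against are constructed to mirror the listings in this article so it runs without jailkit installed.

```bash
#!/bin/bash
# Hypothetical audit helper for a jailkit sftp jail (added example; not part of
# the original post or of jailkit). Assumptions: the jail has the layout jk_init
# produces, jailed users have /usr/sbin/jk_lsh as shell in the jail's etc/passwd,
# and the per-user sections in etc/jailkit/jk_lsh.ini look as in the article.

# Does section [user] of jk_lsh.ini list $exe under executables=?
jk_lsh_allows() {
    local ini="$1" user="$2" exe="$3"
    awk -v sec="[$user]" -v exe="$exe" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
        insec && /^[[:space:]]*executables[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, a, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (a[i] == exe) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$ini"
}

# Audit one jail for the given user names; prints every finding, returns 0 only
# when nothing is wrong.
audit_sftp_jail() {
    local jail="$1"; shift
    local rc=0 p u entry shell home suid

    # 1. Pieces jk_init's sftp/scp/jk_lsh profiles must have copied in.
    for p in etc/passwd etc/group etc/jailkit/jk_lsh.ini dev/null dev/urandom \
             usr/libexec/openssh/sftp-server; do
        [ -e "$jail/$p" ] || { echo "missing: $jail/$p" >&2; rc=1; }
    done

    # 2. No interpreter that would turn the limited shell into a real one.
    for p in bin/sh bin/bash bin/dash usr/bin/perl usr/bin/python; do
        [ ! -e "$jail/$p" ] || { echo "interpreter inside jail: $jail/$p" >&2; rc=1; }
    done

    # 3. No setuid binary inside the jail (a chroot is no boundary against root).
    suid=$(find "$jail" -type f -perm -4000 2>/dev/null)
    [ -z "$suid" ] || { echo "setuid files inside jail:" "$suid" >&2; rc=1; }

    # 4. Every jailed user has a jail passwd entry with jk_lsh as shell, a home
    #    that exists inside the jail, and a jk_lsh.ini section allowing sftp-server.
    for u in "$@"; do
        entry=$(grep "^$u:" "$jail/etc/passwd") \
            || { echo "$u: not in $jail/etc/passwd" >&2; rc=1; continue; }
        shell=${entry##*:}
        [ "$shell" = /usr/sbin/jk_lsh ] || { echo "$u: shell is $shell, not jk_lsh" >&2; rc=1; }
        home=$(printf '%s\n' "$entry" | cut -d: -f6)
        [ -d "$jail$home" ] || { echo "$u: home $home missing inside jail" >&2; rc=1; }
        jk_lsh_allows "$jail/etc/jailkit/jk_lsh.ini" "$u" /usr/libexec/openssh/sftp-server \
            || { echo "$u: jk_lsh.ini does not allow sftp-server" >&2; rc=1; }
    done
    return $rc
}

# Constructed stand-in for /sftp/chroot/1 (mirrors the listings in the article)
# so the audit can be exercised without jailkit installed.
build_sample_jail() {
    local jail="$1"
    mkdir -p "$jail/etc/jailkit" "$jail/dev" "$jail/usr/libexec/openssh" \
             "$jail/home/testuser1" "$jail/home/testuser2" "$jail/lib" "$jail/lib64"
    : > "$jail/dev/null"; : > "$jail/dev/urandom"      # plain files stand in for devices
    : > "$jail/usr/libexec/openssh/sftp-server"
    : > "$jail/etc/group"
    cat > "$jail/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
testuser1:x:500:501::/home/testuser1:/usr/sbin/jk_lsh
testuser2:x:501:502::/home/testuser2:/usr/sbin/jk_lsh
EOF
    cat > "$jail/etc/jailkit/jk_lsh.ini" <<'EOF'
[testuser1]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server

[testuser2]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server
EOF
}

# Demo: audit the constructed jail, then show that a stray /bin/sh is flagged.
work=$(mktemp -d)
build_sample_jail "$work/jail"
audit_sftp_jail "$work/jail" testuser1 testuser2 && echo "jail OK"
mkdir -p "$work/jail/bin" && : > "$work/jail/bin/sh"
audit_sftp_jail "$work/jail" testuser1 testuser2 || echo "jail NOT OK (as expected)"
rm -rf "$work"
```

Against the real jail the call is audit_sftp_jail /sftp/chroot/1 testuser1 testuser2; the interpreter list in step 2 is deliberately short and should be extended with whatever jk_init profiles you add later.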


We have to check that our sftp service runs well. Let's perform some sanity checks:

The service is not running yet:
service sftp-chroot status
sftp-chroot is stopped

so we start it:
service sftp-chroot start
Starting sftp-chroot:

and check the status:
service sftp-chroot status
sftp-chroot (pid  20238) is running...

netstat -na | grep [9]987 
tcp        0      0 0.0.0.0:9987                0.0.0.0:*                   LISTEN     
tcp        0      0 :::9987                         :::*                            LISTEN



ps -ef | grep [s]ftp-chroot
root     20238     1  0 12:20 ?        00:00:00 /usr/sbin/sftp-chroot -f /etc/ssh/sftp-chroot_config

All looks very good: the service is up and the process is waiting for connections. We must also make sure that we can actually connect to the sftp server.

sftp -o "Port 9987" testuser1@
testuser1 password:
Connected to node01.
sftp> pwd
Remote working directory: /home/testuser1
sftp> ls
sftp> cd ..
sftp> ls
testuser1  testuser2 
sftp> cd ..
sftp> ls
dev    etc    home   lib    lib64  usr   
sftp> cd ..
sftp> ls
dev    etc    home   lib    lib64  usr 



Well, we have our chrooted sftp. The listing after the last cd .. (dev, etc, home, lib, lib64, usr) is the jail root, not the real /, and no further cd .. gets above it. Two more checks are worth making before handing the port to users: a command run over ssh on port 9987 (for example ssh -p 9987 testuser1@host id) should be refused by jk_lsh, because id is not listed under executables=, and an ordinary, non-jailed account should not be able to log in on that port at all (AllowUsers takes care of that).

To sum up: pay special attention to the locations of the files and scripts in the above chroot setup; it is a little bit tricky. You can tune your jail further; how to do it is described on the jailkit home page. I hope this article will be useful for new Linux administrators.
