SFTP Setup for CentOS 4.5-5.x
Intro:
SFTP is very similar to FTP, however it sends information like your username and password over a secure, encrypted connection, unlike the very popular plain FTP setups you see around most of the net today. SFTP isn't actually a defined protocol; in fact it's not a protocol at all. It's really a subsystem of OpenSSH, which is why you will need to have OpenSSH installed and already configured to get your setup working. Though, as required, I can NOT take any responsibility for this setup; you should set up your system based on your trusted policies. If you break your system or it is compromised because of what you read and how you choose to set up your system, you can't blame me! This information is provided as-is and with no guarantee.
Contents:
Install/Setup rssh
Setup a Chroot for the sftp user
Create our sftp user, force them to use RSSH
Time To Test
Sftp clients.
What you need:
Openssh*
Openssh-server*
rssh
Root/Sudo Shell access*
* = Assumed to be installed and configured already per your company policy.
Installing RSSH:
In this example we are using CentOS 5.0. You can install RSSH via yum:
yum install rssh
If you are using a Red Hat based system you can also use the attached RPM file (though if you're using CentOS I'm sure the rssh in the repo is newer). If you are using a Debian-based system you can try the command below.
apt-get install rssh
If that doesn't work you can download and build rssh from source at this location: http://www.pizzashack.org/rssh/downloads.shtml
If you want, and trust my files, you can get the RPM I use here: http://www.roguesaints.net/tutorials/sftp/rssh-2.3.2-1.i386.rpm
Now we need to set up rssh to our liking. In this case I have rssh set up so I can have several users, each with their own chroot in a different place. This is nice because if you want a lot of people to have 'FTP-like' access to web directories, they will only have access to their own base structure and can't get out to other users' files or to the rest of your system.
Edit the /etc/rssh.conf file so that these options are uncommented:
allowsftp
umask = 022
user=username:011:00010:"/path/to/user/chroot" # Allow SFTP with chroot
user=username1:011:00010:"/path/to/user/chroot1" # Allow SFTP with chroot
user=username2:011:00010:"/path/to/user/chroot2" # Allow SFTP with chroot
(You only need to add in however many users you are setting up right now.)
Setup a Chroot for the sftp user:
Create a chroot using the mkchroot.sh script (attached below) like this. It should do most of the work for you, but you will have to copy some files over manually or your chroot might not work.
Script located here: http://www.roguesaints.net/tutorials/sftp/mkchroot.sh
sh mkchroot.sh /chroot/dir
Because of some problems with RSSH we need to create a /dev/null device node inside the chroot. This also has to be done manually; you can do this by running the command below.
mknod -m 666 /chroot/dir/dev/null c 1 3
These are the files that need to be copied over. You can find them using the 'locate' command, but they should be in /lib/:
ld-linux.so.2 -> /chroot/lib
libnss_compat* -> /chroot/lib
You may also need to make a symlink from /usr/bin/rssh to /bin/rssh.
ln -s /usr/bin/rssh /bin/rssh
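As an added check (not part of this tutorial or of the rssh project), the POSIX shell function below verifies that a jail built by the steps above has the pieces the text names: the dynamic loader and a libnss_compat copy in lib/, a /dev/null that is really a character device, and rssh reachable at both usr/bin/rssh and bin/rssh. It assumes the jail mirrors the host layout used above; the paths are the only thing it knows about.

```shell
#!/bin/sh
# check_chroot.sh -- verify an rssh chroot jail before handing it to a user.
# Added example, not from the tutorial or rssh; assumes the jail layout built
# above: lib/ld-linux.so.2, lib/libnss_compat*, dev/null, usr/bin/rssh, bin/rssh.

# check_chroot JAIL
# Prints "MISSING: <item>" for each absent piece and "OK: <jail>" when complete.
# Returns 0 when the jail is complete, 1 otherwise.
check_chroot() {
    jail="$1"
    rc=0

    # Dynamic loader copied from /lib on the host
    [ -e "$jail/lib/ld-linux.so.2" ] \
        || { echo "MISSING: lib/ld-linux.so.2"; rc=1; }

    # NSS library: any libnss_compat* copy counts (an unmatched glob stays literal)
    found=0
    for f in "$jail"/lib/libnss_compat*; do
        [ -e "$f" ] && found=1
    done
    [ "$found" -eq 1 ] || { echo "MISSING: lib/libnss_compat*"; rc=1; }

    # /dev/null must be a character device (mknod -m 666 ... c 1 3), not a plain file
    [ -c "$jail/dev/null" ] \
        || { echo "MISSING: dev/null (character device 1,3)"; rc=1; }

    # rssh inside the jail, plus the /bin/rssh symlink mentioned above
    [ -x "$jail/usr/bin/rssh" ] || { echo "MISSING: usr/bin/rssh"; rc=1; }
    [ -e "$jail/bin/rssh" ] || [ -L "$jail/bin/rssh" ] \
        || { echo "MISSING: bin/rssh (symlink to /usr/bin/rssh)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $jail"
    return "$rc"
}

# Run directly as: sh check_chroot.sh /chroot/dir
# (guarded so the file can also be sourced just for the function)
if [ -n "$1" ]; then
    check_chroot "$1"
fi
```

Run it after mkchroot.sh and the manual copies; an empty report of missing items before the first login saves a round of "Connection closed" debugging.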
Create our sftp user, force them to use RSSH:
At this point we can add a user and force them to use the rssh shell. This can be done with the lines below; make sure to replace the placeholders with your own user's information.
Create the user, set their home dir, set their shell:
adduser -m -d /their/home/dir/in/chroot -s /usr/bin/rssh username
Set a password.
passwd username
This forces the above user into the home dir you gave them. You could use this to lock a user into a web dir so they can upload/download/change files for their website but can't run shell commands. This way they also don't have to worry about their username/password being sniffed on the network.
**Note: If you are using the "AllowUsers" option in your sshd config file you will need to add your new user to the "AllowUsers" line of your SSH server config, then restart the server. If you aren't using that option, they should now have sftp access to their chroot dir. Time to test!
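The two places a slip here shows up are the access bits in rssh.conf and the login shell in /etc/passwd: a mask other than 00010 hands the user more than sftp, and a user listed in rssh.conf who still has /bin/bash in passwd has a real shell. The POSIX shell function below is an added example, not part of this tutorial or of rssh; it cross-checks both files, warns when allowsftp is commented out, and takes the file paths as arguments so it can be run against copies. The users alice, bob and carol in the usage test are constructed.

```shell
#!/bin/sh
# audit_rssh.sh -- cross-check rssh.conf against /etc/passwd.
# Added example, not from the tutorial or rssh. Expects the line format used
# above: user=<name>:<umask>:<access bits>:"<chroot>"  # optional comment

# audit_rssh RSSH_CONF PASSWD
# Prints one "WARN: ..." line per finding; prints nothing when all is well.
audit_rssh() {
    conf="$1"
    pw="$2"

    # allowsftp must be uncommented, otherwise rssh refuses sftp for everyone
    grep -q '^[[:space:]]*allowsftp' "$conf" \
        || echo "WARN: allowsftp is not enabled in $conf"

    # Walk every active user= line (leading whitespace allowed, comments ignored)
    grep '^[[:space:]]*user[[:space:]]*=' "$conf" | while IFS= read -r line; do
        spec=${line#*=}                       # drop "user="
        spec=${spec%%#*}                      # drop trailing comment
        spec=${spec#"${spec%%[![:space:]]*}"} # trim leading whitespace
        name=${spec%%:*}
        rest=${spec#*:}
        bits=${rest#*:}                       # skip the umask field
        bits=${bits%%:*}

        # 00010 is the sftp-only mask used in this tutorial; any other value
        # grants additional services (scp, cvs, rdist, rsync).
        [ "$bits" = "00010" ] \
            || echo "WARN: $name has access bits $bits (expected 00010 = sftp only)"

        # The login shell in passwd must be rssh, or the user gets a real shell
        shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$pw")
        case "$shell" in
            /usr/bin/rssh|/bin/rssh) ;;
            "") echo "WARN: $name is in $conf but has no entry in $pw" ;;
            *)  echo "WARN: $name has login shell $shell, not rssh" ;;
        esac
    done
}

# Run directly as: sh audit_rssh.sh /etc/rssh.conf /etc/passwd
# (guarded so the file can also be sourced just for the function)
if [ $# -eq 2 ]; then
    audit_rssh "$1" "$2"
fi
```

Running it after each adduser keeps the rssh.conf entries and the passwd shells in step, which is the part that tends to drift once there are more than a couple of jailed users.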
Time to Test:
Use another box to try to connect via ssh. It will prompt for the user's password. After entering it you will see output similar to what's listed below.
Last login: Sun Jan 13 03:24:49 2008 from ***.***.***.***
This account is restricted by rssh.
Allowed commands: sftp
If you believe this is in error, please contact your system administrator.
Connection to yourdomain.com closed.
Looks good so far!
Try to log in via sftp...
(prompts for password)
sftp>
You should now be dropped at an sftp prompt that looks something like the one above. This should mean that you're good to go! Try 'cd ..' a few times, then use the 'ls' command to make sure that your chroot is working and your user can't get out of their jail. If they can't, then you're in luck and can move on to adding your next user or uploading files to your newly created SFTP server.
*BONUS*
(Taken from http://blade.lansmash.com/?p=104)
Filesystem Tricks
When chroot is used symlinks that point outside the new root (the user’s home directory in this case) will not work. To get around this apparent limitation, it is possible on modern operating systems to mount directories at several locations in the filesystem.
To have an exact duplicate of the /var/ftp/incoming directory available in /home/bob/incoming and /home/dave/incoming, use one of these commands:
mount --bind /var/ftp/incoming /home/bob/incoming
SFTP Clients:
Windows:
WinSCP: http://winscp.net/eng/index.php
CoreFTP: http://www.coreftp.com/
FileZilla: http://filezilla-project.org/
cURL: http://curl.haxx.se/
Linux:
Command line sftp
FileZilla: http://filezilla-project.org/
cURL: http://curl.haxx.se/
Mac OS x:
cURL: http://curl.haxx.se/
Cyberduck: http://cyberduck.ch/
Fugu: http://rsug.itd.umich.edu/software/fugu/
If you have anything you would like to add, or I'm missing something, please do post below. I am more than happy to rewrite sections of this tutorial if it gets out of date. Hope this helped you!