Fusion Network

SFTP Setup for CentOS 4.5-5.x

Intro:

SFTP is very similar to FTP, but it sends information such as your username and password over a secure, encrypted connection, unlike the very popular FTP setups you see around most of the net today. SFTP isn't actually a defined protocol; in fact it's not a protocol at all. It's really a subsystem of OpenSSH, which is why you will need to have OpenSSH installed and already configured to get your setup working. As required, I can NOT take any responsibility for this setup; you should set up your system based on your own trusted policies. If you break your system, or it is compromised because of what you read here and how you chose to set up your system, you can't blame me! This information is provided as-is and with no guarantee.

Contents:

  • Install/Setup rssh

  • Setup a Chroot for the sftp user

  • Create our sftp user, force them to use RSSH

  • Time To Test

  • Sftp clients.

What you need:

  • Openssh*

  • Openssh-server*

  • rssh

  • Root/Sudo Shell access*

* = Assumed to be installed and configured already per your company policy.

Installing RSSH:

In this example we are using CentOS 5.0. You can install rssh via yum.

yum install rssh

If you are using a Red Hat based system you can also use the attached RPM file (though if you're using CentOS I'm sure the rssh in the repo is newer). If you are using a Debian-based system you can try the command below.

apt-get install rssh

If that doesn't work, you can download and install rssh from source at this location: http://www.pizzashack.org/rssh/downloads.shtml

If you want, and trust my files, you can find the RPM I use here: http://www.roguesaints.net/tutorials/sftp/rssh-2.3.2-1.i386.rpm

Now we need to set up rssh to our liking. In this case I have rssh set up so I can have several users, each with their own chroot in a different place. This is nice because if you want to give a lot of people 'FTP-like' access to web directories, they will have access only to their own base structure and can't get out to other users' files or to the rest of your system.

Edit the /etc/rssh.conf file so that these options are present and not commented out.

allowsftp

umask = 022

user=username:011:00010:"/path/to/user/chroot" # Allow SFTP with chroot

user=username1:011:00010:"/path/to/user/chroot1" # Allow SFTP with chroot

user=username2:011:00010:"/path/to/user/chroot2" # Allow SFTP with chroot

(You only need to add in however many users you are setting up right now.)

Setup a Chroot for the sftp user:

Create a chroot using the mkchroot.sh script (linked below) like this. It should do most of the work for you, but you will have to copy some files over manually or your chroot might not work.

Script located here: http://www.roguesaints.net/tutorials/sftp/mkchroot.sh

sh mkchroot.sh /chroot/dir

Because of some problems with rssh we need to create a null device inside the chroot. This also has to be done manually; you can do it by running the command below.

mknod -m 666 /chroot/dir/dev/null c 1 3

These are the files that need to be copied over. You can find them using the 'locate' command, but they should be in /lib/*:

ld-linux.so.2 -> /chroot/lib

libnss_compat* -> /chroot/lib

You may also need to make a symlink from /usr/bin/rssh to /bin/rssh.

ln -s /usr/bin/rssh /bin/rssh
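The tutorial says the chroot "might not work" if the hand-copied pieces are missing, and a jail that is silently incomplete is exactly the thing you want to catch before handing the account to a user. The function below is an added example (not part of the tutorial and not rssh's own mkchroot.sh) that checks a chroot directory for the items the text says must be added by hand (the /dev/null character device, ld-linux.so.2 and libnss_compat* under lib/) and additionally warns if the jail root is world-writable, since a jailed user who can write there could replace the libraries the jail depends on. The demo tree at the bottom is constructed in a temp directory; it deliberately lacks dev/null because mknod needs root, so one problem is expected.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of rssh's mkchroot.sh:
# verify that a chroot built for rssh/sftp has the pieces the tutorial says
# have to be added by hand, plus one permission check. Reports each problem
# on stdout and returns the number of problems (0 means the jail looks sane).
check_sftp_chroot() {
    cc_root=$1
    cc_problems=0
    if [ ! -d "$cc_root" ]; then
        echo "MISSING: $cc_root is not a directory"
        return 1
    fi
    # rssh needs /dev/null inside the jail, and it must be a real character
    # device (mknod -m 666 "$cc_root/dev/null" c 1 3), not a plain file.
    if [ ! -c "$cc_root/dev/null" ]; then
        echo "MISSING: $cc_root/dev/null (character device, major 1 minor 3)"
        cc_problems=$((cc_problems + 1))
    fi
    # The dynamic loader the tutorial copies into the jail by hand.
    if [ ! -e "$cc_root/lib/ld-linux.so.2" ]; then
        echo "MISSING: $cc_root/lib/ld-linux.so.2 (copy from /lib)"
        cc_problems=$((cc_problems + 1))
    fi
    # libnss_compat*, also copied by hand; any matching file counts.
    cc_found=0
    for cc_f in "$cc_root"/lib/libnss_compat*; do
        [ -e "$cc_f" ] && cc_found=1
    done
    if [ "$cc_found" -eq 0 ]; then
        echo "MISSING: $cc_root/lib/libnss_compat* (copy from /lib)"
        cc_problems=$((cc_problems + 1))
    fi
    # The jail root itself must not be writable by everyone: a jailed user
    # who can write there could replace the libraries the jail depends on.
    if [ -n "$(find "$cc_root" -prune -perm -002)" ]; then
        echo "WARNING: $cc_root is world-writable"
        cc_problems=$((cc_problems + 1))
    fi
    [ "$cc_problems" -eq 0 ] && echo "OK: $cc_root has the files rssh needs"
    return $cc_problems
}

# Demo on a constructed tree (on a real box run: check_sftp_chroot /chroot/dir).
# Only stand-ins for the two libraries are created; dev/null needs root
# (mknod), so expect exactly that one item to be reported here.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/lib" "$DEMO_ROOT/dev"
touch "$DEMO_ROOT/lib/ld-linux.so.2" "$DEMO_ROOT/lib/libnss_compat.so.2"
check_sftp_chroot "$DEMO_ROOT" || echo "$? problem(s) found in $DEMO_ROOT"
```

Run it as root against the real jail after mkchroot.sh and the manual copies; a zero exit status means the pieces the tutorial lists are in place, and anything else prints what is still missing. The lib/ paths follow the tutorial's 32-bit CentOS layout; a 64-bit host keeps its loader under lib64/, which this check does not look at.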

Create our sftp user, force them to use RSSH:

At this point we can add a user and force them to use the rssh shell. This can be done with the line below; make sure to replace what you need to with your own user's information.

Create the user, set their home dir, set their shell:

adduser -m -d /their/home/dir/in/chroot -s /usr/bin/rssh username

Set a password.

passwd username

This forces the above user into the home dir you gave them. You could use this to lock a user into a web dir so they can upload/download/change files for their website but can't run shell commands. This way they also don't have to worry about their username/password being sniffed on the network.

**Note: If you are using the “AllowUsers” option in your ssh config file, you will need to add your new user to the “AllowUsers” section of your ssh server config and then restart the server. If you aren't using it, they should now have sftp access to their chroot dir. Time to test!
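Two things go wrong with the rssh.conf lines from the "Installing RSSH" section and the user creation above: a user= line that grants more than sftp (or names a relative chroot path), and an account whose shell was set to rssh but that has no user= line at all, which then gets whatever the global allowsftp permits with no chroot. The script below is an added example, not the tutorial's or rssh's own code, that audits both. It assumes the user= line format shown in the tutorial (user=NAME:UMASK:ACCESSBITS:"/chroot/path") with the five access bits meaning rsync, rdist, cvs, sftp and scp in that order, so that 00010 is sftp only, and that a passwd entry marks rssh users by a shell path ending in /rssh. Both input files are constructed samples written to temp files.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the user= lines of
# an rssh.conf and cross-check them against the accounts whose login shell
# is rssh. Two mistakes this catches: a user line that grants more than sftp
# (or names a relative chroot path), and an rssh-shelled account with no
# user= line at all, which falls back to the global "allowsftp" with no
# chroot. All file contents below are constructed samples, not real systems.

# Check one line of the form  user=NAME:UMASK:ACCESSBITS:"/chroot/path".
# ACCESSBITS are five binary digits (rsync rdist cvs sftp scp); "00010"
# means sftp only. Prints a verdict and returns 0 if compliant, 1 if not.
# Leaves the parsed name and chroot path in cl_name / cl_path for callers.
check_rssh_user_line() {
    cl_body=${1#user=}
    cl_name=${cl_body%%:*}
    cl_rest=${cl_body#*:}
    cl_umask=${cl_rest%%:*}
    cl_rest=${cl_rest#*:}
    cl_access=${cl_rest%%:*}
    cl_path=${cl_rest#*:}
    cl_path=${cl_path%%#*}   # drop a trailing comment
    cl_path=$(printf '%s' "$cl_path" | sed 's/^[[:space:]]*"*//; s/"*[[:space:]]*$//')
    case $cl_access in
        00010) ;;
        [01][01][01][01][01])
            echo "$cl_name: access bits $cl_access are not sftp-only (want 00010)"; return 1 ;;
        *)  echo "$cl_name: malformed access bits '$cl_access'"; return 1 ;;
    esac
    case $cl_path in
        /*) ;;
        *)  echo "$cl_name: chroot path '$cl_path' is not absolute"; return 1 ;;
    esac
    echo "$cl_name: sftp-only, umask $cl_umask, chroot $cl_path"
    return 0
}

# Run the check over every user= line of a config file; returns the number
# of non-compliant lines.
audit_rssh_conf() {
    ac_bad=0
    while IFS= read -r ac_line; do
        case $ac_line in
            user=*) check_rssh_user_line "$ac_line" || ac_bad=$((ac_bad + 1)) ;;
        esac
    done < "$1"
    return $ac_bad
}

# For every passwd entry whose shell is rssh: require a user= line in the
# config and a home directory inside that line's chroot. Arguments: rssh.conf
# path, passwd-format file path. Returns the number of problems.
audit_rssh_accounts() {
    aa_conf=$1 aa_passwd=$2 aa_bad=0
    while IFS=: read -r aa_user aa_x aa_uid aa_gid aa_gecos aa_home aa_shell; do
        case $aa_shell in */rssh) ;; *) continue ;; esac
        aa_line=$(grep "^user=$aa_user:" "$aa_conf" | head -n 1)
        if [ -z "$aa_line" ]; then
            echo "$aa_user: shell is rssh but has no user= line (sftp with NO chroot)"
            aa_bad=$((aa_bad + 1)); continue
        fi
        if ! check_rssh_user_line "$aa_line" >/dev/null; then
            aa_bad=$((aa_bad + 1)); continue
        fi
        case $aa_home in
            "$cl_path"|"$cl_path"/*) echo "$aa_user: home $aa_home is inside chroot $cl_path" ;;
            *) echo "$aa_user: home $aa_home is OUTSIDE chroot $cl_path"; aa_bad=$((aa_bad + 1)) ;;
        esac
    done < "$aa_passwd"
    return $aa_bad
}

# Constructed sample files (on a real box use /etc/rssh.conf and /etc/passwd).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
allowsftp
umask = 022
user=alice:011:00010:"/chroot/alice"   # sftp only, absolute chroot: fine
user=bob:011:00011:"/chroot/bob"       # sftp AND scp: flagged
user=carol:011:00010:"chroot/carol"    # relative chroot path: flagged
user=frank:011:00010:"/chroot/frank"   # fine here, but see passwd below
EOF
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/chroot/alice/home/alice:/usr/bin/rssh
erin:x:1002:1002::/var/www/erin:/usr/bin/rssh
frank:x:1003:1003::/home/frank:/usr/bin/rssh
EOF

audit_rssh_conf "$SAMPLE_CONF" || echo "rssh.conf: $? non-compliant user line(s)"
audit_rssh_accounts "$SAMPLE_CONF" "$SAMPLE_PASSWD" || echo "accounts: $? problem(s)"
```

On the sample data the config audit flags bob and carol, and the account audit flags erin (rssh shell, no user= line) and frank (home outside the chroot); on a live box point the two functions at /etc/rssh.conf and /etc/passwd after each adduser and fix anything that is reported before handing out the password.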

Time to Test:

Use another box to try to connect via ssh.

ssh testuser@yourdomain.com

It will prompt for the user's password. After entering it you will see output similar to what's listed below.

Last login: Sun Jan 13 03:24:49 2008 from ***.***.***.***

This account is restricted by rssh.

Allowed commands: sftp

If you believe this is in error, please contact your system administrator.

Connection to yourdomain.com closed.

Looks good so far!

Try to log in via sftp...

sftp testuser@yourdomain.com

(prompts for password)

sftp>

You should now be dropped at an sftp prompt that looks something like the one above. That should mean you're good to go! Try to cd .. a few times, then use the 'ls' command to make sure that your chroot is working and your user can't get out of their jail. If they can't, then you're in luck and can move on to adding your next user or uploading files to your newly created SFTP server.

 *BONUS*

(Taken from http://blade.lansmash.com/?p=104) 

Filesystem Tricks
When chroot is used symlinks that point outside the new root (the user’s home directory in this case) will not work. To get around this apparent limitation, it is possible on modern operating systems to mount directories at several locations in the filesystem.

To have an exact duplicate of the /var/ftp/incoming directory available in /home/bob/incoming and /home/dave/incoming, use one of these commands:

mount --bind /var/ftp/incoming /home/bob/incoming

SFTP Clients:

Windows:

WinSCP: http://winscp.net/eng/index.php

CoreFTP: http://www.coreftp.com/

FileZilla: http://filezilla-project.org/

cURL: http://curl.haxx.se/


Linux:

Command line sftp

FileZilla: http://filezilla-project.org/

cURL: http://curl.haxx.se/

Mac OS X:

cURL: http://curl.haxx.se/

Cyberduck: http://cyberduck.ch/

Fugu: http://rsug.itd.umich.edu/software/fugu/

If you have anything you would like to add, or I'm missing something, please do post below. I am more than happy to rewrite sections of this tutorial if it gets out of date. Hope this helped you!