SFTP Jail
From QwikITedia
Introduction
Create a Secure FTP server for your company or your own needs on Ubuntu. Each group you want to exchange data with gets its own individual space (termed an SFTP Jail) on the SFTP server, such that they alone can see it and cannot see any other spaces (jails) you might have created for other business partners.
Assumptions
- You are running Ubuntu Server
NOTE Before you begin
- You'll be creating a brand new jail area upon the SFTP server for the new company.
cd /
- Naming convention for the jail = COMPANY_NAME-jail
- In the following docs, "richard" is the user that is created inside each jail you might create and /jail is equivalent to COMPANY_NAME-jail
SFTP Server Installation
Install the openssh-server
- apt-get install openssh-server
Settings are stored in
- /etc/ssh, and
- /etc/ssh/sshd_config
Jailkit Installation
Get the latest Jailkit release, courtesy of Olivier:
# cd /tmp
# wget http://olivier.sessink.nl/jailkit/jailkit-2.x.tar.gz
After downloading Jailkit, compile and install it:
# tar -zxvf jailkit-2.x.tar.gz
# mkdir /ACME-jail
# cd /ACME-jail
# cp -Rf /tmp/jailkit-2.x/* .
# ./configure
# make
# make install
Setting The "Jail" Up
After you've installed it, it's time to set up the "root" directory (the directory to which the users will be jailed). The jail root must be owned by root, or the jailed user could alter the environment inside it:
# sudo chown root:root /ACME-jail
Creating the Proper Environment
The following lines will allow the logged in user to use whichever set of programs you want to allow:
# sudo jk_init -v /ACME-jail basicshell
# sudo jk_init -v /ACME-jail editors
# sudo jk_init -v /ACME-jail extendedshell
# sudo jk_init -v /ACME-jail scp
# sudo jk_init -v /ACME-jail ssh
# sudo jk_init -v /ACME-jail sftp
Add the jailer shell script to the jail
Place the "jk_lsh" script inside the jail so that you can jail the user in the next step:
sudo jk_init -v /ACME-jail jk_lsh
Creating and Jailing the User
$ sudo useradd -d /home/richard -m richard
$ sudo jk_jailuser -m -j /ACME-jail richard
- Don't forget to set the password while you're at it:
sudo passwd richard
- If the above jailing action does not work for you, add the necessary entries manually:
- In /etc/passwd the entry for user 'richard' should look like:
richard:x:1001:1001::/ACME-jail/./home/richard:/usr/sbin/jk_chrootsh
Setting Up the Home Directory
From the user's perspective, logging in to this secured environment "/ACME-jail" will simply show up as the "/" directory, so a home directory inside the jail is also needed:
$ sudo mkdir -p /ACME-jail/home/richard
$ sudo chown richard:richard /ACME-jail/home/richard
Passwords
Edit the /ACME-jail/etc/passwd and /ACME-jail/etc/group files and add the lines below.
(Note: the numbers are the user and group ids, which you can check by opening the /etc/passwd file and looking for the appropriate user; they must match the ids outside the jail.)
- sudo vi /ACME-jail/etc/passwd
paste and save this:
- richard:x:1001:1001::/home/richard:/bin/bash
- sudo vi /ACME-jail/etc/group
paste and save this:
- richard:x:1001:
Profiles and Ownership
- sudo cp /home/resmonde/.bashrc /ACME-jail/home/richard
- sudo vi /ACME-jail/home/richard/.bashrc (to tweak your settings, such as aliases for the new jailed user)
- sudo chown richard:richard /ACME-jail/home/richard/.bashrc
Check the configuration by "sftp'ing" your machine:
- sftp richard@localhost
sftp> quit
If anything's gone wrong, /var/log/auth.log will give you the needed details:
tail /var/log/auth.log
Test & Check the logs
- sftp username@localhost (enter the password when prompted)
- tail /var/log/daemon.log /var/log/auth.log