How to configure SFTP service for Chroot environment in Debian 10

2025-04-04 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/01 Report--

This article mainly introduces how to configure the SFTP service of the Chroot environment in Debian 10, which has a certain reference value. Interested friends can refer to it. I hope you can learn a lot after reading this article.

SFTP, which stands for "Secure File Transfer Protocol" or "SSH File Transfer Protocol", is the most commonly used method for securely transferring files from a local system to a remote server over ssh, and vice versa. The main advantage of sftp is that no additional package is needed beyond openssh-server, which is part of the default installation in most Linux distributions. Another benefit of sftp is that we can give users sftp access without giving them an ssh shell.

The currently released Debian 10 is codenamed "Buster". In this article, we will demonstrate how to configure sftp in a Chroot "jail" environment on a Debian 10 system. A Chroot jail here means that users cannot go beyond their home directories: they cannot change directory to anything outside their own home. Details of the following experiment:

OS = Debian 10

IP address = 192.168.56.151

Let's jump to the SFTP configuration steps.

Step 1. Create a group for sftp using the groupadd command

Open the terminal and create a group called sftp_users using the following groupadd command:

root@linuxtechi:~# groupadd sftp_users

Step 2. Add users to the sftp_users group and set permissions

Suppose you want to create a new user and add that user to the sftp_users group; run the following command.

Syntax (replace <username> with the account to create):

# useradd -m -G sftp_users <username>

Let's assume that the user name is jonathan:

root@linuxtechi:~# useradd -m -G sftp_users jonathan

Use the following chpasswd command to set the password (replace <password> with the password you want to assign):

root@linuxtechi:~# echo "jonathan:<password>" | chpasswd

Suppose you want to add an existing user to the sftp_users group; run the following usermod command (the -a flag appends the group, whereas -G on its own would replace the user's existing supplementary groups). Let's assume that the existing user name is chris:

root@linuxtechi:~# usermod -aG sftp_users chris

Now set the ownership the chroot requires. sshd only accepts a ChrootDirectory that is owned by root and not writable by any other user, so the home directories themselves are handed over to root:

root@linuxtechi:~# chown root /home/jonathan /home/chris/

Create an upload directory in each user's home directory and set the correct ownership:

root@linuxtechi:~# mkdir /home/jonathan/upload
root@linuxtechi:~# mkdir /home/chris/upload
root@linuxtechi:~# chown jonathan /home/jonathan/upload
root@linuxtechi:~# chown chris /home/chris/upload

Note: because the home directory itself is root-owned, users like jonathan and chris can only upload files and directories from their local system into their upload directory.

Step 3. Edit the sftp configuration file /etc/ssh/sshd_config

As we have already stated, sftp runs over ssh, so its configuration file is /etc/ssh/sshd_config. Before making any changes, I recommend backing up the file, then editing it and adding the following:

root@linuxtechi:~# cp /etc/ssh/sshd_config /etc/ssh/sshd_config-org
root@linuxtechi:~# vim /etc/ssh/sshd_config

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftp_users
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp

Save and exit the file.

For the above changes to take effect, restart the ssh service using the following systemctl command:

root@linuxtechi:~# systemctl restart sshd

In the sshd_config file above, we commented out the original line beginning with Subsystem, added the new entry Subsystem sftp internal-sftp, and appended a Match block:

Match Group sftp_users -> if the connecting user is a member of the sftp_users group, the directives that follow this line apply to the session.

ChrootDirectory %h -> users can only move around inside their own home directory, never beyond it. In other words, they are placed in a jail rooted at their home directory and cannot reach other users' directories or system directories.

ForceCommand internal-sftp -> users are restricted to sftp only; no shell or other command is executed for them.

Step 4. Test and verify sftp

Log in to any other Linux system on the same network as your sftp server and try the ssh and sftp services with the users we put into the sftp_users group.

[root@linuxtechi ~]# ssh root@linuxtechi
root@linuxtechi's password:
Write failed: Broken pipe
[root@linuxtechi ~]# ssh root@linuxtechi
root@linuxtechi's password:
Write failed: Broken pipe
[root@linuxtechi ~]#

The above confirms that these users are not allowed an ssh shell login. Now try sftp using the following command:

[root@linuxtechi ~]# sftp root@linuxtechi
root@linuxtechi's password:
Connected to 192.168.56.151.
sftp> ls -l
drwxr-xr-x    2 root     1001         4096 Sep 14 07:52 debian10-pkgs
-rw-r--r--    1 root     1001          155 Sep 14 07:52 devops-actions.txt
drwxr-xr-x    2 1001     1002         4096 Sep 14 08:29 upload

Let's use sftp's get command to try to download a file:

sftp> get devops-actions.txt
Fetching /devops-actions.txt to devops-actions.txt
/devops-actions.txt                           100%  155     0.2KB/s   00:00
sftp> cd /etc
Couldn't stat remote file: No such file or directory
sftp> cd /root
Couldn't stat remote file: No such file or directory
sftp>

The above output confirms that we can download files from our sftp server to the local machine, and the failed cd commands confirm that the user cannot change to any directory outside the jail.

Let's try uploading a file in the upload directory:

sftp> cd upload/
sftp> put metricbeat-7.3.1-amd64.deb
Uploading metricbeat-7.3.1-amd64.deb to /upload/metricbeat-7.3.1-amd64.deb
metricbeat-7.3.1-amd64.deb                    100%   38MB  38.4MB/s   00:01
sftp> ls -l
-rw-r--r--    1 1001     1002     40275654 Sep 14 09:18 metricbeat-7.3.1-amd64.deb
sftp>

This confirms that we have successfully uploaded a file from our local system to the sftp service.

Now use the WinSCP tool to test the sftp service: enter the sftp server IP address and the user's credentials.

Click on Login, and then try to download a file.

Now try uploading a file into the upload folder.

Thank you for reading this article carefully. I hope the article "How to configure SFTP service for a Chroot environment in Debian 10" shared by the editor will be helpful to you. At the same time, I also hope you will support us and follow the industry information channel. More related knowledge is waiting for you to learn!
