Secure FTP Server in Chroot Jail Environment

Only available on StudyMode
  • Topic: File Transfer Protocol, SSH file transfer protocol, FTPS
  • Pages : 2 (280 words )
  • Download(s) : 721
  • Published : December 5, 2010
Open Document
Text Preview
SFTP IN CHROOT

Often SFTP is confused with FTPS

Well, they are different
SFTP - Part of SSH server
FTPS - Secure implementation of FTP server
(yes, both use SSL encryption on the transport)

WHAT IS JAILROOT/CHROOT?

Evey process in *NIX systems has Process Context. This context contains the "absolute path" of the command that lead to creation of the process.

e.g.

$ ls

The Process Context shall contain "/bin/ls".

It must be noticed that process has visibility till "/". The hacker may somhow access all directories below "/" as they are in visibility. This is insecure.

We decrease the visibility of process by creating altogether a separate directory called CHROOT or JAILROOT.

For eg. if /dir1/dir2/chroot-dir is the JAILROOT directory in our configuration then the process run from login within this directory shall have no knowledge of anything above "/dir1/dir2/chroot-dir/". For this process /dir1/dir2/chroot-dir/ is their "/" in the process context.

CREATE USER WHO WILL BE ALLOWED TO LOGIN THROUGH SFTP

sage ~]# useradd sftp-user

Make sftp-server as login shell for that user.

sage ~]# usermod -s /bin/false sftp-user

CREATE JAILROOT DIRECTORY

sage ~]# mkdir /chroot-dir && chown root.sftp-user /chroot-dir && chmod 750 /chroot-dir

MODIFY SSH SERVER CONFIGURATION TO ENABLE SFTP IN CHROOT

sage ~]# vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
ChrootDirectory /chroot-dir

ADD /usr/libexec/openssh/sftp-server AS A VALID LOGIN SHELL

sage ~]# echo '/usr/libexec/openssh/sftp-server' >> /etc/shells sage ~]# /etc/init.d/sshd restart

TEST SFTP

bash~$ sftp sftp-user@hostname.domain
Connecting to hostname.domain...
sftp-user@hostname.domain's password:
sftp> ls
sftp> quit
tracking img