Setting Up vsftpd on CentOS with a Perfect CHROOT

SFTP servers are very popular and there are a multitude of guides out there on how to set them up. I found, however, that with the basic configuration users will typically still be able to access parent directories and see the files contained within, due to the permissions required on a user’s home directory. For example, if you were to install vsftpd using the guide found here, you would be able to browse to the root:

[Screenshot: WinSCP session to 192.168.0.15 browsing the root directory, 2016-08-28]

The solution was to create a new directory structure with specific permissions that emulates the layout of the home directory. To the end user it will look like their home directory, but it will actually be in an alternate location. This is best used for a pure SFTP server where users will only ever connect using SFTP to upload and download files.

This guide assumes that the server has a basic configuration with networking, and that SSH is installed and enabled.

Setting Up the Server

The first thing to do is install the SFTP server itself

Once it’s installed we can configure vsftpd, so open up /etc/vsftpd/vsftpd.conf and make sure the settings below are configured. If need be, uncomment or add the entries.

We’ll also need to configure which sftp server is used, so open up /etc/ssh/sshd_config and make the changes below.

To make these configuration changes take effect we’ll restart both services.

Now we’ll create our directory structure which will contain our users’ chroot directories

Make sure that the vsftpd service starts at boot

You may also need to open up the firewall. For iptables use:

Or for firewalld

Creating Users

Now that the server is set up you can create users. To do so, first create the user and give it a password.

Once you run passwd it will prompt for the password to give the user, enter something secure.

We’ll also prevent the user from logging in interactively: they will never get a shell and will only be able to connect for SFTP. This is done by setting their shell to /sbin/nologin. You can find more about how that works here: http://www.cyberciti.biz/tips/howto-linux-shell-restricting-access.html.

Create a directory for the user underneath /usr/sftp. This should be in the structure <username>/home/<username>. For example /usr/sftp/thomas/home/thomas.

The next thing to do is lock down access to the directory structure, so that the user cannot see anything outside their “home” directory.

Now that the directory has been created and permissions assigned we’ll specify this as the chroot directory in the SSH configuration. Open up /etc/ssh/sshd_config and then at the bottom add in:

Lastly, restart SSH.

At this point you should be able to connect to your SFTP server and you’ll only be able to see your own directory!

[Screenshot: WinSCP session to 192.168.0.15 showing only the user’s own directory, 2016-08-28]

Scripting It

Of course, a repetitive process like this could be improved by creating a script. This will make it easier to set up users and reduce the possibility of mistakes. Here’s the script:

This will allow you to enter as many users as you like and it will create a user for each. It will prompt you for a password for each user as it runs through the script.
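The user-creation steps above and the script this section describes, written out as an added example (this is not the post’s own script). It assumes the chroot is the parent directory /usr/sftp/<username>, that sshd is pinned to internal-sftp for that user with a Match block, and that every directory above the user’s own must be root-owned and not group/world-writable, which is what sshd checks before it will chroot.

```shell
#!/bin/sh
# Added example: create SFTP-only users under /usr/sftp/<user>/home/<user>
# and append a matching chroot block to sshd_config. Paths and the Match
# block layout are assumptions, not copied from the original post.
set -eu

SFTP_ROOT="${SFTP_ROOT:-/usr/sftp}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Accept only simple lowercase names: anything else would end up in a
# filesystem path and in an sshd Match line.
valid_username() {
    case "$1" in
        [[:lower:]_][[:lower:][:digit:]_-]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# The chroot is the parent of the emulated home, so after chroot the
# account's /home/<user> from /etc/passwd resolves to the user's own dir.
chroot_dir() { printf '%s/%s' "$SFTP_ROOT" "$1"; }
home_dir()   { printf '%s/%s/home/%s' "$SFTP_ROOT" "$1" "$1"; }

# sshd block: chroot, force the in-process sftp server, no forwarding.
match_block() {
    printf 'Match User %s\n    ChrootDirectory %s\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n    X11Forwarding no\n' \
        "$1" "$(chroot_dir "$1")"
}

create_sftp_user() {
    user="$1"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    # No shell, and no real /home/<user>: the chroot tree emulates it.
    useradd -M -s /sbin/nologin "$user"
    passwd "$user"                       # prompts for the user's password
    mkdir -p "$(home_dir "$user")"
    # Parents stay root-owned and 755; only the innermost dir is the user's.
    chown root:root "$(chroot_dir "$user")" "$(chroot_dir "$user")/home"
    chmod 755 "$(chroot_dir "$user")" "$(chroot_dir "$user")/home"
    chown "$user:$user" "$(home_dir "$user")"
    chmod 700 "$(home_dir "$user")"
    match_block "$user" >> "$SSHD_CONFIG"
}

# Usage (as root): ./add-sftp-users.sh alice bob   then restart sshd.
if [ "$#" -gt 0 ]; then
    for u in "$@"; do create_sftp_user "$u"; done
    echo "Now run: systemctl restart sshd"
fi
```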
