We have a requirement to allow a customer to submit files securely to us via SFTP using public-key authentication, so here is how the server was set up.
In this example the Ubuntu server has the hostname testsftp and the IP address 192.168.10.10/24. It is a standard install with the openssh-server package selected when prompted during setup; you can also run sudo apt-get install openssh-server once the server is up and running.
Make a copy of any files you are going to change and make the copy read-only, so you always have a known-good version to diff against or restore.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original
View /etc/ssh/sshd_config and ensure the line shown below is present and not commented out. The compiled-in default is already yes, so a commented-out copy of the line also means enabled; what matters is that nothing sets it to no.
PubkeyAuthentication yes
Create the new local user that will use the SFTP service. passwd prompts for the password; it does not take the password as an argument, and putting it on the command line would leave it in the shell history.
sudo useradd -d /home/testuser -m testuser
sudo passwd testuser
Generate the public/private key pair to be used with the user account. In my case I used the built-in key generator in SecureCRT; the ssh-keygen utility on any Unix-like client does the same job. We will call the private key 'private' and the public key 'public.pub'. Always protect the private key with a strong passphrase when prompted, and do not generate 1024-bit RSA keys as older guides suggest: that size is below current minimums. Ed25519 (or RSA with at least 3072 bits) is the sensible choice now.
ssh-keygen -t ed25519 -f private
ssh-keygen writes the public half next to the private key as private.pub; rename it to public.pub if you want to follow the file names used below.
Next we need to copy the public key to the host
scp public.pub testuser@192.168.10.10:
password: ***********
Now we need to log in to the remote host as the ‘testuser’
ssh testuser@192.168.10.10
password: ***********
Once we are connected to the host server we need to create the .ssh directory (if it does not already exist), set the permissions sshd requires (StrictModes rejects a key file or directory that is writable by group or others) and append the newly created public key to the authorised keys for testuser. Running ssh-copy-id -i public.pub testuser@192.168.10.10 from the client performs the same steps in one go.
testsftp$ mkdir -p ~/.ssh
testsftp$ chmod 700 ~/.ssh
testsftp$ cat public.pub >> ~/.ssh/authorized_keys   # add the public key to the authorised keys
testsftp$ chmod 600 ~/.ssh/authorized_keys
testsftp$ mv public.pub ~/.ssh                       # tidy the public key away into .ssh
Now log out and back in again using the same ssh command as before. You will be asked for the passphrase of the private key instead of the user's password. Make sure the private key is where your client expects it: with SecureCRT this is done through the 'Manage Agent Keys' tool, and with the OpenSSH client you pass it with ssh -i private.
Enter passphrase for key '/home/testuser/.ssh/private': *************
So now we have a local user who can authenticate against the testsftp server with a public/private key pair. What we want next is to restrict that user to SFTP only, confined to their own directory, and nothing else.
Modify /etc/ssh/sshd_config so the sftp subsystem uses sshd's in-process server. Ubuntu ships the line Subsystem sftp /usr/lib/openssh/sftp-server; replace it rather than adding a second one (sshd rejects a duplicate Subsystem definition). The external sftp-server binary cannot run inside a chroot that contains no binaries or libraries, which is why internal-sftp is required here.
Subsystem sftp internal-sftp
At the end of the sshd_config file add the following block. It has to go at the end because every directive after a Match line applies only to that match, until the next Match. %h expands to the user's home directory, so any member of the sftponly group is chrooted into their own home, cannot leave it, and can only run the SFTP subsystem; TCP forwarding is disabled so the account cannot be used as a pivot into the network.
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
Create the new group and add testuser to it. usermod -g makes sftponly the user's primary group; usermod -aG sftponly testuser would add it as a supplementary group instead, and Match Group matches either way.
sudo groupadd sftponly
sudo usermod -g sftponly testuser
Deny the user shell access. ForceCommand already stops a shell being spawned, but a non-interactive shell is good defence in depth (/usr/sbin/nologin works equally well and prints a message to anyone who tries).
sudo usermod -s /bin/false testuser
We now need to verify directory ownership and permissions. For ChrootDirectory to work, the user's home directory and every directory above it (/home and /) must be owned by root and must not be writable by group or others; otherwise sshd drops the login and logs "bad ownership or modes for chroot directory". A home created by useradd -m is already 755 or 750, so only the owner needs changing:
sudo chown root:root /home/testuser/
Now when testuser logs in with an SFTP client they can only browse their home directory, which appears to them as /. Because that directory is now owned by root they cannot write into its top level, so create a subdirectory owned by testuser (for example /home/testuser/upload) for the files they need to upload; in general, make sure the account has the permissions for whatever operations it needs to perform once connected.
Attempt a direct SSH connection to the host and you will see that it does not get a shell: the key still authenticates, but the forced internal-sftp subsystem replaces the shell, so an interactive session prints "This service allows sftp connections only." and closes, and sshd logs "refusing non-sftp session".
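Here is the server side of the procedure above collected into one script, as an added example; it is not code from the original post. It assumes Ubuntu with OpenSSH and GNU coreutils (the stat -c flags), takes the testuser and sftponly names from the post, and makes a few choices of its own that I have labelled in the comments: a nologin shell instead of /bin/false, supplementary group membership (-aG), an upload subdirectory owned by the user, and X11Forwarding no plus PasswordAuthentication no added to the Match block. The check_chroot_path function is the thing to run when a chrooted login fails with "bad ownership or modes for chroot directory" in auth.log: it walks from the home directory up to / and reports every component that is not root-owned or is writable by group or others.

```shell
#!/bin/sh
# Added example (not from the original post): the server side of the post's
# procedure as one script, plus the ownership/mode check sshd applies to
# ChrootDirectory. Assumes Ubuntu with OpenSSH and GNU coreutils (stat -c).
# User and group names are the post's; SSHD_CONFIG can be pointed at a copy
# of the real file to rehearse the edits.
SFTP_USER=${SFTP_USER:-testuser}
SFTP_GROUP=${SFTP_GROUP:-sftponly}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# Every component of the chroot path, from the directory itself up to /, must be
# owned by root and must not be writable by group or others; otherwise sshd
# drops the login with "bad ownership or modes for chroot directory". Prints one
# line per violation; returns 0 if clean, 1 if not, 2 on a bad argument.
check_chroot_path() {
    case $1 in /*) ;; *) echo "check_chroot_path: need an absolute path" >&2; return 2 ;; esac
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    rc=0
    while :; do
        owner=$(stat -c '%u' "$dir") || return 2
        perms=$(stat -c '%A' "$dir") || return 2     # e.g. drwxr-xr-x
        [ "$owner" -eq 0 ] || { echo "$dir: not owned by root (uid $owner)"; rc=1; }
        case $(printf '%s' "$perms" | cut -c6) in w) echo "$dir: group-writable"; rc=1 ;; esac
        case $(printf '%s' "$perms" | cut -c9) in w) echo "$dir: world-writable"; rc=1 ;; esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# The post's Match block with two additions of mine: X11Forwarding off alongside
# TCP forwarding, and PasswordAuthentication no so sftponly accounts can only
# log in with their key. Match applies to everything after it, so the block
# must be appended at the very end of sshd_config.
sftp_match_block() {
    cat <<EOF
Match Group $SFTP_GROUP
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no
EOF
}

# Root only. Creates the group and user, installs the public key, makes the
# home a valid chroot and gives the user a writable upload/ directory inside it
# (the home itself is root-owned, so the user cannot write to its top level).
# Differences from the post: nologin instead of /bin/false, and the group is
# added as a supplementary group (-aG) so the primary group is left alone.
apply_server_setup() {
    pubkey=$1
    home=/home/$SFTP_USER
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    id "$SFTP_USER" >/dev/null 2>&1 || useradd -d "$home" -m -s /usr/sbin/nologin "$SFTP_USER"
    usermod -aG "$SFTP_GROUP" "$SFTP_USER"
    install -d -m 700 -o "$SFTP_USER" "$home/.ssh"
    install -m 600 -o "$SFTP_USER" "$pubkey" "$home/.ssh/authorized_keys"   # replaces any existing keys
    chown root:root "$home"
    chmod 755 "$home"
    install -d -m 750 -o "$SFTP_USER" -g "$SFTP_GROUP" "$home/upload"
    check_chroot_path "$home" || return 1
    # The default external sftp-server binary is unreachable inside the chroot,
    # so switch the subsystem to internal-sftp, append the Match block once, and
    # only reload sshd if the result parses (and we edited the live file).
    sed -i 's|^Subsystem[[:space:]]\+sftp[[:space:]].*|Subsystem sftp internal-sftp|' "$SSHD_CONFIG"
    grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG" || sftp_match_block >>"$SSHD_CONFIG"
    sshd -t -f "$SSHD_CONFIG" || return 1
    [ "$SSHD_CONFIG" = /etc/ssh/sshd_config ] && systemctl reload ssh
}

case ${1:-} in
    apply) apply_server_setup "${2:?usage: $0 apply /path/to/public.pub}" ;;
    check) check_chroot_path "${2:?usage: $0 check /absolute/path}" ;;
    *)     sftp_match_block ;;   # no arguments: just show the sshd_config fragment
esac
```

Run it with no arguments to print the sshd_config fragment, with check /home/testuser as any user to audit the chroot path, or with apply /path/to/public.pub as root to perform the whole setup. Pointing SSHD_CONFIG at a copy of the real file lets you rehearse the sed and append steps before touching the live configuration.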