en🇬🇧 fr🇫🇷

Translation available:

fr Paramétrage SFTP sécurisé complet /


5 minutes read time

Secured SFTP setup

May 11, 2020
sftp linux securite

Objectives

  • Deliver secured resources access to a Linux server through SFTP.

  • SFTP accounts will only have access to allowed resource.

  • An administrator account will be able to manage user accounts.

Target User mode diagram

blockdiagblockdiag { default_shape = roundedbox; // Set labels to nodes. A1 [shape = actor,label = "USER1", numbered = 1]; B [label = "SSHD", numbered = 2]; C [label = "SSHD_CONFIG", numbered = 3]; D [label = "/data/sftp_group_1/USER1" , numbered = 4]; E [label = "UMASK 0007" , numbered = 5]; F [label = "Default Folder /upload under chroot", numbered = 6]; // Set labels to edges. (short text only) A1 -> B [label = "SFTP"]; B <- C [label = "read"]; B -> D [label = "chroot"]; B -> E [label = "set"]; B -> F [label = "move"]; group { label = "SSHD Match Group"; orientation = portrait D -> E -> F; } }USER11SSHD2SSHD_CONFIG3/data/sftp_group_1/USER14UMASK 00075Default Folder /upload under chroot6SFTPreadchrootsetmoveSSHD Match Group

Target Admin mode diagram

blockdiagblockdiag { default_shape = roundedbox; // Set labels to nodes. A1 [shape = actor,label = "USER1", numbered = 1]; A2 [shape = actor,label = "USER2", numbered = 1]; B [label = "SSHD", numbered = 2]; C [label = "SSHD_CONFIG", numbered = 3]; D [label = "/data/sftp_group_1/%u" , numbered = 4]; E [label = "UMASK 0007" , numbered = 5]; F [label = "Default Folder /upload under chroot", numbered = 6]; // Set labels to edges. (short text only) A1 -> B [label = "SFTP"]; A2 -> B [label = "SFTP"]; B <- C [label = "read"]; B -> D [label = "chroot"]; B -> E [label = "set"]; B -> F [label = "move"]; group { label = "SSHD Match Group"; orientation = portrait D -> E -> F; } }USER11USER21SSHD2SSHD_CONFIG3/data/sftp_group_1/%u4UMASK 00075Default Folder /upload under chroot6SFTPSFTPreadchrootsetmoveSSHD Match Group

Controls

SFTP activation in SSHD control

[root@server /]# cat /etc/ssh/sshd_config
....
# override default of no subsystems
Subsystem      sftp    /usr/libexec/openssh/sftp-server

Directory tree creation

mkdir -p /directory
chmod 700 /directory

Example:

[root@server /]# mkdir -p /data/sftp_group_1
[root@server /]# chmod 700 /data

SFTP user and group creation

groupadd sftp_group_1 // (1)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER1 // (2)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER2 // (3)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER3 // (4)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER4 // (5)

  1. User created group name ownership.

  2. -g : Ownership group for user USER1 / -d Profil path / -s connxion shell ⇒ none

  3. -g : Ownership group for user USER2 / -d Profil path / -s connxion shell ⇒ none

  4. -g : Ownership group for user USER3 / -d Profil path / -s connxion shell ⇒ none

  5. -g : Ownership group for user USER4 / -d Profil path / -s connxion shell ⇒ none

Created user password setup

passwd USER1
passwd USER2
passwd USER3
passwd USER4

SFTP user config file check-up

cat /etc/passwd
....
USER1:x:1002:1002::/:/sbin/nologin
USER2:x:1003:1002::/:/sbin/nologin
USER3:x:1004:1002::/:/sbin/nologin
USER4:x:1005:1002::/:/sbin/nologin

User defauklt directory tree creation

mkdir -p /data/sftp_group_1/USER2/upload // (1)
chown -R root:root /data/sftp_group_1/USER2 // (2)
chown -R USER2:sftp_users /data/sftp_group_1/USER2/upload // (3)
chmod 770 /data/sftp_group_1/USER2/upload // (4)

mkdir -p /data/sftp_group_1/USER1/upload // (1)
chown -R root:root /data/sftp_group_1/USER1 // (2)
chown -R USER1:sftp_users /data/sftp_group_1/USER1/upload // (3)
chmod 770 /data/sftp_group_1/USER1/upload // (4)

mkdir -p /data/sftp_group_1/USER3/upload // (1)
chown -R root:root /data/sftp_group_1/USER3 // (2)
chown -R USER3:sftp_users /data/sftp_group_1/USER3/upload // (3)
chmod 770 /data/sftp_group_1/USER3/upload // (4)

mkdir -p /data/sftp_group_1/USER4/upload // (1)
chown -R root:root /data/sftp_group_1/USER4 // (2)
chown -R USER4:sftp_users /data/sftp_group_1/USER4/upload // (3)
chmod 770 /data/sftp_group_1/USER4/upload // (4)

  1. User home directory creation, accessibilty R/W.

  2. Rights setup to root:root on chrooted user root folder.

  3. Rights setup to $COMPTE$:sftp_users on chrooted user folder.

  4. Affectation des droits au répertoire à l’utilisateur et au groupe d’appartenance dans lequel l’utilisateur associé à la société pourra lire et écrire.

SFTP Admin account setup

[root@server sftp]# useradd -g sftp_users -d / -s /sbin/nologin SFTP_ADM // (1)
[root@server sftp]# cat /etc/passwd
...
SFTP_ADM:x:1006:1002::/:/sbin/nologin

  1. -g : Groupe d’appartenance du compte SFTP_ADM / -d Chemin du profil / -s shell de connxion ⇒ aucun

SSHD setup

[root@server sftp]# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.sav
[root@server sftp]# vi /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server // (1)
## Add umask to U+G none to Others
Subsystem sftp internal-sftp -u 0007 // (2)
IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
PubkeyAuthentication yes
#RSAAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

# A placer avant le test sur le groupe si le user appartient au groupe sftp_users
# SSHD lit la config dans l'ordre d apparition....
Match User SFTP_ADM // (3)
ChrootDirectory /data/sftp_group_1 // (4)
## Add umask to U+G none to Others
ForceCommand internal-sftp -u 0007 // (5)

Match Group sftp_users // (6)
ChrootDirectory /data/sftp/%u // (7)
## Add umask to U+G none to Others
ForceCommand internal-sftp -u 0007 -d /upload // (8)

  1. Désactivation server SFTP par défaut

  2. Activation serveur SFTP intégré à sshd

  3. Bloc concernant le compte SFTP_ADM

  4. Chroot du compte SFTP_ADM vers /data/sftp_group_1

  5. Obligation du SFTP uniquement et changement du UMASK vers 0007 (correspond Ă  770)

  6. Bloc concernant les membres du groupe sftp_users

  7. Chroot des membres du groupe sftp_users vers /data/sftp/%u (%u est une variable pour le nom d’utilisateur)

  8. Obligation du SFTP uniquement et changement du UMASK vers 0007 (correspond à 770) et déplacement automatique dans le répertoire upload

SSHD restart and controls

systemctl restart sshd
systemctl status sshd

Author:

Vincent Gourrierec