en🇬🇧 fr🇫🇷

Translation available:

fr Paramétrage SFTP sécurisé complet /

Informations sur la page:

Cet article contient 916 mots.
5 minutes read time

Secured SFTP setup

May 11, 2020
sftp linux securite

Objectives

  • Deliver secured resources access to a Linux server through SFTP.

  • SFTP accounts will only have access to allowed resource.

  • An administrator account will be able to manage user accounts.

Target User mode diagram

Failed to generate image: blockdiag failed: ERROR: 'ImageDraw' object has no attribute 'textsize'

blockdiag {
  default_shape = roundedbox;

   // Set labels to nodes.
   A1 [shape = actor,label = "USER1", numbered = 1];
   B [label = "SSHD", numbered = 2];
   C [label = "SSHD_CONFIG", numbered = 3];
   D [label = "/data/sftp_group_1/USER1" , numbered = 4];
   E [label = "UMASK 0007" , numbered = 5];
   F [label = "Default Folder /upload under chroot", numbered = 6];

   // Set labels to edges. (short text only)
   A1 -> B [label = "SFTP"];
   B <- C [label = "read"];
   B -> D [label = "chroot"];
   B -> E [label = "set"];
   B -> F [label = "move"];
   group {
     label = "SSHD Match Group";
     orientation = portrait
     D -> E -> F;
    }
}

Target Admin mode diagram

Failed to generate image: blockdiag failed: ERROR: 'ImageDraw' object has no attribute 'textsize'

blockdiag {
  default_shape = roundedbox;

   // Set labels to nodes.
   A1 [shape = actor,label = "USER1", numbered = 1];
   A2 [shape = actor,label = "USER2", numbered = 1];
   B [label = "SSHD", numbered = 2];
   C [label = "SSHD_CONFIG", numbered = 3];
   D [label = "/data/sftp_group_1/%u" , numbered = 4];
   E [label = "UMASK 0007" , numbered = 5];
   F [label = "Default Folder /upload under chroot", numbered = 6];

   // Set labels to edges. (short text only)
   A1 -> B [label = "SFTP"];
   A2 -> B [label = "SFTP"];
   B <- C [label = "read"];
   B -> D [label = "chroot"];
   B -> E [label = "set"];
   B -> F [label = "move"];
   group {
     label = "SSHD Match Group";
     orientation = portrait
     D -> E -> F;
    }
}

Controls

SFTP activation in SSHD control

[root@server /]# cat /etc/ssh/sshd_config
....
# override default of no subsystems
Subsystem      sftp    /usr/libexec/openssh/sftp-server

Directory tree creation

mkdir -p /directory
chmod 700 /directory

Example:

[root@server /]# mkdir -p /data/sftp_group_1
[root@server /]# chmod 700 /data

SFTP user and group creation

groupadd sftp_group_1 // (1)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER1 // (2)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER2 // (3)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER3 // (4)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER4 // (5)
  1. User created group name ownership.

  2. -g : Ownership group for user USER1 / -d Profil path / -s connxion shell ⇒ none

  3. -g : Ownership group for user USER2 / -d Profil path / -s connxion shell ⇒ none

  4. -g : Ownership group for user USER3 / -d Profil path / -s connxion shell ⇒ none

  5. -g : Ownership group for user USER4 / -d Profil path / -s connxion shell ⇒ none

Created user password setup

passwd USER1
passwd USER2
passwd USER3
passwd USER4

SFTP user config file check-up

cat /etc/passwd
....
USER1:x:1002:1002::/:/sbin/nologin
USER2:x:1003:1002::/:/sbin/nologin
USER3:x:1004:1002::/:/sbin/nologin
USER4:x:1005:1002::/:/sbin/nologin

User defauklt directory tree creation

mkdir -p /data/sftp_group_1/USER2/upload // (1)
chown -R root:root /data/sftp_group_1/USER2 // (2)
chown -R USER2:sftp_users /data/sftp_group_1/USER2/upload // (3)
chmod 770 /data/sftp_group_1/USER2/upload // (4)

mkdir -p /data/sftp_group_1/USER1/upload // (1)
chown -R root:root /data/sftp_group_1/USER1 // (2)
chown -R USER1:sftp_users /data/sftp_group_1/USER1/upload // (3)
chmod 770 /data/sftp_group_1/USER1/upload // (4)

mkdir -p /data/sftp_group_1/USER3/upload // (1)
chown -R root:root /data/sftp_group_1/USER3 // (2)
chown -R USER3:sftp_users /data/sftp_group_1/USER3/upload // (3)
chmod 770 /data/sftp_group_1/USER3/upload // (4)

mkdir -p /data/sftp_group_1/USER4/upload // (1)
chown -R root:root /data/sftp_group_1/USER4 // (2)
chown -R USER4:sftp_users /data/sftp_group_1/USER4/upload // (3)
chmod 770 /data/sftp_group_1/USER4/upload // (4)
  1. User home directory creation, accessibilty R/W.

  2. Rights setup to root:root on chrooted user root folder.

  3. Rights setup to $COMPTE$:sftp_users on chrooted user folder.

  4. Affectation des droits au répertoire à l’utilisateur et au groupe d’appartenance dans lequel l’utilisateur associé à la société pourra lire et écrire.

SFTP Admin account setup

[root@server sftp]# useradd -g sftp_users -d / -s /sbin/nologin SFTP_ADM // (1)
[root@server sftp]# cat /etc/passwd
...
SFTP_ADM:x:1006:1002::/:/sbin/nologin
  1. -g : Groupe d’appartenance du compte SFTP_ADM / -d Chemin du profil / -s shell de connxion ⇒ aucun

SSHD setup

[root@server sftp]# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.sav
[root@server sftp]# vi /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server // (1)
## Add umask to U+G none to Others
Subsystem sftp internal-sftp -u 0007 // (2)
IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
PubkeyAuthentication yes
#RSAAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

# A placer avant le test sur le groupe si le user appartient au groupe sftp_users
# SSHD lit la config dans l'ordre d apparition....
Match User SFTP_ADM // (3)
ChrootDirectory /data/sftp_group_1 // (4)
## Add umask to U+G none to Others
ForceCommand internal-sftp -u 0007 // (5)

Match Group sftp_users // (6)
ChrootDirectory /data/sftp/%u // (7)
## Add umask to U+G none to Others
ForceCommand internal-sftp -u 0007 -d /upload // (8)
  1. Désactivation server SFTP par défaut

  2. Activation serveur SFTP intégré à sshd

  3. Bloc concernant le compte SFTP_ADM

  4. Chroot du compte SFTP_ADM vers /data/sftp_group_1

  5. Obligation du SFTP uniquement et changement du UMASK vers 0007 (correspond Ă  770)

  6. Bloc concernant les membres du groupe sftp_users

  7. Chroot des membres du groupe sftp_users vers /data/sftp/%u (%u est une variable pour le nom d’utilisateur)

  8. Obligation du SFTP uniquement et changement du UMASK vers 0007 (correspond à 770) et déplacement automatique dans le répertoire upload

SSHD restart and controls

systemctl restart sshd
systemctl status sshd
Vincent Gourrierec