Ssh – SFTP via port 22 or vsftp over port 20 / 21 – Best way to secure FTP access to a server

chrootsftpssh

I've read many articles and questions on SF about this, and still can't figure out if the way I'm doing it is (a) possible, and (b) secure.

The server is running on AWS EC2, and all access is via SSH keys. I also only open port 22 to my own IP, but it seems if I want to allow others to access via SFTP, I'll need to open port 22 to the world (or spend my days managing firewall rules for dynamic IP addresses). Is this really better than, say, vsftp on port 21?

Assuming for the moment SFTP on port 22 is best, this is what I've done:

Created an 'ftp' user with a public / private key
Set up /home/ftp/.ssh/authorized_keys and tested SSH access
Added a ChrootDirectory entry in /etc/ssh/sshd_config pointing to /var/www/html
Adjusted the permissions from /var/www downwards so the chroot 'works'

Now, I'm stuck in a seeming catch 22, which is, I suspect (hope), just misconfiguration. Without the chroot block in sshd_config, I can connect either via Putty or an SFTP client, and all is well – apart from having access to the whole file system. With the chroot block in place, I was hitting the Could not chdir to home directory /home/ftp error during authentication, as now the /home/ftp/.ssh folder is unreachable and so the keys don't work. This old question / answer suggests putting a .ssh folder inside the /var/www/html/ folder, but that seems very odd to me – is that really OK to do, given that it's accessible by the web server?

Is there a more 'correct' way to have a user connect via SSH key and then be restricted to only /var/www/html?

Best Answer

In your OpenSSH configuration you can put some configuration in match blocks. This lets you set different configuration for different users/groups/networks.

So you could put all your sftp users into a group sftpd and then add a block like this. This forced chroot and forced sftp would only apply to that group. Your main account would then be able to use a shell as normal.

Match Group sftp
    ChrootDirectory /var/www/
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

.ssh folder inside the /var/www/html/ folder, but that seems very odd to me - is that really OK to do

It isn't the worst thing. One would hope that those users aren't making outbound connections, so there will be no keypairs, and no known_hosts in that folder, leaving only the authorized_keys file. Which only has public keys in it. Public keys are public, sharing them shouldn't be particularly dangerous. Though it wouldn't be a bad idea to set the chroot directory for the sftp accounts at least one directory from the web root so that the .ssh isn't served publicly and outside the web root. If your chroot was to /var/www and you set your root for the web server at /var/www/html that would seem to satisfy your concern.

Related Solutions

Amazon EC2 CentOS – How to Add User with SFTP/FTP Access to /var/www/html/website_abc

By default services that provide a remote shell, like ssh or telnet, or an interactive remote session for commands like sftp, allow a local user to change into any directory they have permissions for, and retrieve a copy of any file they have access to.

As a general security configuration this is unfortunate because there are many files and directories which are world-readable of necessity. For example here is me a non-root user on some remote CentOS box;

$ cd /etc
-bash-3.2$ ls -1
acpi
adjtime
aliases
...

e.g. I can access lots of stuff, that ideally you would want to restrict from some unknown user who you wish to provide local access to.

Here is me looking at all the local users configured in the /etc/passwd file;

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...

Unix systems provide the chroot command which allows you to reset the / of the user to some directory in the filesystem hierarchy, where they cannot access "higher-up" files and directories.

However in your case, it would appropriate to provide a virtual chroot implemented by the remote shell service. sftp can be easily configured to restrict a local user to a specific subset of the filesystem using a configuration in the

hence in your case, you want to chroot the adeveloper user into the /var/www/html/website_abc directory.

You can set a chroot directory for your user to confine them to the subdirectory /var/www/html/website_abc like so in /etc/ssh/sshd_config;

This stuff requires openssh-server later than 4.8?, so probably requires CentOS 6.2

Match Group sftp
    ChrootDirectory %h
    AllowTcpForwarding no

(not tested, see man sshd_config to confirm syntax)

and then add those users to the sftp group;

 groupadd sftp
 usermod -d /var/www/html/website_abc adeveloper
 usermod -G sftp adeveloper

Regarding shared keys

you should create an additional keypair for the adeveloper users, and send that to your consultant. (or alternatively, have them send your their public key and add it to the authorized_keys file for adeveloper)

never give up your private key, thats why its called private ;-)

traditional ftp alternatives

vsftp/proftp etc also support chroot configurations, but in this modern day ssh based configurations are the normal way, and support for ftp is historical only.

there are a couple of links to tutorials here;
http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny

Ubuntu – Is it possible to allow key based authentication for sshd_config chroot sftp users

Put your keys outside chroot (they are used before chroot any way). For example put your keys in /etc/ssh-pool/user.pub and change you config:

AuthorizedKeysFile /etc/ssh-pool/%u.pub

Best Answer

Related Solutions

Amazon EC2 CentOS – How to Add User with SFTP/FTP Access to /var/www/html/website_abc

Ubuntu – Is it possible to allow key based authentication for sshd_config chroot sftp users

Related Topic