Easily configuring a chrooted SFTP server with OpenSSH


Note: While this provides 80% of the functionality necessary to meet the requirements spelled out in the security FAQ, this solution uses integrated user accounts, and not virtual users. If this is a requirement for your customer, you should take advantage of the perfeng_FTPS_solution. However, if you don't need virtual users, then this method can save significant time & energy.

Installation

Prerequisites:

System configuration

Before beginning, be sure to update your target server to the latest patch level via up2date or yum. This guide assumes you are running Red Hat Enterprise Linux, either version 4 or version 5. Users of other Linux-based operating systems can get the gist from here, but the packages supplied will not work for you.

Packages

Installation is done via several RPMs available on the file repository. These are available at ftp://209.34.77.21/rpms. You'll need the latest posted builds of the following packages:
  • openssh
  • openssh-client
  • openssh-server
They are currently maintained for Red Hat 4 & 5, in i386 & x86_64 versions. Be sure to download the version that is correct for your release of Red Hat & architecture.
You will also need the scponly package, available from the public Dag software repository:
Again, be sure to download the version that is correct for your release of Red Hat & architecture.

Package installation

Install scponly.

  • Install scponly with the command sudo rpm -ihv scponly*.rpm.
  • Add scponly to the list of valid shells with the command sudo sh -c 'echo /usr/bin/scponly >> /etc/shells'

Upgrade OpenSSH.

  • Update the existing RPM packages with the command sudo rpm -Uhv openssh*.rpm

Post-install configuration.

Build the SFTP jail.

It is important that the sftp jail not be in /home. Since OpSource uses a small root partition, be cognizant of disk usage. If the customer will be storing a lot of data here, put your jail on a separate partition. However, it is also important to note that root must own the entire folder structure of the jail, and the jail must not be world- or group-writable. This means that /usr/local/customer/jail is likely not going to be acceptable.
For this example, we're going to park the jail at /jail/ on the root partition. Our sftp user in this case is ctestington. We'll create his jail with these commands:
sudo mkdir -p /jail/ctestington
sudo chown root:root /jail

Add the chrooted user group.

To easily control which users are allowed full system access, and which users will be sent to the jail on login, create a new local group called chrooted with the command groupadd chrooted. Make sure to note this group's GID.

Modify the /etc/ssh/sshd_config file.

Edit the /etc/ssh/sshd_config file. Find & comment out the Subsystem line that enables the sftp server, and substitute our own configuration:
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Then, add a configuration that will force users in the chrooted group into their jails on login:
Match Group chrooted
    # chroot users into this directory
    # %u gets substituted with the username
    ChrootDirectory /jail/%u
    X11Forwarding no
    AllowTCPForwarding no
Once this is done, restart the sshd daemon with the sudo /sbin/service sshd restart command.

Create the test user & his upload folder.

User management is handled through the built-in tools. In this case, we're going to add user ctestington, set his home directory, set his group membership, and set his default shell. Once this is done, the user will only be able to connect via sftp or scp, but not ssh. He will not be allowed to see any of the filesystem except for his own jailed directory. We'll create an upload directory for him so he can upload & download files within his jail, because he won't be allowed to create files or folders in his jail root.
sudo adduser -d /jail/ctestington -G chrooted -s /usr/bin/scponly ctestington
sudo mkdir -p /jail/ctestington/upload
sudo chown root:root /jail/ctestington
sudo chown ctestington:ctestington /jail/ctestington/upload
sudo chmod 755 /jail
sudo chmod 755 /jail/ctestington
sudo passwd ctestington
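sshd silently refuses the chroot if any directory on the path to the jail is not root-owned or is group- or world-writable, so it is worth checking the whole path before restarting sshd. The following script is an added check, not part of the original guide; it assumes GNU stat (as on Red Hat) and takes the expected owner uid as an optional second argument so it can be exercised as a non-root user.

```shell
#!/bin/sh
# Verify that every directory from / down to the jail meets sshd's
# ChrootDirectory requirements: owned by root (uid 0) and not
# group- or world-writable. Assumes GNU stat (Linux).

# jail_dir_ok DIR OWNER_UID  -- check one directory component
jail_dir_ok() {
    dir=$1
    want=$2
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    uid=$(stat -c '%u' "$dir")
    if [ "$uid" != "$want" ]; then
        echo "FAIL $dir: owned by uid $uid, expected uid $want"
        return 1
    fi
    # %A yields e.g. drwxr-xr-x; position 6 is group write, 9 is other write
    case "$(stat -c '%A' "$dir")" in
        ?????w*|????????w*)
            echo "FAIL $dir: group- or world-writable"
            return 1 ;;
    esac
    echo "ok   $dir"
    return 0
}

# check_jail_path JAIL [OWNER_UID]  -- walk from JAIL up to / and check
# every component; returns 1 if any component fails.
check_jail_path() {
    jail=$1
    want=${2:-0}        # root unless overridden (e.g. for testing)
    rc=0
    dir=$jail
    while :; do
        jail_dir_ok "$dir" "$want" || rc=1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage on the jail built above:
#   check_jail_path /jail/ctestington
```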

Tips & tricks

Set the default user attributes

If you'd like almost all newly created users to be restricted by default, you can edit the /etc/default/useradd file to change the default home directory, group membership, and shell.

Conclusion

That's it! You should now be able to create local users who are only allowed sftp/scp access to the server, via the integrated user management tools built into the operating system.
