Juan Manuel Ordonez, 123RF.com
Creating an SFTP jail
User Security
As gatekeepers of the data center, Unix administrators sometimes receive a request to create a Secure File Transfer Protocol (SFTP) account that only allows the user to view files within a specific directory. SFTP is preferred over standard FTP in most customer-facing environments because neither the username and password nor the data in transit are transmitted in cleartext. Standard FTP has provisions within the .ftpaccess file to create a more restrictive user environment. However, with SFTP out of the box, users may change directories (cd) and view (ls) whatever they choose on the server, even /.
Danger
Restricting users to a specific home directory, so they cannot operate outside of it, requires the creation of a chrooted, or "jailed," directory.
"Chroot" is the term for this type of restricted directory. With chroot, users are unable to move outside their "cell" and can only view their surroundings. Just think of how you feel in a cubicle. On Linux, this setup is fairly straightforward. However, for those of us who are tethered to a Solaris environment, this task requires some configuration gymnastics to actually get it done. Like any good Unix disciple, I trolled the Internet for weeks before I found enough bits and pieces to consolidate the fragmented virtual Google filesystem of information into a more contiguous aggregated cookbook method.
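A jail only holds if the user cannot rearrange the directories that form it. The following script is an added example, not code from this article or its Solaris procedure: it assumes OpenSSH's ChrootDirectory rule (every path component owned by root and not writable by group or others) and audits a candidate jail path against it. The names check_chroot_path and JAIL_OWNER are invented for the example.

```shell
#!/bin/sh
# Added example, not from the article. Audits a candidate SFTP jail against
# the rule OpenSSH applies to ChrootDirectory: each directory from the top of
# the path down to the jail must be owned by root and must not be writable
# by group or others. check_chroot_path and JAIL_OWNER are invented names.

JAIL_OWNER="${JAIL_OWNER:-root}"   # assumption: override only for dry runs

# usage: check_chroot_path JAIL [TOP]
# Prints each offending directory; returns 0 if clean, 1 if not, 2 on misuse.
# TOP (default /) is where the upward walk stops; sshd itself walks to /.
check_chroot_path() {
    jail=$1
    top=${2:-/}
    rc=0
    if [ ! -d "$jail" ] || [ ! -d "$top" ]; then
        echo "not a directory: $jail or $top" >&2
        return 2
    fi
    # Resolve symlinks so the real path components are audited.
    dir=$(cd "$jail" && pwd -P) || return 2
    top=$(cd "$top" && pwd -P) || return 2
    while :; do
        # -prune makes find test only the directory itself.
        if [ -z "$(find "$dir" -prune -user "$JAIL_OWNER")" ]; then
            echo "not owned by $JAIL_OWNER: $dir"
            rc=1
        fi
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "writable by group or others: $dir"
            rc=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}
```

Run it as `check_chroot_path /path/to/jail` before pointing the SSH daemon at the directory; any line it prints names a directory whose owner or mode would let someone other than root alter the jail.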
Set Your Environment
Before you proceed, the most important step is to ensure your environment variables are set. For newbies, environment variables tell the current shell where to find everything. I prefer to set mine in .bash_profile in my $HOME directory; thus, with each new

