Lock down SFTP without restricting SSH on Ubuntu 8.10 (Intrepid Ibex)

If you’re running a Linux, Mac OS X or Unix server of any description, SSH is an invaluable tool when it comes to taking control of the machine while you’re not in front of it.

In the world of web hosting, it also brings with it SFTP, a fantastic alternative to the very insecure FTP. Except it has one major flaw: by default on Ubuntu (and most Linux distros), one user can see all of another user’s files just by moving up a directory to /home. Not exactly ideal if you’re providing a shared-hosting service.

So what we want is a chrooted version of SFTP. But this would chroot SSH too, making it unusable for system administration. So we need to lock down SFTP only, but let SSH run free. We also want to be able to make some users SFTP-only (web hosting customers), and some users SFTP and SSH capable.

Luckily, someone known as “The Minstrel” came up with a pretty good solution to this. Back in November 2007, Mads Madsen also created a guide to this process for Debian/Ubuntu 7.04. This has been my favourite solution for some time now. The OpenSSH project has since created a version of this idea internally, but annoyingly it’s got a major flaw: wherever you want to chroot the users to must be owned by root. In other words, users will not be able to create any files in the top level of their chroot jail.

Imagine that you have your users’ data stored in /home/username. You can’t chroot them to /home/username unless you create a directory inside there, and then let them own that. That gives them an ugly chrooted writable path like /htdocs (or whatever you choose to call it), and a / folder they can’t edit. The other option is to chroot them to /home, and let them own their homedir as normal, but then they can see every other user’s files. Again, not ideal.

So I stuck with The Minstrel’s version, but got tired of having to recompile and rebuild all this every time I wanted it on a new machine. Some people would have probably avoided this (actually quite good) solution altogether because it’s a bit too in-depth. Well, it just got a bunch easier, because I created all the bits needed and am publishing them here for you to use.

Disclaimer: I make no promises that this won’t electrocute your cat, sleep with your girlfriend, make fun of your children, etc. In fact I make no promises about this at all. That said, for me, this has worked very well several times since Ubuntu 8.10’s release, on a whole variety of machines, and I’ve had no problems with it.

So from your Ubuntu machine, fire up a terminal (or SSH in, if you’re not sat in front of it) and paste this in:

wget http://unadopted.co.uk/openssh/openssh-server_5.1p1-3ubuntu1_i386.deb
sudo dpkg -i openssh-server_5.1p1-3ubuntu1_i386.deb
sudo aptitude hold openssh-server

This will download the modified package, install it, and tell Ubuntu not to replace it with any of Ubuntu’s newer versions. Now bear in mind that you won’t get automatic security updates on OpenSSH anymore — you’ll need a new version of this package when OpenSSH 5.2 comes out, but when that happens, it’ll be a pretty simple copy/paste job to upgrade, just like this one was. The Minstrel notes that it’s worth signing up to the openssh-unix-announce mailing list to find out when this is necessary.

Now if this is the first time you’re doing this we need to do a couple extra steps (though you won’t need to do this if you’re just updating):

wget http://unadopted.co.uk/openssh/sftpsh
sudo cp sftpsh /bin/sftpsh
sudo chown root:root /bin/sftpsh
sudo chmod 755 /bin/sftpsh
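# The >> redirect is performed by your own shell, not by sudo, so append via tee running as root
echo "/bin/sftpsh" | sudo tee -a /etc/shells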

This will download and install a special shell which you’ll need to set up as the login shell for the user accounts for whoever you want to lock down. This will kick them straight out if they try and SSH in, but will still let SFTP work. We also need to tell the system which directory to lock them into by adding a special tag into their home folder definition. Which all sounds a bit more complicated than it really is (it’s just one line to copy and paste).

So, let’s say our web user is called “mywebsite-sftp”. We’d just do this, if we wanted to lock them to their home directory:

sudo usermod -s /bin/sftpsh -d /home/mywebsite-sftp/./ mywebsite-sftp

Simple, right? The Minstrel has built up a pretty good set of FAQs in case you run into any problems.
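A check for the steps above, as an added example that is not part of the original post or of The Minstrel's patch: it audits one account's login shell, the /etc/shells entry, the /./ token in the home field, and the setuid bit on sftp-server that the comments further down report as required. The function name audit_sftp_user is hypothetical, and it assumes the part of the home field before /./ is the jail root.

```shell
#!/bin/sh
# Added example (not from the original post): audit one account against the
# lock-down steps above. File arguments default to the paths used on this page.
# Usage: audit_sftp_user USER [PASSWD_FILE] [SHELLS_FILE] [SFTP_SERVER]
# Prints one line per problem; returns 0 only when nothing is wrong.
audit_sftp_user() {
    user=$1
    passwd=${2:-/etc/passwd}
    shells=${3:-/etc/shells}
    server=${4:-/usr/lib/openssh/sftp-server}
    problems=0

    # passwd(5) layout: name:password:uid:gid:gecos:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7 }' "$passwd")
    if [ -z "$entry" ]; then
        echo "$user: no entry in $passwd"
        return 2
    fi
    home=${entry%:*}
    shell=${entry##*:}

    # Without sftpsh as login shell the account gets an ordinary SSH session.
    if [ "$shell" != /bin/sftpsh ]; then
        echo "$user: login shell is $shell, not /bin/sftpsh"
        problems=$((problems + 1))
    fi
    # sftpsh has to be listed as a valid shell (whole-line match).
    if ! grep -qxF /bin/sftpsh "$shells"; then
        echo "/bin/sftpsh is not listed in $shells"
        problems=$((problems + 1))
    fi
    # Assumption: the part of the home field before "/./" is the jail root.
    case $home in
        /?*/./*) ;;
        *)  echo "$user: home '$home' has no usable /./ token, no chroot"
            problems=$((problems + 1)) ;;
    esac
    # The comments below report the chroot only works with sftp-server setuid.
    if [ ! -u "$server" ]; then
        echo "$server is not setuid"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Run against the live system when invoked with a user name.
if [ $# -gt 0 ]; then audit_sftp_user "$@"; fi
```

Run it once per hosting account after usermod; an account that reports a missing /./ token can still browse the whole filesystem over SFTP.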

If you ever change your mind, and want to go back to Ubuntu’s default OpenSSH server and undo all these changes, that’s dead simple too, just copy and paste this in (go-go-gadget uninstaller!):

sudo rm /bin/sftpsh
sudo aptitude remove openssh-server
sudo aptitude install openssh-server 

Warning: If you’re SSH’d in, don’t disconnect between the two aptitude commands, or you won’t have an SSH server to reconnect to (but it will stay alive until you disconnect). Also remember that the sftpsh shell won’t exist anymore after this, so you’ll need to change any users back to a different shell using usermod.

Okay, so that’s that over with. Tell your friends, post it on Facebook, link to this in forum posts, Digg it, link to this from the Ubuntu Wiki, do whatever you feel you must do to share this with the world. :)

23 thoughts on “Lock down SFTP without restricting SSH on Ubuntu 8.10 (Intrepid Ibex)”

  1. Your solution is as cookie cutter as it gets.. My problem however is that I am running sever Ubuntu 8.04 LTS servers and with the advent of 9.04, it is crazy to build a new server on 8.10. Do you have a solution to make this available for either 9.04 or 8.04LTS?

  2. Hi Corey,

    I’ve not yet built a version for 9.04 or 8.04, but I’m working on packaging this up and uploading this to a Launchpad PPA. Once I’ve done that, it should be trivial for me to keep this updated for any future release, and also for older releases, too.

    Keep nagging me so I don’t forget! :)

  3. Ok, so I created a stock install of 8.10. Followed your directions precisely. The only line that didn’t work is the:
    sudo usermod -s /bin/sftpsh -d /home/mywebsite-sftp/./ mywebsite-sftp

    I believe the problem was related to the “./” command. When I removed that portion, it obviously worked. If I’m not correct, I believe that is the command you were using to make /home/mywebsite-sftp the root dir for user mywebsite-sftp. Unfortunately, the “./” command is not accepted within that command.

    Locking the user to their respective /home/user directory is precisely the problem that I have been having which brought me to your howto.

    Do you possibly have a solution to the ./ problem?

    Thanks

    Corey

    ps… what do you spin as a DJ? House, progressive, hip-hop, etc…

  4. You were correct. I was putting a space there. I omitted the space, and now the command goes through without error. But now when I attempt to login to sftp (even through a normal bash shell) I get connection errors.

    esolving 192.168.2.164…
    192.168.2.164 connecting…
    SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
    client -> any
    server -> any
    1a:f4:fb:b0:78:9d:db:7d:06:0c:b5:e2:c8:4b:6d:52
    ssh-rsa
    Sending password
    SFTP connection error

    Any ideas?

    Corey

  5. I just wanted to say that I appreciate you trying to work with me on this issue Aaron. You are a representative of the spirit of Linux.

    Thanks,

    Corey

    btw… your podcasts kick! I d/l’d them all… Had to!

    The desktop support tech that works with me…. he moonlights as a DJ in downtown Chicago. I have a feeling the two of you would get along great…

  6. Corey, from a bash shell on the same machine as the SFTP server, run sftp -v yourusername@localhost.

    It should come up with some detailed information. Pop over to http://pastie.org/ and paste it in, commenting back here with the link, and I’ll try and figure out what’s going on.

    Perhaps sftpsh isn’t set up right — is it listed in your /etc/shells file and executable?

    Do you have something like DenyHosts installed? Has it banned you?

  7. I created a fresh install of 8.10 server. Selected the lamp package. During the install I created user “corey”. Once the install completed, I created user test with home directory /home/test. Openssh wasn’t installed with the initial OS install. From that point, I followed your directions completely. The only time I deviated was the command:

    sudo echo "/bin/sftpsh" >> /etc/shells

    Initially it errored out with sudo, I did su and ran the command a second time. It worked with su.

    I ran the final line of code, substituting “test” for “mywebsite-sftp”.

    Here is the pastie of the output of sftp command:

    http://pastie.org/490596

    I hope this helps!

    Corey

  8. Ok, so I ran the command:

    usermod -d /home/test test

    to get rid of the ./ and now test can log into the sftp without a problem.
    The only issue now is that the user test isn’t locked into its own directory. Instead, test can browse the / root directory freely.

    I’m trying to get the user locked into their own home directory.

    Corey

    ps, sftpsh is in /etc/shells and it is executable.

  9. I just did this in a virtual machine and something is indeed not right. I’m getting messages in /var/log/syslog about not being able to use libpolkit, but installing the policykit package didn’t fix it.

    There’s a newer OpenSSH out, and a newer Ubuntu out, so I think I’ll rebuild this from scratch on a clean VM so that nothing goes crazy. Bear with me?

  10. Okay. So I rebuilt this on a fresh Jaunty install, and it still didn’t work. Then I realised I missed a line from my instructions — oops. Put the magic ./ token back in your user’s homedir definition, then run this:
    sudo chmod +s /usr/lib/openssh/sftp-server

    The upside of all this is that I now have this going for Jaunty (Ubuntu 9.04). I’ll post a release for that either tonight or tomorrow morning, but in the meantime, this’ll get you going.

  11. I’ll be here. I would like to see this project through. Maybe after you figure it all out, you can build a pretty front end to it….

    There’s a lot of potential there…

  12. Dude… I figured it out! You didn’t set the suid for sftp-server…. Since the patch uses suid to chroot the users, you have to run the following command:

    chmod +s /usr/lib/openssh/sftp-server

    Once you run that command, you can create the root directory for the ftp user with ./ and they will be chrooted correctly!

    This should be placed after the line:

    sudo echo "/bin/sftpsh" >> /etc/shells

    This is awesome, I appreciate your help!!!

  13. Ok… I just realized that you told me to do that command in the post above…. Damn I’m slow! I didn’t refresh before writing the comment….

    ps… I wish I could edit my posts…. I wouldn’t feel as stupid….

  14. Corey: I’ve not written up any documentation yet, but there are now Intrepid and Jaunty builds of this at https://launchpad.net/~aaronr/+archive/ppa — you’ll still need to install sftpsh separately as described above, and chmod +s /usr/lib/openssh/sftp-server but it’s definitely a bit more Ubuntu this way… :)

    I’ll try and get a post with some proper documentation done soon.

  15. I’m trying to figure out a way to get the Sftp to log activity (uploads and downloads)… Have you ever come across a good method?

    I stumbled onto this website: http://sftplogging.sourceforge.net/

    It’s been updated to a newer version, but from this site you will get the idea. It seems there is a patch that must be installed prior to compiling the source.

    What are your thoughts of compiling the logging patch within your patched openssh binary?

    Corey

  16. According to that site, it’s built into the current openssh. I know that logwatch emails me a report of all sftp logins nightly (though I don’t think it’s quite like the logging you’d get with, say, proftpd — it’s just syslog events I think).

    If there’s already a patch written and tested with the current OpenSSH release I’d be happy to review the code and add it, though I can’t commit to coding/testing it myself at the moment. :(

  17. Sure, there is some logging, but it is mainly access logs. There is a patch available that allows fine grained logging of actual file transfers. The patch can be found at: http://sftpfilecontrol.sourceforge.net/

    It was just an idea. Your packages allow sftp to become almost as user friendly as proftpd… Now if you can add the logging patch from that site, sftp would be completely full featured. In my opinion, this is how it should have been coded from the start. As a secure replacement for ftp….

  18. Intriguing. In that case, yeah I’ll probably get that added in. I’ve gotten swamped with another project in the short term, but keep reminding me, and I’ll get it done.

  19. I’m thinking that once you have a chance to get it all together, we could package it as an OVF and submit it to VMware as a full featured drop in SFTP. Call it the “Unadopted Secure FTP server”…..

    I can tell you honestly… I was sure looking for a quick and easy solution a couple of months ago when I started investigating secure file transfer solutions. A readily available prepackaged virtual machine would have solved all my problems.

    You could be a hero to some Geek out there… :)

  20. So A,

    Plenty of time has passed…. Have you given thought to updating this code to a newer version of OpenSSH? Apparently, OpenSSH 5.1 has some pretty decent vulnerabilities….

    If you can find it in your good graces to update the ppa?

    Thanks, Dude.
