Restrict Linux User to SCP to his home directory

You want to give access to your server, but you want to restrict access to SCP/SFTP, and to the user’s home directory. Here is how I configured an account restricted to SCP/SFTP only using jailkit on CentOS.

Warning: The procedure described in this article should work with most other Linux distributions as well. Keep in mind that the path to the executables may be different on other Linux distributions.

The different solutions

I have tried a couple of ways to limit a user, and it can involve a lot of manual work. For example, rssh seems to be a solid way to jail a user to SCP/SFTP, but it does not support the creation of a chroot environment; you have to create this entirely by yourself. Jailkit, on the other hand, provides you with a complete set of tools to create the chroot for you as well as providing other tools to easily move a user into the jailed environment.

Preparation

Before we dig into the setup and configuration of jailkit, we need to decide what we want to allow the user to do and where he should have access. In my case I have a “user1” that I want to restrict to uploading and downloading files only from his home directory, so I want to limit this user to SCP/SFTP, and I want to build the chroot jail in /home/chroot_scp/.

First we need to create the jail directory. The permissions on the jail directory are very important. The jail directory needs to be owned by user and group root, but everybody needs the permission to open this directory (the execute flag for “other”). To set the owner and these permissions, run the following commands as root.

mkdir /home/chroot_scp
chown root:root /home/chroot_scp
chmod 701 /home/chroot_scp

And of course we need to create the user we want to jail if we don’t already have the user created. My ssh setup only allows ssh login from users from a specific group, so I added this group with the “-G additional_group” parameter in the following command. We don’t care at this step about the login shell or the location of the home directory as we will change it later anyway.

useradd -g users -G additional_group user1

Create chroot jail

Creating the chroot jail directory could not be easier. Jailkit provides a set of commands to easily set up the chroot environment without all the manual work. To install jailkit on CentOS run the following command:

sudo yum install jailkit

We create the chroot environment with “jk_init” and provide all the allowed commands (scp, sftp). Additionally jailkit comes with a login shell for the restrictions (jk_lsh). As we want to use this, we have to specify it in the creation command as well. The second command (“jk_jailuser”) will jail the user and move (the -m parameter) the user’s home directory into the chroot environment as well. To do so, run the following commands as root:

jk_init -j /home/chroot_scp scp sftp jk_lsh
jk_jailuser -m -j /home/chroot_scp user1

The second command will configure the user’s home directory into the chroot jail as well as changing the login shell. Now we need to configure the shell itself. The shell’s configuration file can be found inside the chroot directory under “etc/jailkit/jk_lsh.ini”. Open it with your favorite text editor:

vim /home/chroot_scp/etc/jailkit/jk_lsh.ini

Add these lines to the end of the configuration file. These allow “user1” to use the scp and sftp commands. Make sure that the paths to the executables are correct. If they are wrong, the login might fail.

[user1]
paths= /usr/bin, /usr/lib/ 
executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server

As the last step, we need to create a password for “user1” as this was not done during the creation of the user. To do this run the following command:

passwd user1

Now you have a user account enabled to connect via SCP/SFTP without accessing the whole server.
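The two things this setup depends on, the ownership and permissions of the jail root and the executable paths listed in jk_lsh.ini, can be checked with a short script. This is an added example, not part of the original post or of jailkit; the function names are hypothetical, and the sample jail is constructed in a temporary directory so the script runs without touching a real jail.

```shell
#!/bin/sh
# Added example: post-setup checks for a jailkit SCP/SFTP jail.

# Print each path on the "executables=" line of the [user] section of jk_lsh.ini.
jk_lsh_executables() (
    awk -v sec="[$2]" '
        { sub(/[ \t\r]+$/, "") }                  # ignore trailing whitespace
        /^\[/ { in_sec = ($0 == sec); next }      # track the current section
        in_sec && /^executables[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            n = split($0, p, ",")
            for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
        }' "$1"
)

# Print every listed executable that is absent or not executable inside the jail.
jail_missing_executables() (
    jail=$1
    jk_lsh_executables "$jail/etc/jailkit/jk_lsh.ini" "$2" |
    while IFS= read -r exe; do
        [ -x "$jail$exe" ] || printf '%s\n' "$exe"
    done
)

# Succeed only if the jail root is a directory owned by the expected uid
# (default 0, root) and is not writable by group or other.
jail_root_ok() (
    want_uid=${2:-0}; set -f
    set -- $(ls -ldn "$1" 2>/dev/null)    # $1 = mode string, $3 = numeric owner
    case $1 in d????-??-*) ;; *) exit 1 ;; esac
    [ "$3" = "$want_uid" ]
)

# Constructed sample: a throwaway jail holding the [user1] section shown above,
# in which sftp-server was deliberately not copied.
make_sample_jail() (
    j=$(mktemp -d) && mkdir -p "$j/etc/jailkit" "$j/usr/bin" || exit 1
    printf '%s\n' '[user1]' 'paths= /usr/bin, /usr/lib/ ' \
        'executables= /usr/bin/scp, /usr/libexec/openssh/sftp-server' \
        > "$j/etc/jailkit/jk_lsh.ini"
    : > "$j/usr/bin/scp" && chmod 755 "$j/usr/bin/scp" && chmod 701 "$j"
    printf '%s\n' "$j"
)

jail=$(make_sample_jail)
echo "missing in jail: $(jail_missing_executables "$jail" user1)"
jail_root_ok "$jail" "$(id -u)" && echo "jail root permissions ok"
rm -rf "$jail"
```

On the real jail, run as root: `jail_root_ok /home/chroot_scp` and `jail_missing_executables /home/chroot_scp user1`; the second should print nothing.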

Test the configuration

To test your configuration we will connect using SFTP and upload a file. Then we will connect using SCP to download this file. For this test I assume that we have a file to upload ready. I call it “test.txt”.

sftp user1@server.example.com

After we have connected we can check the current directory using the “pwd” command, which should show us “/home/user1”. Now we can upload the “test.txt” file with the following command:

sftp> put test.txt

Now type “exit” to quit the SFTP connection. To download the file we will use SCP with the following command.

scp user1@server.example.com:/home/user1/test.txt test_in.txt

This should download the “test.txt” with the new name “test_in.txt” (so we don’t overwrite the original file).

Debugging

If you run into problems you will need to consult the log file. The log file containing relevant information about jailkit is /var/log/messages. As far as I can tell, the error messages in the log file tend to point precisely to the problem.


Read more of my posts on my blog at http://blog.tinned-software.net/.
