No edit summary |
| Line 3: | Line 3: | ||
The common place for all users' authorized_keys files will be in /usr/share/sshkeys: | The common place for all users' authorized_keys files will be in /usr/share/sshkeys: | ||
mkdir /usr/share/sshkeys | *mkdir /usr/share/sshkeys | ||
Then we change the sshd config to look here for the public keys: | Then we change the sshd config to look here for the public keys: | ||
vi /etc/ssh/sshd_config | *vi /etc/ssh/sshd_config | ||
Find and edit this line (create if doesn't exist): | Find and edit this line (create if doesn't exist): | ||
AuthorizedKeysFile /usr/share/sshkeys/%u | *AuthorizedKeysFile /usr/share/sshkeys/%u | ||
Move all users' authorized_keys here. There is no way around this. And this must be done in the future for each new user who will want to use key authentication: | Move all users' authorized_keys here. There is no way around this. And this must be done in the future for each new user who will want to use key authentication: | ||
mv /home/someuser/.ssh/authorized_keys /usr/share/sshkeys/someuser | *mv /home/someuser/.ssh/authorized_keys /usr/share/sshkeys/someuser | ||
Repeat the above for all users with SSH key-based access, also copy here a public key of our new SFTP user (lets call him sftpuser) | Repeat the above for all users with SSH key-based access, also copy here a public key of our new SFTP user (lets call him sftpuser) | ||
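Review bot: "There is no way around this" in the move-all-authorized_keys step overstates what sshd requires; AuthorizedKeysFile accepts several space-separated paths, so `AuthorizedKeysFile /usr/share/sshkeys/%u .ssh/authorized_keys` keeps existing per-user files working and lets keys be migrated one user at a time instead of all at once before the restart. The hunk also never sets ownership or mode on the new directory; with StrictModes (the default) sshd rejects a key file whose parent directory is group- or world-writable or not owned by root or the login user, so `chown root:root /usr/share/sshkeys` and `chmod 755 /usr/share/sshkeys` belong right after the `mkdir` rather than being left to the umask.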
| Line 21: | Line 21: | ||
Set the permissions (or check them) and create a symlink back to the /home/someuser/.ssh (for all users): | Set the permissions (or check them) and create a symlink back to the /home/someuser/.ssh (for all users): | ||
chown someuser /usr/share/sshkeys/someuser | *chown someuser /usr/share/sshkeys/someuser | ||
chmod 600 /usr/share/sshkeys/someuser | *chmod 600 /usr/share/sshkeys/someuser | ||
ln -s /usr/share/sshkeys/someuser /home/someuser/.ssh/authorized_keys | *ln -s /usr/share/sshkeys/someuser /home/someuser/.ssh/authorized_keys | ||
If you already have the SFTP home folder created, do it for the SFTP user as well, if not, ignore the following 3 lines: | If you already have the SFTP home folder created, do it for the SFTP user as well, if not, ignore the following 3 lines: | ||
chown someuser /usr/share/sshkeys/sftpuser | *chown someuser /usr/share/sshkeys/sftpuser | ||
chmod 600 /usr/share/sshkeys/sftpuser | *chmod 600 /usr/share/sshkeys/sftpuser | ||
ln -s /usr/share/sshkeys/sftpuser /var/www/siterootfolder/sftp(sub)folder/.ssh/authorized_keys | *ln -s /usr/share/sshkeys/sftpuser /var/www/siterootfolder/sftp(sub)folder/.ssh/authorized_keys | ||
Once happy, restart the sshd to apply the changes: | Once happy, restart the sshd to apply the changes: | ||
systemctl restart sshd | *systemctl restart sshd | ||
Then, add the user. He will need to be in the nginx group (usually www-data) and his home folder will be set to the desired site subfolder: | Then, add the user. He will need to be in the nginx group (usually www-data) and his home folder will be set to the desired site subfolder: | ||
useradd -m -d /var/www/siterootfolder/sftp(sub)folder/ -G www-data -s /usr/sbin/nologin sftpuser | *useradd -m -d /var/www/siterootfolder/sftp(sub)folder/ -G www-data -s /usr/sbin/nologin sftpuser | ||
The /usr/bin/nologin shell is there because we don't want the user to be able to log in via SSH | The /usr/bin/nologin shell is there because we don't want the user to be able to log in via SSH | ||
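Review bot: `chown someuser /usr/share/sshkeys/sftpuser` hands the SFTP user's key file to the wrong account; it should read `chown sftpuser /usr/share/sshkeys/sftpuser`, otherwise the StrictModes ownership check rejects the file (owned neither by root nor by the authenticating user) and sftpuser cannot log in at all. Two smaller points: the explanation says `/usr/bin/nologin` while the useradd line uses `/usr/sbin/nologin`; the command is the correct Debian/Ubuntu path, so make the prose match. And put `sshd -t` before `systemctl restart sshd`, since a typo in sshd_config takes the only remote login path down with no way back but the console.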
| Line 47: | Line 47: | ||
The www-data user also needs to be added to the sftpuser's group: | The www-data user also needs to be added to the sftpuser's group: | ||
*usermod -a -G sftpuser www-data | |||
Edit the /etc/ssh/sshd_config file again to add chroot: | Edit the /etc/ssh/sshd_config file again to add chroot: | ||
vi /etc/ssh/sshd_config | *vi /etc/ssh/sshd_config | ||
Add (or uncomment) the sftp paragraph: | Add (or uncomment) the sftp paragraph: | ||
Match User sftpuser | *Match User sftpuser | ||
**ChrootDirectory /var/www/siterootfolder/sftp(sub)folder/ | |||
**X11Forwarding no | |||
**AllowTcpForwarding no | |||
**ForceCommand internal-sftp | |||
This way the user will only have access to his 'home' folder, seeing it as a root folder. | This way the user will only have access to his 'home' folder, seeing it as a root folder. | ||
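Review bot: the `Match User sftpuser` block must be the last section of sshd_config (or be followed only by other Match blocks), because every directive after a Match line applies only to that match; pasting it into the middle of the file silently scopes the global options below it to sftpuser alone, which is a common cause of "it worked until I added the chroot" reports. The block also depends on a `Subsystem sftp` line existing elsewhere in the file; the distribution default is fine, because `ForceCommand internal-sftp` replaces whatever command that line names with the in-process server that needs no binaries inside the chroot. Consider adding `AllowAgentForwarding no` next to the two existing forwarding switches, and note in the text that the `**` prefixes are wiki list markup, not part of the configuration.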
| Line 71: | Line 71: | ||
First, make sure the permissions on your site folder, subfolders and files are set correctly (particularly Magento can have problems here). Then start changing the permissions: | First, make sure the permissions on your site folder, subfolders and files are set correctly (particularly Magento can have problems here). Then start changing the permissions: | ||
cd / | *cd / | ||
chown root:root var/ | *chown root:root var/ | ||
chmod 755 var/ | *chmod 755 var/ | ||
cd var/ | *cd var/ | ||
chown root:root www/ | *chown root:root www/ | ||
chmod 755 www/ | *chmod 755 www/ | ||
cd www/ | *cd www/ | ||
chown root:root siterootfolder/ | *chown root:root siterootfolder/ | ||
chmod 755 siterootfolder/ | *chmod 755 siterootfolder/ | ||
cd siterootfolder/ | *cd siterootfolder/ | ||
ls -l | *ls -l | ||
The above command is to determine the current permissions of the sftp(sub)folder. Record the owner(u) and the others'(o) permissions. Why? Remember, it's not just the sftpuser in the www-data group but vice versa. This way we | The above command is to determine the current permissions of the sftp(sub)folder. Record the owner(u) and the others'(o) permissions. Why? Remember, it's not just the sftpuser in the www-data group but vice versa. This way we | ||
will have his home folder but make sure the www-data account (which Nginx is running under) will have still the same permissions. | will have his home folder but make sure the www-data account (which Nginx is running under) will have still the same permissions. | ||
chown -R sftpuser:sftpuser sftp(sub)folder/ | *chown -R sftpuser:sftpuser sftp(sub)folder/ | ||
In the next command make sure the owner(u) and the group permissions(g) are the same, the (o) permissions can stay as they were: | In the next command make sure the owner(u) and the group permissions(g) are the same, the (o) permissions can stay as they were: | ||
chmod -R xxx sftp(sub)folder/ | *chmod -R xxx sftp(sub)folder/ | ||
And change the owner and permissions to comply with the sshd chroot conditions: | And change the owner and permissions to comply with the sshd chroot conditions: | ||
chown root:root sftp(sub)folder/ | *chown root:root sftp(sub)folder/ | ||
chmod 755 sftp(sub)folder/ | *chmod 755 sftp(sub)folder/ | ||
Note the missing -R parameter when we are changing the parent folders' owner and permissions. We don't want to mess up the permissions on the content of these folders, just the folders themselves. | Note the missing -R parameter when we are changing the parent folders' owner and permissions. We don't want to mess up the permissions on the content of these folders, just the folders themselves. | ||
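Review bot: `chmod -R xxx sftp(sub)folder/` with a single numeric mode sets identical bits on files and directories, so whatever replaces xxx either leaves directories untraversable or marks every file executable; use the symbolic form with a capital X, e.g. `chmod -R u=rwX,g=rwX,o=rX sftp(sub)folder/` (775 on directories, 664 on files, matching the "u and g the same" rule in the preceding line), or split it with `find sftp(sub)folder -type d -exec chmod 775 {} +` and `find sftp(sub)folder -type f -exec chmod 664 {} +`. The reasoning in the two prose lines above the chown is sound and worth keeping: after `chown -R sftpuser:sftpuser` the group is no longer www-data, so www-data (now a member of the sftpuser group) keeps its access only if the group bits equal the old owner bits. One consequence the text should state: after the final `chown root:root` and `chmod 755` on the chroot directory, sftpuser cannot create or delete entries at the chroot root itself, only inside subfolders it owns; that is the intended sshd ChrootDirectory trade-off, not a permissions mistake.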
| Line 112: | Line 112: | ||
Now create the .ssh folder and link the already created public key there (if you didn't do it yet): | Now create the .ssh folder and link the already created public key there (if you didn't do it yet): | ||
cd sftp(sub)folder/ | *cd sftp(sub)folder/ | ||
mkdir .ssh | *mkdir .ssh | ||
chown -R sftpuser:sftpuser .ssh/ | *chown -R sftpuser:sftpuser .ssh/ | ||
chmod -R 700 .ssh/ | *chmod -R 700 .ssh/ | ||
ln -s /usr/share/sshkeys/sftpuser /var/www/siterootfolder/sftp(sub)folder/.ssh/authorized_keys | *ln -s /usr/share/sshkeys/sftpuser /var/www/siterootfolder/sftp(sub)folder/.ssh/authorized_keys | ||
Once you've double-checked that all permissions are as they should be, apply the sshd_config changes: | Once you've double-checked that all permissions are as they should be, apply the sshd_config changes: | ||
systemctl restart sshd | *systemctl restart sshd | ||
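Review bot: with `AuthorizedKeysFile /usr/share/sshkeys/%u` in force, sshd never consults `~/.ssh/authorized_keys`, so the `.ssh` directory and symlink created in this hunk play no part in authentication; inside the chroot the link target `/usr/share/sshkeys/sftpuser` does not exist, so an SFTP session sees `.ssh/authorized_keys` as a dangling link. Either drop these lines or say they are for consistency with the other users only. Before the restart, `sshd -t` checks the syntax and `sshd -T -C user=sftpuser` prints the effective settings for that user, which is the quickest way to confirm that ChrootDirectory and ForceCommand actually apply; a test `sftp sftpuser@host` that lands in `/` showing only the site subfolder confirms the chroot end to end.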