Setting Up a Secure SFTP Chroot Environment on Red Hat 9, CentOS Stream 9, and Oracle Linux 9


In this tutorial, we will guide you through the process of setting up a secure SFTP chroot environment on Red Hat 9, CentOS Stream 9, and Oracle Linux 9. This setup will restrict users to their own directories, enhancing security by preventing them from navigating the broader filesystem.

Prerequisites

  • A server running Red Hat 9, CentOS Stream 9, or Oracle Linux 9.
  • Root or sudo access to the server.
  • A user account to configure for SFTP access (we create sftpuser in step 2).

Step-by-Step Guide

1. Install Required Packages

Ensure that the necessary packages are installed on your system:

sudo dnf install openssh-server -y        

2. Create the SFTP User and Directory Structure

Create the user with no interactive shell (the session is forced to internal-sftp in step 4, so a shell is never needed) and the directory tree for the chroot:

sudo useradd -m -s /sbin/nologin sftpuser
sudo passwd sftpuser
sudo mkdir -p /home/sftpuser/chroot/uploads

3. Set Ownership and Permissions

Set ownership and permissions so that sshd accepts the chroot. sshd requires every component of the ChrootDirectory path (/, /home, /home/sftpuser and /home/sftpuser/chroot) to be a directory owned by root and not writable by group or others. useradd -m created /home/sftpuser owned by sftpuser (and mode 0700 on these distributions), so that directory has to be handed to root as well, not only the chroot itself:

sudo chown root:root /home/sftpuser /home/sftpuser/chroot
sudo chmod 0755 /home/sftpuser /home/sftpuser/chroot
sudo chown sftpuser:sftpuser /home/sftpuser/chroot/uploads
sudo chmod 0700 /home/sftpuser/chroot/uploads

These settings make the chroot root and all of its parents root-owned and writable only by root, while uploads is the one directory sftpuser can write to. If any component is left user- or group-writable, sshd refuses the login and logs "bad ownership or modes for chroot directory component" naming the offending directory.

4. Configure SSHD for Chroot

Edit the SSH daemon configuration file to set up the chroot environment:

sudo nano /etc/ssh/sshd_config        

Add the following lines at the end of the file. A Match block extends to the next Match line or to the end of the file, so anything placed after it would apply to sftpuser only:

Match User sftpuser
    ChrootDirectory /home/sftpuser/chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no        

These directives chroot sftpuser into /home/sftpuser/chroot, run the SFTP server inside the sshd process (internal-sftp) instead of the external sftp-server binary, which does not exist inside the chroot and would leave the user with no working session, and disable TCP and X11 forwarding so the account cannot be used as a tunnel endpoint. ForceCommand also means the client cannot request a shell or any other command.

5. Restart the SSH Service

Check the configuration syntax first (sudo sshd -t prints nothing when the file parses cleanly), then restart the service to apply the Match block:

sudo systemctl restart sshd        

6. Verify the Configuration

Verify by logging in as sftpuser with an SFTP client:

sftp sftpuser@your_server_ip

The session starts at /, which is /home/sftpuser/chroot on the server: ls shows only uploads, cd .. cannot leave /, put into / fails with "Permission denied", and put into uploads succeeds. A plain ssh sftpuser@your_server_ip gets no shell, only the message "This service allows sftp connections only." If the SFTP login is closed immediately instead, check journalctl -u sshd (or /var/log/secure) for "bad ownership or modes for chroot directory component", which names the directory to fix. With SELinux enforcing, an upload that is denied despite correct permissions will show up in ausearch -m AVC -ts recent; the ssh_chroot_rw_homedirs boolean (setsebool -P ssh_chroot_rw_homedirs on) governs writes to home directories from a chrooted SSH session.
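
The whole procedure as one script, added here as an example and not part of the original tutorial: it creates the SFTP-only user and the chroot tree as described in steps 2 and 3, then pre-checks every path component with the same rule sshd applies (root-owned, not group/world writable, a directory), so a parent directory that would make sshd reject the login is caught before sshd is restarted. The user name is passed as an argument; the drop-in file /etc/ssh/sshd_config.d/50-sftp-chroot.conf (RHEL 9's sshd_config includes /etc/ssh/sshd_config.d/*.conf), the added PermitTTY no, and GNU stat are assumptions of this example, not from the tutorial.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: builds the chroot tree
# from the steps above for an SFTP-only user and pre-checks it the way sshd
# does, so a misconfigured parent directory is caught before sshd restarts.
# Assumptions (not from the tutorial): the user name is an argument, the
# Match block goes in the drop-in /etc/ssh/sshd_config.d/50-sftp-chroot.conf,
# and stat is GNU coreutils stat.
set -eu

# sshd's rule for every component of ChrootDirectory, "/" included: owned by
# uid 0 and not writable by group or others, i.e. (mode & 022) == 0.
# Arguments: <uid> <octal mode as printed by 'stat -c %a', e.g. 755 or 1777>.
chroot_component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Check one directory and print the complaint sshd would log on failure.
check_chroot_component() {
    local p info uid mode
    p=$1
    # stat -L follows symlinks, as the stat() call in sshd does.
    if ! info=$(stat -L -c '%u %a' -- "$p" 2>/dev/null); then
        echo "cannot stat chroot component $p" >&2
        return 1
    fi
    uid=${info% *}
    mode=${info#* }
    if [ ! -d "$p" ]; then
        echo "chroot path component $p is not a directory" >&2
        return 1
    fi
    if ! chroot_component_ok "$uid" "$mode"; then
        echo "bad ownership or modes for chroot directory component $p (uid $uid, mode $mode)" >&2
        return 1
    fi
}

# Walk from "/" down to the ChrootDirectory, checking each prefix in turn:
# /, /home, /home/sftpuser, /home/sftpuser/chroot. Returns 0 only if sshd
# would accept the whole path.
check_chroot_path() {
    local target path rest comp
    target=$1
    case $target in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $target" >&2; return 1 ;;
    esac
    path=/
    check_chroot_component "$path" || return 1
    rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$comp" ] || continue   # skip empty parts from "//" or a trailing "/"
        path=${path%/}/$comp
        check_chroot_component "$path" || return 1
    done
}

# Create the user, the tree and the sshd drop-in; run as root.
setup_sftp_chroot() {
    local user home chroot dropin
    user=$1
    home=/home/$user
    chroot=$home/chroot
    dropin=/etc/ssh/sshd_config.d/50-sftp-chroot.conf   # assumed file name

    # ForceCommand internal-sftp never spawns a shell, so deny one outright.
    id "$user" >/dev/null 2>&1 || useradd -m -s /sbin/nologin "$user"
    mkdir -p "$chroot/uploads"
    # useradd -m leaves $home owned by the user (and 0700 on RHEL 9); sshd
    # rejects that as a chroot path component, so root must own $home too.
    chown root:root "$home" "$chroot"
    chmod 0755 "$home" "$chroot"
    chown "$user:$user" "$chroot/uploads"
    chmod 0700 "$chroot/uploads"
    check_chroot_path "$chroot"

    cat > "$dropin" <<EOF
Match User $user
    ChrootDirectory $chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
    # Syntax-check the merged configuration, then print what sshd will
    # actually apply to this user before restarting.
    sshd -t
    sshd -T -C "user=$user,host=localhost,addr=127.0.0.1" \
        | grep -Ei '^(chrootdirectory|forcecommand|allowtcpforwarding|x11forwarding|permittty) '
    systemctl restart sshd
}

case ${1:-} in
    setup) setup_sftp_chroot "${2:?usage: $0 setup <user>}" ;;
    check) check_chroot_path "${2:?usage: $0 check </path/to/chroot>}" ;;
esac
```

Run `sudo ./sftp-chroot.sh setup sftpuser` to perform the whole procedure, or `./sftp-chroot.sh check /home/sftpuser/chroot` on its own against an existing tree; the check prints the first component sshd would reject, which is exactly the directory to chown or chmod.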

Conclusion

By following these steps, you’ve successfully set up a secure SFTP chroot environment on Red Hat 9, CentOS Stream 9, and Oracle Linux 9. This setup confines users to their own directories, enhancing overall system security. This approach is particularly useful for environments where multiple users need SFTP access, but should not have access to each other’s files or the rest of the filesystem.
