Virtualmin + SFTP + chroot

By /
Facebook
fb-share-icon
Twitter
Tweet

SFTP is considered more a secure alternative to FTP and FTPS. The FTP server is needed as the native SSH server is used instead, and SSH does not require an SSL certificate. One drawback is the default configuration of SFTP does not restrict access to the user’s home directory. A chroot’ed setup can easily be configure and incorporated with Virtualmin.


Create sftponly group

addgroup --gid 900 sftponly


Create chroot directories

mkdir -p /home/chroot/bin


Virtualmin chroot setup script

cat > /home/chroot/bin/chroot.sh <<EOF
#!/bin/bash
if [ ! "\$VIRTUALSERVER_PARENT" ]
then
  if   [ "\$VIRTUALSERVER_ACTION" == "CREATE_DOMAIN" ]
  then
    if [ ! "\$VIRTUALSERVER_CREATED" ]
    then
      mkdir -p /home/chroot/\$VIRTUALSERVER_USER/home
    else
      echo "Setting up \$VIRTUALSERVER_USER to chroot'ed environment for sftp"
      usermod -d /home/\$VIRTUALSERVER_USER \$VIRTUALSERVER_USER
      ln -s \$VIRTUALSERVER_HOME /home
      echo " .. done"
    fi
  elif [ "\$VIRTUALSERVER_ACTION" == "DELETE_DOMAIN" ]
  then
    if [ "\$VIRTUALSERVER_CREATED" ]
    then
      echo "Cleaning up \$VIRTUALSERVER_USER's chroot'ed environment"
      rm -rf /home/chroot/\$VIRTUALSERVER_USER /home/\$VIRTUALSERVER_USER
      echo " .. done"
    fi
  fi
fi
EOF
chmod 755 /home/chroot/bin/chroot.sh


Modify ssh server

cat >> /etc/ssh/sshd_config <<EOF
Subsystem    sftp    internal-sftp
Match Group sftponly
    ChrootDirectory /home/chroot/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match all
EOF


Restart SSH Server

service ssh restart


Virtualmin Configuration Changes

Virtualmin -> System Settings -> Virtualmin Configuration -> Defaults for new domains -> Home directory base:

/home/chroot/${USER}/home


Virtualmin -> System Settings -> Virtualmin Configuration -> Defaults for new domains -> Home subdirectory: 

${USER}


Virtualmin -> System Settings -> Virtualmin Configuration ->Actions upon server and user creation -> Command to run before making changes to a server: 

/home/chroot/bin/chroot.sh


Virtualmin -> System Settings -> Virtualmin Configuration ->Actions upon server and user creation -> Command to run after making changes to a server: 

/home/chroot/bin/chroot.sh


Enforcing SFTP only access on a user

usermod -a -G sftponly <username>
Facebook
fb-share-icon
Twitter
Tweet