Thursday, May 16, 2013

Create a chroot sftp account with logging

System: CentOS 5/6

Prerequisites: openssh >5.2

chroot sftp user home directory is /usr/sftp/i-sftp

  1. Make sure every directory on the chroot path is owned by root and not writable by group or others; sshd checks each component and refuses the login otherwise (logging "bad ownership or modes for chroot directory component")
    ls -ld /usr
    ls -ld /usr/sftp
    ls -ld /usr/sftp/i-sftp

  2. Add to the end of /etc/ssh/sshd_config (every directive after a Match line belongs to that block, so no global settings may follow it)
    Match User i-sftp
        ChrootDirectory %h
        ForceCommand internal-sftp -l INFO
        GSSAPIAuthentication no
        # set to yes instead if password auth is wanted
        PasswordAuthentication no
        # set to no instead if keys are not allowed
        PubkeyAuthentication yes
        AllowTcpForwarding no
        Banner none

  3. For key-based authentication add a .ssh directory and create the authorized_keys file. Both must also be owned by root:root (StrictModes accepts root ownership; the user only needs read access)
    sudo mkdir -m 0555 /usr/sftp/i-sftp/.ssh
    sudo touch /usr/sftp/i-sftp/.ssh/authorized_keys
    sudo chmod 0444 /usr/sftp/i-sftp/.ssh/authorized_keys

  4. Add the necessary public keys to the authorized_keys file

  5. Create a directory for the log socket. internal-sftp runs inside the chroot and cannot reach the real /dev/log, so rsyslog has to offer a socket at dev/log under the chroot
    sudo mkdir -m 0755 /usr/sftp/i-sftp/dev

  6. Add to /etc/rsyslog.conf, after the $ModLoad imuxsock line and before the default rules (rsyslog evaluates rules in order, and the ~ discard only keeps later rules from also writing these messages to /var/log/messages and /var/log/secure)
    $AddUnixListenSocket /usr/sftp/i-sftp/dev/log
    if $programname == 'sshd' then /var/log/sshd.log
    if $programname == 'sshd' then ~
    if $programname == 'internal-sftp' then /var/log/sshd.log
    if $programname == 'internal-sftp' then ~

  7. Restart rsyslog so it creates the socket inside the chroot
    sudo service rsyslog restart

Now all sshd and internal-sftp messages will go to /var/log/sshd.log

Don't forget to add sshd.log to logrotate.
