[GUIDE] SFTP Selective remote folder access to certain users

  • SFTP Selective remote folder access to users


    SFTP is a file transfer protocol that works over SSH and comes bundled with the openssh-server package. With the default settings, root or any other user in the ssh group can browse your whole root filesystem and media drives. This guide covers how to set up SSH so that you can specify custom folders as the only ones users can reach through SFTP. This is done with chroot jails defined in sshd_config: we create a general /sftp folder and, inside it, bind-mount every folder a particular user should have access to.


    Warning: 90% of this guide is CLI commands.


    What you need:

    • OMV 2.0 (this should also work in earlier versions 1.0, 0.5 and below, but it hasn't been tested)
    • SSH service
    • tree (optional: apt-get install tree)
    • Terminal console (or PuTTY in a Windows environment)

    Getting Started



    First we need to disable the general sftp subsystem that comes enabled by default. Since OMV rewrites sshd_config from its defaults every time we change something in the SSH service, we need to approach this by defining an environment variable.


    nano /etc/default/openmediavault


    Place these two lines at the end of the file


    Code
    OMV_SSHD_SUBSYSTEM_SFTP="internal-sftp"
    OMV_SSHD_ALLOWGROUPS="root ssh sftp-access"


    Then run

    Code
    service openmediavault-engined restart && omv-mkconf ssh && service ssh restart


    Then we create the group sftp-access in the web UI panel and add user1 and user2 as members. We check in the terminal:


    Code
    root@vm-omv:/# getent group sftp-access
    sftp-access:x:1002:user1,user2


    Now let's create the chroot folders for our two users


    mkdir -p /sftp/{user1,user2}


    It is important that these two folders are owned by root and that no one else has write access; sshd refuses to chroot into a directory that is not root-owned or that is group- or world-writable.


    Code
    chown root:root /sftp/{user1,user2}
    chmod 755 /sftp/{user1,user2}


    Now let's say we have four folders at /media/<uuid>/: Documents, Videos, Pictures and Music.


    (screenshot list.png: listing of /media/<uuid>/)


    We want user1 to have access to all four folders and user2 only to Documents.
    In the /sftp folder we do


    Code
    mkdir -p /sftp/user1/{Documents,Music,Pictures,Videos}
    mkdir -p /sftp/user2/Documents


    We edit /etc/fstab and add the following at the end



    Change the UUID and folders according to your setup.


    Run mount -a and confirm all folders are mounted with mount | grep 'user1\|user2'


    (screenshot mtab.png: output of mount | grep 'user1\|user2')


    You can then check the structure with tree /sftp -fpug


    (screenshot tree.png: output of tree /sftp -fpug)


    As you can see, if you create a file in the original directory it shows up in the sftp directory. This is a bind mount: an alternate view of the original directory tree, replicated at another point of the / filesystem.


    Now we go to the SSH configuration panel in the OMV web UI and in the extra options we add


    Code
    Match Group sftp-access
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp


    It should look like this


    (screenshot webpanel.png: SSH extra options in the OMV web UI)


    Now let's check from another LAN client whether it is working


    (screenshot sftpaccess.png: sftp session from a LAN client)


    You can also use FileZilla, Cyberduck, WinSCP or any other client that supports SFTP to connect from a desktop.


    Notes:

    • SSH provides no per-login read/write control over the files the way Samba or FTP do; which directories are shown is decided by the bind mounts in fstab. If you want some users to have read-only access, you will have to rely on basic POSIX permissions.
    • The ForceCommand directive denies SSH shell access to the users in the defined group. Users in the ssh group are not affected by this and keep full root-filesystem access over both SFTP and SSH.
    • You cannot create folders at the top level of the chroot using SFTP: as set up in the beginning, both chroot folders user1 and user2 are not writable, so folder or file creation and upload is denied there. Inside the bind-mounted folders everything should work as expected.
    • You cannot use the scp command in this setup for the users in the sftp-access group.
    • You can use SSH keys for more secure access if you want. Those can be added in each user's web panel.
    • If you want to remove a user's access to a folder, do not remove the folders under /sftp/<user>/ without first unmounting the binds, otherwise YOU'RE GOING TO LOSE DATA. Unmount with, for example, umount /sftp/user1/Documents and then delete the corresponding fstab entry.


    Questions / Problems / Discussions
    Click here to get to the discussions thread
