Locking down SFTP
This is a small recipe to tighten the security of an SFTP-only interface.

In the /etc/ssh/sshd_config file include the following setting:

    Subsystem sftp internal-sftp

This makes the sftp subsystem use the implementation built into sshd itself. Inside the chroot there is normally no sftp-server executable, and none of the shared libraries or device nodes it would need, so an external sftp-server could not run there; internal-sftp needs no support files at all inside the chroot.
For each user that should be restricted to sftp, add a Match block:

    Match User sftp-only-user-name
        ChrootDirectory /only/path
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PermitTTY no

Put these blocks at the end of the file: every directive after a Match line belongs to that block until the next Match line, so global settings placed below it would silently apply only to the matched users. Alternatively, you could use Match Group and put multiple sftp-only users in the specified group. Run sshd -t before reloading the daemon to have sshd check the resulting configuration.
The options are:

ChrootDirectory /only/path: This directory, and every directory on the path leading to it, must be owned by root and must not be writable by group or others (mode 0755 is the usual choice). If this is not the case, logins fail and sshd logs the error "bad ownership or modes for chroot directory" (with "component" added when an intermediate directory is at fault). A consequence is that the user cannot write into the chroot root itself, so create a subdirectory inside it that is owned by the user and let them upload there.

ForceCommand internal-sftp: Only allows sftp. No other command will be run, whatever the client asks for.

X11Forwarding, AllowTcpForwarding and PermitTTY as no: These make sure that the remote user cannot use the SSH connection for anything other than file transfer, such as tunnelling TCP ports or X11 through the server, even though no shell is ever granted.
References: