Netsol-NOS
asked on
How-To secure SFTP using chroot with AD authentication
I am trying to isolate the sftp (SSH) folder from other OS directories using chroot. I am using CentOS 8 and it is part of Active Directory. I have used it with local/OS accounts and it works fine, but when I try to use sssd and ssh with AD users/groups it does not work. Configuration files are listed below.
/etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com

[domain/example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
id_provider = ad
# %u is the short AD user name and %d the domain, so the home directory of
# user "bob" is /ftphome/ftpdata/bob@example.com
fallback_homedir = /ftphome/ftpdata/%u@%d
ad_domain = example.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = users@example.com

/etc/ssh/sshd_config
Subsystem sftp internal-sftp
# group name only, no trailing comma
Match Group users@example.com
    # %u is the login name; with use_fully_qualified_names = True that is
    # bob@example.com, which matches the sssd fallback_homedir above.
    # sshd only accepts the chroot if this directory and every parent are
    # owned by root and not writable by group or others, so the user needs
    # a writable subdirectory inside it rather than the chroot root itself.
    ChrootDirectory /ftphome/ftpdata/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
I have followed different solutions posted on different forums, but none of them worked for securing SFTP using chroot with AD integration.
Any help would be appreciated.
ASKER
Thanks for your response.
MySecureShell is not supported on CentOS 8 and we also tried scp only but that also didn't work.
The server (or, if not possible, the client's) logs would help, together with an error message or a description of what happens.
Both the clients and the server can be set to log errors verbosely on screen by adding -d -d -d during invocation.
scp cannot work unless your chroot contains the required regular commands such as ls, mv, ...
It will not work unless the chroot directory exists and the user has read and execute privileges on that dir.
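The permission point made above is the usual reason a chroot that works for local users fails for directory users: sshd enforces more than read/execute for the user. It refuses the chroot (logging "bad ownership or modes for chroot directory component") unless every component of ChrootDirectory is owned by root and is not writable by group or others. The script below is an added example, not from the original thread or any product, that walks the path and reports each component. It assumes GNU stat (Linux); the OWNER_UID and TOP arguments exist only so the check can be run on a scratch tree without root, and the user name bob@example.com is a hypothetical AD account.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an sshd
# ChrootDirectory meets sshd's path requirements by walking from the chroot
# up to TOP. Each component must be owned by OWNER_UID (0 = root, what sshd
# requires) and must not be writable by group or others.
#
# usage: check_chroot_path DIR [OWNER_UID] [TOP]
# Prints one line per component; returns 0 if all pass, 1 otherwise.
# Requires GNU stat.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}   # sshd requires root; overridable only for testing
    top=${3:-/}        # stop after checking this directory
    status=0
    case $dir in
        /*) ;;
        *) echo "NOT ABSOLUTE $dir"; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    path=$dir
    while :; do
        # owner uid and octal mode of this component
        set -- $(stat -c '%u %a' "$path")
        uid=$1
        mode=$2
        # Normalise to four octal digits and keep only user/group/other,
        # so a setgid or sticky bit does not disturb the digit positions.
        perm=$(printf '%04o' "0$mode")
        perm=${perm#${perm%???}}
        grp=${perm%?}; grp=${grp#?}
        oth=${perm#??}
        bad=""
        [ "$uid" = "$want_uid" ] || bad="$bad owner-uid=$uid"
        [ $((grp & 2)) -eq 0 ] || bad="$bad group-writable"
        [ $((oth & 2)) -eq 0 ] || bad="$bad world-writable"
        if [ -n "$bad" ]; then
            echo "FAIL $path:$bad"
            status=1
        else
            echo "OK   $path"
        fi
        [ "$path" = "$top" ] || [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $status
}

# Stand-alone use: sh check_chroot.sh /ftphome/ftpdata/bob@example.com
# (bob@example.com is an assumed user; sshd expands %u to the login name,
# which with use_fully_qualified_names = True is the user@domain form)
if [ -n "${1:-}" ]; then
    check_chroot_path "$1"
fi
```

A common way to fail this check with AD accounts is letting pam_mkhomedir or oddjob-mkhomedir create the home directory on first login: that directory is then owned by the user, and sshd rejects it as a chroot. Create each chroot root as root with mode 755 and give the user a writable subdirectory inside it (for example upload/). Once the path checks pass, `sshd -T -C user=bob@example.com,host=client.example.com,addr=192.0.2.10 | grep -i -e chroot -e forcecommand` (host and address are placeholder values) prints the configuration sshd would actually apply to that login and confirms whether the Match Group block fires.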
https://www.unixmen.com/install-mysecureshell-sftp-server-in-linux/ provides installation instructions for CentOS 8 + MySecureShell.
thanks for sharing your findings.
Just run sftp-verif to fix any problem.
Then, you'll plumb together your AD instance + Linux instance.
Said differently, SFTP should work with new consideration of any AD/Linux integration config policies.