Thursday 9 June 2016

Setup SFTP with no SSH

How to Setup Chroot SFTP in Linux
(Allow Only SFTP, not SSH)

Chroot SFTP Environment
In the following example, john can sftp to the system and view only the directory you have designated for john's sftp use (i.e. /incoming).
When john tries to perform ‘cd /etc’, it will give an error message. Since SFTP is set up in a chroot environment, john cannot view any other files on the system.
# sftp john@thegeekstuff.com
john@thegeekstuff's password:
sftp> pwd
Remote working directory: /home/john

sftp> ls
sftp> cd /etc
Couldn't canonicalise: No such file or directory
Now that you know what a Chroot SFTP environment is, let us see how to set it up.
1. Create a New Group
Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
# groupadd sftpusers
2. Create Users (or Modify Existing User)
Let us say you want to create a user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to log in over SSH.
The following command creates guestuser, assigns the user to the sftpusers group, makes /incoming the home directory, and sets /sbin/nologin as the shell (which will not allow the user to ssh in and get shell access).
# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser
Verify that the user got created properly.
# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin
If you want to modify an existing user, make them sftp-only and put them in the chroot sftp jail, do the following:
# usermod -g sftpusers -d /incoming -s /sbin/nologin john
On a related note, if you have to transfer files from Windows to Linux, use one of the SFTP clients mentioned in this top 7 sftp client list.
3. Setup sftp-server Subsystem in sshd_config
You should instruct sshd to use internal-sftp for sftp (instead of the default sftp-server).
Modify the /etc/ssh/sshd_config file and comment out the following line:
#Subsystem       sftp    /usr/libexec/openssh/sftp-server
Next, add the following line to the /etc/ssh/sshd_config file:
Subsystem       sftp    internal-sftp
# grep sftp /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp
4. Specify Chroot Directory for a Group
You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config:
# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
In the above:
- Match Group sftpusers – the lines that follow apply only to users who belong to the group sftpusers.
- ChrootDirectory /sftp/%u – the path that will be used for the chroot after the user is authenticated. %u is replaced with the user name, so for john this will be /sftp/john.
- ForceCommand internal-sftp – forces execution of internal-sftp and ignores any command mentioned in the user's ~/.ssh/rc file.
5. Create sftp Home Directory
Since we’ve specified /sftp as the ChrootDirectory above, create this directory (which is the equivalent of your typical /home directory).
# mkdir /sftp
Now, under /sftp, create the individual directories for the users who are part of the sftpusers group, i.e. the users who will be allowed only to perform sftp and will be in the chroot environment.
# mkdir /sftp/guestuser
So, /sftp/guestuser is equivalent to / for guestuser. When guestuser connects over sftp and performs “cd /”, they will see only the contents of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.
So, under this directory /sftp/guestuser, create any subdirectories that you would like the user to see. For example, create an incoming directory where users can upload their files.
# mkdir /sftp/guestuser/incoming
6. Setup Appropriate Permission
For chroot to work properly, you need to make sure the appropriate permissions are set on the directories you just created above.
Set the ownership to the user, and the group to the sftpusers group, as shown below.
# chown guestuser:sftpusers /sftp/guestuser/incoming
The permissions will look like the following for the incoming directory.
# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming
The permissions will look like the following for the /sftp/guestuser directory. It stays owned by root and is not group- or world-writable; sshd requires this of the chroot directory and of every directory above it, and refuses the connection otherwise.
# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser

# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
7. Restart sshd and Test Chroot SFTP
Restart sshd:
# service sshd restart
Test the chroot sftp environment. As you see below, when guestuser connects over sftp and does “cd /”, they will see only the incoming directory.
# sftp guestuser@thegeekstuff.com
guestuser@thegeekstuff's password:

sftp> pwd
Remote working directory: /incoming

sftp> cd /
sftp> ls
incoming
When guestuser transfers any files to the /incoming directory over sftp, they will really be located under the /sftp/guestuser/incoming directory on the system.
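A check for the ownership rule behind step 6, added here as an example that is not part of the original post: sshd rejects a ChrootDirectory when the directory or any of its parents is not owned by root or is writable by group or others. The functions below walk every path component from / down to the chroot and report the first one that breaks the rule, so the layout can be verified before sshd is restarted in step 7. The function names and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify the rule sshd enforces
# on ChrootDirectory. Every component of the chroot path, from / down to the
# chroot itself, must be owned by root (uid 0) and must not be writable by
# group or others. Function names are assumptions of this example.

# mode_is_safe OCTAL_MODE -> 0 if neither group nor others have the write bit.
# OCTAL_MODE is the digit string stat -c %a prints (e.g. 755 or 1777).
mode_is_safe() {
    perms=$1
    while [ ${#perms} -lt 3 ]; do perms=0$perms; done   # pad, e.g. 0 -> 000
    perms=${perms#"${perms%???}"}        # keep only the last three digits
    group=${perms%?}; group=${group#?}   # middle digit = group bits
    other=${perms#??}                    # last digit  = other bits
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]
}

# check_one DIR -> 0 if DIR is root-owned and not group/other writable;
# otherwise prints the reason and returns 1.
check_one() {
    dir=$1
    info=$(stat -c '%u %a' "$dir") || return 1   # GNU stat: "<uid> <octal mode>"
    set -- $info
    if [ "$1" != 0 ]; then
        echo "$dir: owned by uid $1, must be root"; return 1
    fi
    if ! mode_is_safe "$2"; then
        echo "$dir: mode $2 is group/other writable"; return 1
    fi
    return 0
}

# check_chroot_path DIR -> 0 when / and every directory down to DIR pass.
check_chroot_path() {
    path=""
    old_ifs=$IFS; IFS=/; set -- $1; IFS=$old_ifs    # split the path on '/'
    check_one / || return 1
    for comp in "$@"; do
        [ -n "$comp" ] || continue                   # skip empty fields
        path="$path/$comp"
        check_one "$path" || return 1
    done
    return 0
}

# Usage on the directory created in step 5:
#   check_chroot_path /sftp/guestuser && echo "chroot path OK"
```

Run the check as root after step 6; a non-zero exit names the offending directory. `sshd -t` then validates the edited sshd_config syntax before the restart in step 7.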

Wednesday 1 June 2016

Change the bonding mode in Linux


How to change the bonding mode without rebooting the system?

Resolution

In Red Hat Enterprise Linux 5 or 6, the bonding mode can be changed like this.
Here is an example of how to change the bonding mode from 0 (balance-rr) to 1 (active-backup) in RHEL 5 or 6:

1. Find current bonding mode:
# cd /sys/class/net/bond0/bonding
# cat mode
balance-rr 0
The current bonding mode is round-robin.

2. Change the bonding mode:
# ifdown bond0
# echo 1 > mode
# cat mode
active-backup 1
Now the bonding mode has been changed to active-backup.

3. Bring bond0 up again:
# ifup bond0

4. Check if the bonding mode has been changed:
# cat /proc/net/bonding/bond0

In Red Hat Enterprise Linux 4, the bonding mode can be changed like this:

Here is an example of how to change the bonding mode from 0 to 1 in RHEL 4:
1. Find current bonding mode:
# cat /proc/net/bonding/bond0
...
Bonding mode: round-robin
The current bonding mode is round-robin.

2. Down all bonding information and change the bonding mode:
# ifdown bond0
(also bring down any other bonding interfaces you have)
# rmmod bonding
- Edit /etc/modprobe.conf to change the bonding options (the line should look like the following):
options bonding mode=0 miimon=100
- This can be changed to:
options bonding mode=1 miimon=100

3. Bring bond0 (and any other bonding interfaces) up again. The bonding module will be reloaded automatically:
# ifup bond0

4. Check if the bonding mode has been changed:

# cat /proc/net/bonding/bond0
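Step 4 of both procedures ends with reading /proc/net/bonding/bond0 by eye. As an added example that is not part of the original post, the functions below parse that file so the check can be scripted: one extracts the bonding mode, one counts slaves whose MII status is not up, and `bond_check` combines both into an exit status. The sample file is constructed for this example in the layout the bonding driver prints (the MAC addresses are made up); the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): parse /proc/net/bonding/bondX
# to confirm the mode change and spot a slave that is down. Function names
# are assumptions of this example.

# bond_mode FILE -> prints the text after "Bonding Mode:",
# e.g. "fault-tolerance (active-backup)" (older kernels print "Bonding mode:").
bond_mode() {
    sed -n 's/^Bonding [Mm]ode: //p' "$1"
}

# bond_slaves_down FILE -> prints how many "Slave Interface:" sections report
# an MII Status other than "up". The first "MII Status:" line in the file
# belongs to the bond itself and is skipped.
bond_slaves_down() {
    awk '
        /^Slave Interface:/ { in_slave = 1; next }
        in_slave && /^MII Status:/ { if ($3 != "up") down++; in_slave = 0 }
        END { print down + 0 }
    ' "$1"
}

# bond_check FILE WANTED_MODE -> 0 when the mode line contains WANTED_MODE
# (e.g. active-backup) and no slave is down; otherwise prints why and returns 1.
bond_check() {
    file=$1; want=$2
    mode=$(bond_mode "$file")
    case "$mode" in
        *"$want"*) ;;
        *) echo "mode is '$mode', expected $want"; return 1 ;;
    esac
    down=$(bond_slaves_down "$file")
    [ "$down" -eq 0 ] || { echo "$down slave(s) down"; return 1; }
    return 0
}

# make_sample ETH1_STATUS -> writes a constructed bond0 status file (two
# slaves, eth1 with the given MII status) and prints its path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<EOF
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55
Slave queue ID: 0

Slave Interface: eth1
MII Status: $1
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:66
Slave queue ID: 0
EOF
    echo "$f"
}

# Usage on a live system after step 3:
#   bond_check /proc/net/bonding/bond0 active-backup && echo "bond0 OK"
```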

Wednesday 11 May 2016

Basic Linux commands

BASIC LINUX COMMANDS

>> To check the present working directory

 [root@database ~]# pwd
/root

>> To show the contents of a directory (folder)

[root@database ~]# ls
3145.zip  args1    database_notes  Documents   ifcfg-eth1_March25  linux_image.iso  names         phonenubers  uln_migrate             uln_register.tar
args      BegPerl  Desktop         hello2.plx  index.html.1        mbox             oradiag_root  scripts   

>> To see more details including the permission regarding the contents of a directory (folder)

[root@database ~]# ls -l
total 3511620
-rw-r--r--  1 root   root       422670 Dec 30 10:29 3145.zip
-rwxr--r--  1 root   root          105 Apr  8 21:45 args
-rwxr--r--  1 root   root           32 Apr  8 21:51 args1
drwxr-xr-x 17 root   root         4096 Dec 30 10:31 BegPerl
-rw-r--r--  1 root   root         5022 Jan  5 09:55 database_notes
drwxr-xr-x  3 root   root         4096 Mar 25 04:45 Desktop
drwx------  3 root   root         4096 Mar 30 21:33 Documents

>> To see all contents including hidden files of a directory (folder)

[root@database ~]# ls -a
.              .bashrc         .eggcups         .gstreamer-0.10     mbox                 scripts                 uln_register.tar             .xauthgXJKsS
..             BegPerl         .elinks          .gtkrc-1.2-gnome2   .metacity            .sqldeveloper           .vboxclient-clipboard.pid    .xauthixsRh6


>> To see tree structure of nested directories

[root@database ~]# ls -R /opt
/opt:
ORCLfmap
sqldeveloper
sun
VBoxGuestAdditions-4.2.6

/opt/ORCLfmap:
prot1_32

/opt/ORCLfmap/prot1_32:
bin
etc
log

/opt/ORCLfmap/prot1_32/bin:
Fmputl

>> To see a file starting from f

[root@database ~]# ls f*

>> To see files whose name contains the string disk

[root@database ~]# ls /bin/*disk*

>> To see files whose name is exactly 3 characters long

[root@database ~]# ls ???

>> To see files whose name starts with any single character followed by edh and then any number of characters

[root@database ~]# ls ?edh*
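The four ls commands above rely on shell wildcard expansion, so they behave the same with any command. As an added example that is not part of the original post, the functions below build a throwaway directory with constructed file names and show which names each pattern selects; `match_in` also handles the case the cheat sheet does not mention, where a pattern matches nothing and the shell would otherwise pass it to ls literally. The directory contents and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the ls wildcard
# patterns against constructed file names in a temporary directory.

# make_fixture -> creates a temp directory with sample names and prints its path.
# Names are constructed to cover each pattern: 3-character names, names
# starting with f, names containing disk, and one matching ?edh*.
make_fixture() {
    d=$(mktemp -d)
    for name in abc foo f1 redhat disk mydisk xyz; do
        : > "$d/$name"
    done
    echo "$d"
}

# match_in DIR PATTERN -> prints the names in DIR that PATTERN expands to,
# one per line. When nothing matches, the shell leaves the pattern
# unexpanded (so "ls zz*" would report a missing file named zz*); this
# function prints nothing in that case instead.
match_in() {
    (
        cd "$1" || exit 1
        set -- $2              # unquoted: the shell expands the pattern here
        [ -e "$1" ] || exit 0  # first "match" does not exist: no match at all
        printf '%s\n' "$@"
    )
}

# Usage: d=$(make_fixture); match_in "$d" '???'; match_in "$d" '*disk*'; rm -rf "$d"
```

Quote the pattern when calling `match_in` so it reaches the function unexpanded; the same quoting rule is why `ls '*disk*'` finds nothing while `ls *disk*` works.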

>> To create a file
[root@database ~]# cat > file1

>>  To see file content
[root@database ~]# cat file1


>> To append a file

[root@database ~]# cat >> file1

[root@database ~]# cat file1 file2 >> file3   # append the output to file3

[root@database ~]# cat file3

>>  To create a file using touch command

[root@database ~]# touch f1 f2 f3 f4

[root@database ~]# ls

>>  Creating a single directory

[root@database ~]# mkdir dir

>> Creating multiple directories

[root@database ~]# mkdir dir1 dir2 dir3 dir4

[root@database ~]# ls

anaconda-ks.cfg  dir   dir2  dir4  f2  f4     file2  install.log         labmanual
Desktop          dir1  dir3  f1    f3  file1  file3  install.log.syslog

>>  To create nested directories

[root@database ~]# mkdir -p d1/d2/d3/d4

>> To see the tree structure

[root@database ~]# ls -R d1
d1:
d2

d1/d2:
d3

d1/d2/d3:
d4

d1/d2/d3/d4:


>> To change a directory

[root@database ~]# cd dir1

[root@database ~]# cd ..

[root@database ~]# cd ../..

[root@database ~]# cd -
/root

[root@database ~]# pwd
/root

[root@database ~]# cd

[root@database ~]# pwd
/root

[root@database ~]#

>> To remove files

[root@database ~]# rm file1

rm: remove regular file `file1'? y

>> To remove an empty directory

[root@database ~]# rmdir dir1

[root@database ~]# ls
anaconda-ks.cfg  Desktop  dir2  dir4  f2  f4     file3        install.log.syslog
d1               dir      dir3  f1    f3  file2  install.log  labmanual

>> To remove a directory and its contents
[root@database ~]# rm -rf dir

[root@database ~]# ls
anaconda-ks.cfg  Desktop  dir3  f1  f3  file2  install.log         labmanual
d1               dir2     dir4  f2  f4  file3  install.log.syslog

>> To copy files

[root@database ~]# cp anaconda-ks.cfg file1

>> To copy folders

[root@database ~]# cp -r dir2 Desktop

>> To rename directories and files

[root@database ~]# mv dir3 d4


[root@database ~]# ls
anaconda-ks.cfg  d4       dir2  f1  f3  file1  file3        install.log.syslog
d1               Desktop  dir4  f2  f4  file2  install.log  labmanual

>> To move directories and files

[root@database ~]# mv dir2 /opt

[root@database ~]# ls
anaconda-ks.cfg  d4       dir4  f2  f4     file2  install.log         labmanual
d1               Desktop  f1    f3  file1  file3  install.log.syslog


[root@database ~]# cd /opt

[root@database ~]#  ls
dir2

>> To search for a word in one or more files

[root@database ~]# grep tom  /etc/passwd /etc/group /etc/gshadow

/etc/passwd:tom:x:500:500::/home/tom:/bin/bash
/etc/group:tom:x:500:
/etc/gshadow:tom:!::

[root@database ~]# cat /etc/passwd | grep tom

>> To see the type of a file

[root@database ~]# file *

>> To view the date

[root@database ~]# date

[root@database ~]# date -s "07/15/2008 00:06:00"   # format: mm/dd/yyyy hh:mm:ss
Tue Jul 15 00:06:00 EDT 2008

[root@database ~]# cal

[root@database ~]# cal 12 2008

[root@database ~]# man mkdir

[root@database ~]# man cal

>> To see the content one screen at a time

[root@database ~]# ls -l /bin  | less


Visual Interface (VI)


Commands to Go into Insert mode

To open a file use vi

e.g.
# vi test.txt

i   -  inserts the text at current cursor position
I   -  inserts the text at  beginning of line
a   -  appends the text after current cursor position
A   -  appends the text at end of line
o   -  inserts a line below current cursor position
O   -  inserts a line above current cursor position
r   -  replaces a single character at the current cursor position

Commands at execute mode

:q -  quit (refuses if the file has unsaved changes)
:q!   -  quit forcefully, discarding unsaved changes
:w   -  save
:wq   -  save & quit
:wq! -  save & quit  forcefully
:x -  save & quit
:sh -  provides a temporary shell (exit returns to vi)
:se nu -  Setting line numbers
:se nonu -  Removing line numbers
:84   -  press Enter to go to line 84

>> To move the cursor, press the h,j,k,l keys as indicated.   
             ^
             k              Hint:  The h key is at the left and moves left.
       < h       l >               The l key is at the right and moves right.
             j                     The j key looks like a down arrow
             v

w -  forward, word by word
b -  back, word by word

>> Commands at command mode

dd   -  Deletes a line
2dd   -  Deletes 2 lines
yy   -  Copy a line
2yy   -  Copies 2 lines
p -  put  (deleted or copied text)
u -  Undo (can undo 1000 times)
Ctrl+r -  Redo
G - Moves cursor to last line of file
5G - Moves cursor to 5th line of file
Shift+ZZ -  save & quit
/ -  search for a word


>> To find and replace words
:1,$s///gc

e.g.
:1,$s/world/universe/gc

1 -> start the search from the 1st line
$ -> End of File
s -> substitute
g -> global
c -> confirmation

>> To power off machine

# poweroff