
On an AWS EC2 Linux box, I am creating an SFTP server with the folder structure below, using the script below -

/data                 (owner - root:root)
    └── /sftp         (owner - root:root)
        ├── /user1    (owner - user1:sftp_users)
        └── /user2    (owner - user2:sftp_users)

My Requirements are -

  1. Users should be able to ssh into their own directories and manage files
  2. Users should NOT be able to access files that do not belong to them. For example, user1 cannot access user2's files
  3. Admin user should be able to ssh into the machine and manage files for all users.

Using the script below (that creates a sftp_users group and modifies the user folders' permissions to 701), I am able to set up the SFTP server such that requirements 1 and 2 are satisfied. I am not a Unix expert and am trying to satisfy the 3rd requirement. Any examples or direction would help.

Thanks in advance.

echo "`date` Creating SFTP directory...."
mkdir -p /data/sftp

echo "`date` updating sshd_config"
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
echo 'Match Group sftp_users' >> /etc/ssh/sshd_config
echo 'ChrootDirectory /data/sftp' >> /etc/ssh/sshd_config
echo 'ForceCommand internal-sftp' >> /etc/ssh/sshd_config

echo "`date` Set permissions to 701 for all folders on the efs mount"
chmod -R 701 /data

echo "`date` Set owner to root:root for all folders on the efs mount"
chown -R root:root /data

echo "`date` adding sftp_users group"
groupadd sftp_users

echo "`date` restarting sshd"
systemctl restart sshd

###### Below is my user creation script that I eventually use to create individual SFTP users ######
echo "`date` creating /usr/local/sbin/create_sftp_user.sh"
# The home directory is /$USER_NAME because the user lands in the /data/sftp chroot
echo -e '#!/bin/bash\n\nUSER_NAME="$1"\nuseradd -g sftp_users -d "/$USER_NAME" -s /sbin/nologin "$USER_NAME"\n' > /usr/local/sbin/create_sftp_user.sh
echo -e 'passwd "$USER_NAME"\nmkdir -p "/data/sftp/$USER_NAME"\n' >> /usr/local/sbin/create_sftp_user.sh
echo -e 'chown "$USER_NAME":sftp_users "/data/sftp/$USER_NAME"\n' >> /usr/local/sbin/create_sftp_user.sh
echo -e 'chmod 700 "/data/sftp/$USER_NAME"\n' >> /usr/local/sbin/create_sftp_user.sh
chmod +x /usr/local/sbin/create_sftp_user.sh

1 Answer

The setup I have is setting my admin user as a member of each of my SFTP members' groups. For each SFTP user, create a unique user:group combo for that user, and give each user's directory ownership to the corresponding SFTP user/group. Your admin user should be able to access/view everything since they're included in each of the SFTP users' groups, and each user will only be able to view their own home directory. Lastly, make sure to set each SFTP user's --shell to /bin/false to prevent shell access.

I have my authentication set up via SSH keys. Add each user's public key to the authorized_keys file.

/var/sftp (admin:admin 0700)
        |
        |-/.ssh (admin:admin 0700)
        |     -/authorized_keys
        |
        |-/user1 (admin:admin 0755)
        |      |
        |      |-/uploads (user1:user1 0770)
        |      |-/.ssh 
        |            -/authorized_keys
        |
        |-/user2 (admin:admin 0755)
               |
               |-/uploads (user2:user2 0770)
               |-/.ssh 
                     -/authorized_keys

In my /etc/ssh/sshd_config, I have the following setup:

Match User ADMIN_USERNAME
  ChrootDirectory /var/sftp
  AuthenticationMethods publickey
  AuthorizedKeysFile /var/sftp/.ssh/authorized_keys
  ForceCommand internal-sftp
  OPTIONS...

Match Group SFTP_USER
  ChrootDirectory /var/sftp/%u
  AuthenticationMethods publickey
  AuthorizedKeysFile /var/sftp/%u/.ssh/authorized_keys
  ForceCommand internal-sftp
  OPTIONS...

Each SFTP user should have their home directory set to their respective /var/sftp/HOME. The only disadvantage to this setup is that a user can only be associated with 32 groups. If you have more than 32 SFTP users, you may need to find another method for your admin.

Since it is user data, I recommend using an encrypted EBS volume mounted to /var/sftp. If the instance fails, you'll still have your data, but also remember that EBS volumes are Availability Zone specific.
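Two checks worth running after building a layout like the ones above, as an added example that is not part of the question or the answer: sshd only accepts a ChrootDirectory whose path components are all root-owned and not writable by group or others (otherwise the login is refused with "bad ownership or modes for chroot directory"), and the admin-in-every-group approach only works if each user directory's group actually carries r-x. The BASE and EXPECTED_UID parameters are assumptions added so the checks can be exercised without root; in production call them with BASE=/ and EXPECTED_UID=0.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Uses GNU stat (Linux).

# Usage: chroot_path_problems PATH [BASE] [EXPECTED_UID]
# Prints one line per offending component between PATH and BASE (exclusive)
# and returns 1; prints nothing and returns 0 when sshd's rules are met.
chroot_path_problems() {
  path=$1; base=${2:-/}; want_uid=${3:-0}; bad=0
  while [ -n "$path" ] && [ "$path" != "$base" ]; do
    info=$(stat -c '%u %A' "$path") || return 2
    uid=${info%% *}; perm=${info#* }      # e.g. "0 drwxr-xr-x"
    if [ "$uid" != "$want_uid" ]; then
      echo "$path: owned by uid $uid, expected $want_uid"; bad=1
    fi
    # char 6 of the symbolic mode is the group write bit, char 9 the other write bit
    case $perm in ?????w*) echo "$path: group-writable"; bad=1;; esac
    case $perm in ????????w*) echo "$path: world-writable"; bad=1;; esac
    path=${path%/*}
  done
  return $bad
}

# Usage: admin_can_traverse DIR ADMIN
# Returns 0 if ADMIN is a member of DIR's group and that group has r and x
# on DIR, i.e. the admin can list and enter it purely via group membership.
admin_can_traverse() {
  dir=$1; admin=$2
  info=$(stat -c '%G %A' "$dir") || return 2
  grp=${info%% *}; perm=${info#* }
  case " $(id -Gn "$admin" 2>/dev/null) " in
    *" $grp "*) ;;          # admin is in the directory's group
    *) return 1;;
  esac
  # chars 5 and 7 are the group read and execute bits (x may show as s)
  case $perm in ????r?[xs]*) return 0;; *) return 1;; esac
}
```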
