Introduction

In one of our previous articles we demonstrated how to set up chrooted sftp accounts. You may have application users which need to connect to the sftp server and transfer files automatically, without manual intervention, and an enterprise infrastructure usually also contains many scripts that need to push or pull files from the sftp server without anyone entering credentials. Configuring passwordless (key-based) authentication for a chrooted sftp user is similar to doing so for an ordinary ssh user, but it involves one additional step because of the chroot. In this article we will demonstrate how to set up passwordless authentication for a chrooted sftp user account. To make the post easy to follow and maintain continuity, we will use the chrooted sftp user named sahil which we created in our earlier article on setting up chrooted sftp users.

Step 1: Ensure destination user credentials are working
Before we set up passwordless authentication, let's first log in to the server as the user sahil with its password to make sure that the account is working and has been set up correctly.

[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
sftp> ls
sftp> pwd
Remote working directory: /myhome
sftp> quit
[root@linuxnix ~]#

Step 2: Set up ssh keys for the source user
For the purpose of this demonstration we'll use a user account named nixuser as our source account, from which we will connect as the user sahil without a password.

[root@linuxnix ~]# grep nixuser /etc/passwd
nixuser:x:502:503::/home/nixuser:/bin/bash
[root@linuxnix ~]#

Let's generate the required ssh keys now. The transcript below uses a 1024-bit DSA key, which was still the norm on the distribution it was recorded on; OpenSSH has disabled ssh-dss keys by default since release 7.0 and has since removed them altogether, so on a current system generate an Ed25519 key with ssh-keygen -t ed25519 instead (the remaining steps are unchanged apart from the file name, id_ed25519.pub). Leaving the passphrase empty is what makes unattended use possible, but it also means the private key file itself is the credential: keep it mode 600, owned by nixuser, and do not copy it to other hosts.

[root@linuxnix ~]# sudo su - nixuser
[nixuser@linuxnix ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/nixuser/.ssh/id_dsa):
Created directory '/home/nixuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/nixuser/.ssh/id_dsa.
Your public key has been saved in /home/nixuser/.ssh/id_dsa.pub.
The key fingerprint is:
9e:e1:5d:24:b2:5c:73:88:0d:c3:ef:56:f9:00:05:40 nixuser@linuxnix
The key's randomart image is:
+--[ DSA 1024]----+
| oE..o. |
| .=.. |
| o.*.o. |
| . +.=+ |
| S. ..o |
| o +o. . |
| +.. |
| |
| |
+-----------------+
[nixuser@linuxnix ~]$ ls -l /home/nixuser/.ssh/id_dsa.pub
-rw-r--r--. 1 nixuser nixuser 606 Jul 21 22:50 /home/nixuser/.ssh/id_dsa.pub
[nixuser@linuxnix ~]$

Step 3: Create a .ssh directory within the home directory of the destination user
The home directory in question is the one sahil sees as /myhome after the chroot, which lives at /home/sahil/myhome on the host. We create the directory as root; sahil must not be able to write to the chroot directory itself, and a root-owned .ssh directory additionally means sahil cannot add keys of its own, which is a good property for a restricted account.

[root@linuxnix ~]# cd /home/sahil/myhome/
[root@linuxnix myhome]# ls -l
total 0
[root@linuxnix myhome]# mkdir .ssh
[root@linuxnix myhome]# pwd
/home/sahil/myhome
[root@linuxnix myhome]# ls -ld .ssh/
drwxr-sr-x. 2 root sahil 4096 Jul 21 22:52 .ssh/
[root@linuxnix myhome]# chmod 700 .ssh/
[root@linuxnix myhome]# ls -ld .ssh/
drwx--S---. 2 root sahil 4096 Jul 21 22:52 .ssh/
[root@linuxnix myhome]#

Step 4: Copy the public ssh key from the source user to the authorized_keys file of the destination user
We will now copy the public key file id_dsa.pub of the user nixuser into the authorized_keys file of the user sahil as shown below.

[root@linuxnix ~]# cd ~nixuser/.ssh/
[root@linuxnix .ssh]# scp id_dsa.pub linuxnix:/home/sahil/myhome/.ssh/authorized_keys
root@linuxnix's password:
id_dsa.pub 100% 606 0.6KB/s 00:00
[root@linuxnix .ssh]#

Since I knew this was a new setup I simply copied the key file id_dsa.pub from the source system and saved it as authorized_keys on the destination system. In an existing setup, where the chrooted sftp user already has keys in its authorized_keys file, append the new key as an extra line rather than overwriting the file. Two permission details matter here. sshd opens authorized_keys with the privileges of the user logging in, not as root, so sahil must be able to read both the .ssh directory and the file; if you keep them root-owned, as above, that means leaving the group read and execute bits set (for example mode 750 on the directory and 640 on the file, with group sahil). At the same time StrictModes, which is on by default, rejects the file if it or the directory is owned by anyone other than sahil or root, or is writable by group or others. If you are still prompted for a password after installing the key, check these two points first, with sshd's LogLevel raised if needed.

Step 5: Test the setup
We'll now attempt to sftp to the system linuxnix as the user sahil.

[nixuser@linuxnix ~]$ sftp sahil@linuxnix
Connecting to linuxnix...
The authenticity of host 'linuxnix (192.168.19.128)' can't be established.
RSA key fingerprint is da:ed:4d:82:00:5c:c4:58:3f:9e:bc:52:5b:23:82:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'linuxnix,192.168.19.128' (RSA) to the list of known hosts.
sahil@linuxnix's password:
sftp> ls
sftp> pwd
Remote working directory: /myhome
sftp> quit

As you may have observed from the above command line output, we were prompted for a password even though we had completed the passwordless sftp setup. The reason is that sshd looks up the key file during authentication, which happens before the chroot, so it resolves AuthorizedKeysFile (by default %h/.ssh/authorized_keys, with %h taken from the home directory field of the user's /etc/passwd entry) against the real filesystem. For sahil that field is /myhome, and no such directory exists on the host:

[nixuser@linuxnix ~]$ ls -ld /myhome
ls: cannot access /myhome: No such file or directory
[nixuser@linuxnix ~]$

The workaround for this is to create a soft link on the host, so that /myhome resolves to the directory inside the chroot, as shown below. An alternative that avoids the link altogether, and keeps the keys entirely out of the user's reach, is to set AuthorizedKeysFile in sshd_config to a location outside the chroot, for example /etc/ssh/authorized_keys/%u, and install the key there instead.

[root@linuxnix ~]# ln -s /home/sahil/myhome/ /myhome
[root@linuxnix ~]# ls -l /myhome
lrwxrwxrwx. 1 root root 19 Jul 21 23:01 /myhome -> /home/sahil/myhome/
[root@linuxnix ~]# ls -ld /home/sahil/myhome/
drwxrwsr-x. 3 sahil sahil 4096 Jul 21 23:01 /home/sahil/myhome/
[root@linuxnix ~]#

Now if we try a passwordless sftp login as the user sahil it works. For scripts, pass -o BatchMode=yes to sftp so that a failed key authentication aborts with an error instead of hanging on a password prompt.

[nixuser@linuxnix ~]$ sftp sahil@linuxnix
Connecting to linuxnix...
sftp> pwd
Remote working directory: /myhome
sftp> ls
sftp> quit
[nixuser@linuxnix ~]$
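The server-side part of the procedure (steps 3 to 5), written up as one idempotent shell script. This is an added example, not code from the original article: it assumes the same layout as above (chroot root /home/sahil, in-chroot home /myhome recorded in /etc/passwd) and the function names, the key validation and the demo invocation are our own. It goes a little beyond the transcript in that it refuses to install anything that does not look like a public key, appends a key only if it is not already present, and sets permissions that both satisfy StrictModes and leave the file readable by the account.

```shell
#!/bin/sh
# Added example, not from the original article: server-side helper that
# performs steps 3 to 5 for a chrooted sftp account in one idempotent run.
# Assumed layout (illustrative): the chroot root is /home/<user> and the
# home directory recorded in /etc/passwd is /myhome inside that chroot.
set -eu

# install_sftp_key CHROOT_DIR HOME_IN_CHROOT PUBKEY_FILE OWNER GROUP
# Creates <chroot>/<home>/.ssh, appends the public key to authorized_keys
# unless it is already there, and sets ownership and modes that sshd's
# StrictModes accepts (nothing group- or world-writable) while keeping
# both readable by the account, because sshd opens authorized_keys with
# the logging-in user's privileges, not as root.
install_sftp_key() {
    chroot_dir=$1; home_in_chroot=$2; pubkey=$3; owner=$4; group=$5
    sshdir="$chroot_dir$home_in_chroot/.ssh"
    authkeys="$sshdir/authorized_keys"

    # Accept only a line that starts with a key type we expect; anything
    # else (a private key, an empty file, a stray prompt) is refused
    # before we touch the destination.
    keyline=$(head -n 1 "$pubkey")
    case "$keyline" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing to install unrecognised key data: $keyline" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir"
    touch "$authkeys"

    # Compare on the base64 key material (2nd field) so that re-running
    # the script, or the same key with a different comment, adds no duplicate.
    keydata=$(printf '%s\n' "$keyline" | awk '{print $2}')
    if ! awk -v k="$keydata" '$2 == k { found = 1 } END { exit !found }' "$authkeys"; then
        printf '%s\n' "$keyline" >> "$authkeys"
    fi

    chown "$owner:$group" "$sshdir" "$authkeys"
    chmod 750 "$sshdir"    # owner rwx, group r-x, no world access
    chmod 640 "$authkeys"  # the account (via group) can read but not edit its keys
}

# ensure_home_link LINK TARGET
# sshd expands %h in AuthorizedKeysFile (default %h/.ssh/authorized_keys)
# against the real filesystem before it chroots, so the home directory from
# /etc/passwd must also resolve on the host. Create the symlink the article
# uses if it is missing, and refuse to clobber anything else at that path.
ensure_home_link() {
    link=$1; target=$2
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ] \
            || { echo "$link already points elsewhere: $(readlink "$link")" >&2; return 1; }
    elif [ -e "$link" ]; then
        echo "$link exists and is not a symlink; not touching it" >&2; return 1
    else
        ln -s "$target" "$link"
    fi
}

# key_readable_by_group AUTHKEYS
# True when nothing under .ssh is world-writable and the key file is
# group-readable: the two conditions a root-owned authorized_keys must
# meet for sshd to both accept it (StrictModes) and be able to read it.
key_readable_by_group() {
    authkeys=$1
    sshdir=$(dirname "$authkeys")
    if find "$sshdir" -perm -002 | grep -q .; then
        return 1
    fi
    find "$authkeys" -perm -040 | grep -q .
}

# Worked run for the account from the article (needs root on the sftp host):
#   sh setup_sftp_key.sh demo
if [ "${1:-}" = "demo" ]; then
    install_sftp_key /home/sahil /myhome /home/nixuser/.ssh/id_ed25519.pub root sahil
    ensure_home_link /myhome /home/sahil/myhome
    if key_readable_by_group /home/sahil/myhome/.ssh/authorized_keys; then
        echo "key installed; test with: sftp -o BatchMode=yes sahil@linuxnix"
    else
        echo "permissions on /home/sahil/myhome/.ssh would make sshd ignore the key" >&2
        exit 1
    fi
fi
```

The script takes owner and group as parameters rather than hard-coding root:sahil, so the same functions can be run as an unprivileged user against a scratch directory to check their behaviour before touching the real chroot.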

 

Conclusion

This concludes our demonstration of setting up passwordless sftp authentication for a chrooted user account. We hope that you've found the article useful and we look forward to your feedback and suggestions.


Sahil Suri

He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems along with exposure to high availability and virtualization solutions. He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he's gained over the years with the rest of the community.