Secure FTP with chroot jail on OpenWRT

I am a happy user of vsftpd, which gives me every feature I need except encryption. I tried to replace the existing approach but did not succeed. Here is the story.

OpenWRT is a specific platform that does not offer as much flexibility as a typical Linux system. With this in mind, I was searching for a solution that would let multiple users access isolated directories (chroot jails, in fact) on my home storage in a more secure way. FTP sends all data in clear text, and I wanted at least the user/password exchange encrypted.

First I tested SFTP (the openssh-sftp-server package). It works similarly to vsftpd, using Unix users and file permissions. It relies on the SSH transport, so I could disable the unnecessary FTP ports. Unfortunately, this SFTP does not restrict users from accessing the whole file system starting from root. I agree that SFTP allows only read-only access above the home directory, but that is still too much for untrusted FTP users.

I then tried to armour SFTP with chroot jail solutions like RSSH or scponly. The RSSH configuration was quite straightforward on OpenWRT: rssh had to be registered in /etc/shells, and the users, umasks and chroot directories are configured in the single /etc/rssh.conf file. However, I could not make WinSCP in SFTP mode work with SFTP/RSSH at all. After googling for a solution without success, I jumped to the scponly approach. This time again I could not make WinSCP work, even using SCP only :]
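The chroot setup described above has a few preconditions that are easy to get wrong and that silently break logins or, worse, leave the jail writable by the jailed user. The script below is an added example, not code from the original post or from the rssh project: it bundles three pre-flight checks (restricted shell listed in /etc/shells, the account actually using that shell in /etc/passwd, and the jail directory owned by root and not group- or world-writable). The path /usr/bin/rssh, the user name ftpuser and the fixture files are constructed for the demo; every path is a parameter, so the checks run against temp files rather than the live router. The jail-directory check is general chroot hygiene and applies equally to the OpenSSH ChrootDirectory approach, not only to rssh.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for a
# chroot jail served by a restricted shell such as rssh. Every path is a
# parameter, so the demo at the bottom runs against constructed temp files
# (a fake /etc/shells and /etc/passwd plus a temp jail) and never touches
# the real system.

# check_shell_registered SHELLS_FILE SHELL_PATH
# sshd refuses logins for accounts whose shell is not listed in /etc/shells,
# so the restricted shell must appear there as a whole line.
check_shell_registered() {
    grep -qx "$2" "$1"
}

# check_user_shell PASSWD_FILE USER SHELL_PATH
# The jailed account must actually use the restricted shell (7th field).
check_user_shell() {
    awk -F: -v u="$2" -v s="$3" '$1 == u && $7 == s { ok = 1 } END { exit !ok }' "$1"
}

# check_jail_dir DIR [OWNER_UID]
# A chroot directory must exist, be owned by OWNER_UID (root, uid 0, in a
# real deployment) and must not be group- or world-writable; otherwise the
# jailed user can rearrange the jail itself.
check_jail_dir() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -c %u "$dir") || return 1        # stat -c exists on GNU and busybox
    [ "$uid" = "$want_uid" ] || return 1
    mode=$(stat -c %a "$dir")                    # octal mode, e.g. 755
    grp=$(( (0$mode / 8) % 8 ))                  # group permission digit
    oth=$(( 0$mode % 8 ))                        # other permission digit
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# demo: build constructed fixtures and report each check
demo() {
    tmp=$(mktemp -d) || return 1
    printf '/bin/sh\n/usr/bin/rssh\n' > "$tmp/shells"                          # constructed /etc/shells
    printf 'ftpuser:x:1001:1001::/home/ftpuser:/usr/bin/rssh\n' > "$tmp/passwd"  # constructed /etc/passwd
    mkdir "$tmp/jail" && chmod 755 "$tmp/jail"
    me=$(id -u)                                  # demo runs unprivileged, so expect our own uid
    check_shell_registered "$tmp/shells" /usr/bin/rssh && echo "shell registered: ok"
    check_user_shell "$tmp/passwd" ftpuser /usr/bin/rssh && echo "user shell: ok"
    check_jail_dir "$tmp/jail" "$me" && echo "jail 0755: ok"
    chmod 775 "$tmp/jail"
    check_jail_dir "$tmp/jail" "$me" || echo "jail 0775: rejected (group-writable)"
    rm -rf "$tmp"
}

demo
```

On the router itself you would call the functions with the real files, e.g. `check_shell_registered /etc/shells /usr/bin/rssh` and `check_jail_dir /path/to/jail` (owner uid defaults to 0), before pointing any account at the restricted shell.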

Then, in a kind of amok, I fell into PureFTP with its TLS support, installed it and configured it. I had slightly overlooked the difference between SFTP and FTPS: the first is FTP over SSH and the second is FTP with SSL, which is what PureFTP supports. As you can expect, this time again WinSCP could not make my day.

An hour later I was sure that I have a good enough solution for today. I copy my sensitive data to the server using SCP anyway, and my FTP users, even though they talk to the server in clear text, are isolated so that a potential intruder can mess only with the temporarily exchanged FTP files.

This entry was posted in OpenWRT.