
I'm having problems setting up sftp with a ChrootDirectory. I've done an equivalent setup on other distros, but for some reason I cannot get it to work on a Redhat AMI.

The changes to my sshd_config file are:

Subsystem       sftp    internal-sftp

Match Group ftponly
      PasswordAuthentication yes
      X11Forwarding no
      ChrootDirectory %h
      ForceCommand internal-sftp
      AllowTcpForwarding no

I have the concerned users' homes at /home/user, owned by root. After connecting with a user in the ftponly group, I'm dropped into / without permissions for anything, and am unable to do anything.

sftp bob@localhost
Connecting to localhost...
bob@localhost's password: 
sftp> pwd
Remote working directory: /

I can connect normally with users not in the ftponly group.

OpenSSH version 5.3

I've experimented with different permissions, as well as having users own their own home directory (gives a Write failed: Broken pipe error), and so far, nothing has seemed to work.

I'm sure it's a permissions error, or something equally as trivial, but at this point my eyes are beginning to glaze over, and any help would be greatly appreciated.

EDIT:

James and Madhatter, thanks for clarifying. I was confused by chroot dropping me in /... just didn't think through it properly. I've added the appropriate directories and permissions to get read access. One other key part was enabling write access to chrooted homes:

setsebool -P ssh_chroot_rw_homedirs on

in order to get write access. I think I'm all set now. Thanks for the help.

  • Ummm, you say that you're chrooting the bob user to ./home/bob, which is owned by root, yes? In that case, aren't you seeing exactly what you'd expect? What's in `/home/bob` as far as root is concerned? And what's in `/` as far as the captive bob user is concerned? – MadHatter Nov 06 '12 at 20:52
  • Actually this is/was working correctly, the issue was that I needed to extend r/w permissions to /home/bob. Chmod 0755 did the trick. I had previously tried having bob, or the ftpusers group own /home/bob, but I guess you really have to have root own the file, but have r/w permissions for other users. – callwithcurrentconfusion Nov 06 '12 at 21:16

1 Answer


ChrootDirectory %h will chroot the user's home directory to /. I may be wrong, but the reason that you cannot do anything is because the necessary support files do not exist in the chroot jail. A quick search for "configure ssh chroot" brings me to this page http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229 where you make the necessary files available.

James Park-Watt
  • With respect, I think you're wrong. The man page for `sshd_config` says that in the ChrootDirectory directive, "%h is replaced by the home directory of the user being authenticated", which in this case is `/home/bob`, no? – MadHatter Nov 06 '12 at 20:53
  • That's right, you are only rephrasing what I am saying; sorry if it didn't come across right. You will never see /home/bob in your path because / IS /home/bob. – James Park-Watt Nov 06 '12 at 20:56
  • Ah, I see what you're saying; yes, I agree - a chroot'ed user will see their initial directory as /, whatever it really is to a non-chrooted user. Sorry! Have an upvote! – MadHatter Nov 06 '12 at 20:58