SFTP Chroot Ubuntu 10.10

Question

I'm trying to give an SFTP only access to his home directory to a user.

This is the /etc/passwd line for the user:

bob:x:1003:1003::/home/bob:/bin/false

I edited the /etc/ssh/sshd_config file like that:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Match user bob
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

Then I restart ssh: sudo service ssh restart

If I try sftp bob@myserver.com everything works well.

Then I try to Chroot bob to his home, so I add ChrootDirectory /home/bob in the right place:

Match user bob
            ChrootDirectory /home/bob
            AllowTcpForwarding no
            X11Forwarding no
            ForceCommand internal-sftp

I changed the permission to bob home:

drwxr-xr-x  3 root    root      4096 2014-02-27 13:13 bob

Now when I try sftp bob@myserver.com the answer is:

Write failed: Broken pipe
Connection closed

my OpenSSH version is 1:5.5p1-4ubuntu6

Where I'm wrong??? Where I can look to solve my problem???

EDIT: after a bit of debugging i found this error message:

bad ownership or modes for chroot directory component "/"

Ok resolved... error messages doesn't lie... The / directory was not owned by root but by another admin user (incredible...), so after `chown root.root /` everything works. THX to all!!! — bicccio, Feb 27 '14 at 14:51

Chris · Answer 1 · 2014-02-27T14:06:46.240

1

I think you just have to specify ChrootDirectory /home it will substitute to /home/bob automagically. Otherwise it is looking into /home/bob/bob

Edit: Also make sure that the chroot directory is owned by root and is not group writable. If you need to have a writable directory then you need to create a subfolder

chown root /home/bob
chmod go-w /home/bob
mkdir /home/bob/writeable
chown bob:sftponly /home/bob/writeable
chmod ug+rwX /home/bob/writeable

edited Feb 27 '14 at 14:06

answered Feb 27 '14 at 13:05

Chris

607
1
7
18

Thx @Chris for the answer, but nothing changes... – bicccio Feb 27 '14 at 13:14
probably you need to dig into some logfiles to see more details. /var/log/auth.log or similar – Chris Feb 27 '14 at 13:41

score 0 · Answer 2 · answered Feb 27 '14 at 14:05

man sshd_config

Specifies the pathname of a directory to chroot(2) to after authentication.  All components of the pathname must be root-owned directories that are not writable by any other user or group.

This works, because /home is owned by root and not writable by others users

Match user pippo
        ChrootDirectory /home
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

In this ways, that doesn't works, because ChrootDirectory /home/pippo is not owned by root and is writable by others users

Match user pippo
        ChrootDirectory /home/pippo
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

SFTP Chroot Ubuntu 10.10

2 Answers2

Linked