Chrooted ssh user cannot ssh into server : broken pipe

Question

I just tried the following to add a new user, chroot the user and give him access to the folder /home/me/public_html via sftp and ssh :

##the following command are done by root or a sudo user
useradd <username>
##add password for new user
passwd <username>
## add user to sudo group which could be wheel or sudo depending on your setup
usermod -G wheel <username>
##add user to apache as the public html folder is part of that group
usermod -G apache <username>
##Edit sshd_config to chroot the user. Path here below is on Centos or Redhat and with nano editor up and running
nano /etc/ssh/sshd_config 

##add the end of the file add
Match User <username>
    ChrootDirectory /path/of/choice

    ForceCommand internal-sftp
## control X and save
service sshd restart

in sshd_config I have now

Match User <username>

    ChrootDirectory /home/me/public_html

ForceCommand internal-sftp has been removed as line as there is no need to not allow SSH access based upon common made here below.

When I try to log in now I see

ssh <username>@domain.com
debug1: Next authentication method: password
<username>@domain.com's password: 
debug1: Authentication succeeded (password).
Authenticated to domain.com ([xx.xxx.xx.xxx]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe

Using SFTP in the log I see

Trace:  Sent password
Trace:  Access granted
Trace:  Connection reset by peer
Error:  Connection reset by peer
Error:  Could not connect to server

I don't think you quite understand how this all works. You ask a question and get answers to that question. Changing the question mid flow really doesn't help anyone. Your problem is you're not reading the documentation - honestly it's there for a reason. — user9517, Jun 19 '14 at 08:22
I am using chroot for the first time and am pretty new to server admin business, yes. Why would I otherwise bother asking questions like these. I am trying to figure this out and have been working on adding users, adding them to groups and implementing chroot because I do not want the new user to access all for the last 2 hours. So yes, I do not get it all. But I am not just punching some code. I read and learn as much as I can and I ask for help to move on. The answer given was appreciated. — rhand, Jun 19 '14 at 08:28
Well, the important thing to learn when doing something new is to read the documentation. I can't stress that enough. — user9517, Jun 19 '14 at 08:31
@Iain reading the documentation is great. understanding the documentation isn't as easy for some. perhaps you could *point out* some key areas. — frumbert, Mar 22 '16 at 23:36
@frumbert I nolonger provide Reading Manuals as a Service. If you look at mu answer I did at the time though. — user9517, Mar 23 '16 at 06:53

user9517 · Answer 1 · 2014-06-19T08:02:40.993

2

ForceCommand internal-sftp

You won't be able to ssh into the system if you are forcing internal-sftp.

You likely have other configuration problems too for instance I expect you're not meeting the file user:group ownership requirements - from the documentation ...

ChrootDirectory Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user’s home directory.

edited Jun 19 '14 at 08:02

answered Jun 19 '14 at 07:53

user9517

115,471
20
215
297

commenting out that line `ForceCommand internal-sftp` in sshd_config and restarting did not help nor did SFTP work before that. – rhand Jun 19 '14 at 07:57
1

Then you have more problems, most likely you forgot to make /home/me/public_html owned by root with group root. – user9517 Jun 19 '14 at 07:58
the public_html folder I want to give the user access to is owned by apache and I added that user to it. I wonder why it should be owned by root? It is owned by another user now, but in the group apache and chmod 755. Even with 775 / `drwxrwxr-x 2 me apache 4096 Jun 18 17:42 public_html` no joy – rhand Jun 19 '14 at 08:03
1

Please read the documentation it contains important information that you need to know and address. – user9517 Jun 19 '14 at 08:05

score 2 · Accepted Answer · answered Jun 19 '14 at 13:24

Setting up chroot for general SSH access is a lot more difficult than setting up chroot for just SFTP. The "internal-sftp" feature doesn't require the SSH server to launch any external programs, so the chroot environment doesn't have to support running external programs. To provide general SSH access, you have to configure the chroot environment with additional files to let it launch external programs.

The details of setting up a chroot environment depend on the specific operating system that you're running. Here are several example pages which should give you an idea what needs to be done.

http://allanfeid.com/content/creating-chroot-jail-ssh-access
http://wiki.gentoo.org/wiki/Chroot (Gentoo Linux)
https://www.gentoo.org/proj/en/base/x86/chroot.xml (Gentoo again)
http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
https://help.ubuntu.com/community/BasicChroot (Ubuntu)

I made /var/www/ root:root (folder above public folder) and /var/www/html user:apache and I made progress. Just as you mentioned I miss some essential files why external programs like SSH do not function. That is why I had the error `/bin/bash: No such file or directory` Sure I will work these out based upon your firstly added link. Thanks! — rhand, Jun 22 '14 at 12:51

Chrooted ssh user cannot ssh into server : broken pipe

2 Answers2