
I set up a jail for a remote user under SSH (Cygwin), and he is jailed at /jail/user/home/user. When he connects with some SFTP client (e.g. FileZilla), he can access his /home/user folder and control it, but also the /dev folder. In this folder, he can read and write, but not delete or download files.

Is there something wrong with the ChrootDirectory directive in the sshd_config file?

jiyamesu
  • Did you add the command as part of a Match Group statement? If so, is your user part of the group? – Some Linux Nerd Sep 30 '14 at 21:19
  • I mainly add that because I just tried with my test user and totally forgot to add my "sftp" group as a supplemental group. – Some Linux Nerd Sep 30 '14 at 21:21
  • As an addition, I tested the following and it did not allow access to /dev. Match Group sftp ChrootDirectory /home/sftp/ AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp – Some Linux Nerd Sep 30 '14 at 21:22
  • Oh whoops, didn't see that you're using win2008. God only knows... – Some Linux Nerd Sep 30 '14 at 21:33
  • Yes, there's the `match` statement: `Match Group [GROUPNAME] ChrootDirectory /jail/%u ForceCommand internal-sftp X11Forwarding no AllowTcpForwarding no` The user is a member of the group and can't view other folders, except `/dev`. I changed `ChrootDirectory` to `/home/[USER]`, but it doesn't work either. This setting is at the bottom of the sshd_config file. Could the `X11Forwarding` directive have some influence in this case? – jiyamesu Sep 30 '14 at 22:08
  • I recently tried setting up an sftp server using cygwin and found myself spending so much time trying to get it to work that I looked at other options. There are a couple of free ones, which I tried, but ended up buying the Bitvise server. It costs about the same as 2 or so hours of your time. But I can highly recommend it as it should work out cheaper if you count your time. Everything just works and works as you would expect it to work. I have no relation with Bitvise, other than that purchase. – Ian Murphy Oct 01 '14 at 14:39
  • I should add that I saw exactly the same problem you mention and never managed to restrict it. In this case I needed a restricted sftp server as it was going to be used to exchange sensitive files with 3rd parties. – Ian Murphy Oct 01 '14 at 14:42
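Added example, not code from the question or from any commenter: a POSIX shell reproduction of the ownership and mode check that OpenSSH's sshd applies to every component of a ChrootDirectory path before it will chroot a session, so the jail path can be verified before digging into the Match block. It assumes GNU/Cygwin `stat -c` and an absolute path; the expected owner uid is a parameter (default 0) because the page does not say how this Cygwin installation maps root.

```shell
#!/bin/sh
# Added example (not from the question or its comments). sshd refuses a
# ChrootDirectory unless every component of the path, from the directory
# itself up to /, is owned by root and is neither group- nor world-writable;
# otherwise the login fails and sshd logs
# "bad ownership or modes for chroot directory component".
# Assumptions: GNU/Cygwin stat(1) with -c, absolute paths, and OWNER_UID
# given explicitly where the root account does not map to uid 0.

# component_ok PATH OWNER_UID -> 0 if PATH is owned by OWNER_UID and not
# writable by group or others; prints the reason and returns 1 otherwise.
component_ok() {
    uid=$(stat -c %u "$1") || return 2
    mode=$(stat -c %a "$1") || return 2
    perms=${mode#"${mode%???}"}                 # last three octal digits
    grp=$(printf '%s' "$perms" | cut -c2)       # group rwx digit
    oth=$(printf '%s' "$perms" | cut -c3)       # other rwx digit
    if [ "$uid" != "$2" ]; then
        echo "$1: owned by uid $uid, expected $2"
        return 1
    fi
    # the write bit is set in octal digits 2, 3, 6 and 7
    case $grp$oth in
        *[2367]*) echo "$1: mode $mode is group- or world-writable"; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER_UID] -> prints each offending component and
# returns 0 only if the whole chain DIR, DIR/.., ..., / passes.
check_chroot_path() {
    cur=$1
    owner=${2:-0}
    rc=0
    while :; do
        component_ok "$cur" "$owner" || rc=1
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}
```

Run it as `check_chroot_path /jail/user` (or with the uid the Cygwin root account actually gets) and fix every component it prints before changing anything else in sshd_config.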

0 Answers