6

I've been trying to configure sftp on a Debian server. sshd_config:

Subsystem sftp internal-sftp

UsePAM no

Match User sftpUser
ChrootDirectory /users/sftp/sftpUser
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

Directories:

 drwxr-xr-x   3 root      root      4096 Oct 20 10:59 users

 drwxr-xr-x   3 root      root      4096 Oct 20 11:00 sftp

 drwxr-xr-x   2 root      root      4096 Oct 20 11:00 sftpUser

cat /var/log/auth.log

Oct 20 10:58:22 w1 sshd[24634]: Accepted password for sftpUser from 201.156.103.213 port 34106 ssh2
Oct 20 10:58:22 w1 sshd[24636]: fatal: bad ownership or modes for chroot directory component "/"

sftpUser has no home, bin/false and is a member of user group.

On the client side I'm getting the famous Write failed: Broken pipe and then the connection is dropped. Commenting out the ChrootDirectory command in sshd_config makes the connection work, but lets the user loose.

What am I doing wrong?

Luis M. Valenzuela

1 Answer

13

Using ChrootDirectory option in sshd_config requires some basic understanding of written text.

This is a snapshot from the manual page for sshd_config(5):

ChrootDirectory

Specifies the pathname of a directory to chroot(2) to after authentication. **All components of the pathname must be root-owned directories that are not writable by any other user or group.** After the chroot, sshd(8) changes the working directory to the user's home directory.

This is your error log:

fatal: bad ownership or modes for chroot directory component "/"

This means that you need to make sure to fulfil the emphasised part of the quote: your / needs to be owned by root and have the w ACL only for the owner.

Jakuje
  • This is the users directory. What does the root directory look like, as proposed in comments? `ls -ld /` – Jakuje Oct 20 '15 at 17:34
  • With your answer combined with the comment provided by Michael Hampton the problem was solved. It seems that the root (/) directory was owned by another user different from root. Corrected it with: `chown root:root /` – Luis M. Valenzuela Oct 20 '15 at 17:42
  • If this answer worked for you, please mark it as a solution so it can help the others. – Jakuje Oct 20 '15 at 18:01
  • I want to clarify that `/` means *"directory that becomes / for chrooted user"* – Kondybas Jun 11 '17 at 19:33
  • @Kondybas No. In this case, the `/` is really the `/` of the filesystem, which has the wrong permissions. But the error can look different if you have the permissions wrong somewhere else. – Jakuje Jun 11 '17 at 19:35
  • @Jakuje It's obvious that the real `/` can become owned by a non-root user only by mistake or (way more likely) by misunderstanding of chroot manuals. – Kondybas Jun 11 '17 at 19:41
  • @Kondybas As you can read in the question comments, the mistake really happened and the `/` was really owned by user `suzukiweb` (which is obviously wrong). – Jakuje Jun 11 '17 at 19:42
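
The rule quoted from sshd_config(5) in the answer can be checked for every path component before restarting sshd. The script below is an added example, not part of the original question or answer; the function names `component_ok` and `check_chroot_path` are hypothetical, and it assumes GNU `stat` as shipped with Debian.

```shell
#!/bin/sh
# Added example: per-component chroot path audit (assumes GNU stat, as on Debian).
# Usage after sourcing this file: check_chroot_path /users/sftp/sftpUser

# component_ok UID MODE
# Succeeds only when the owner is root (uid 0) and the octal MODE has neither
# the group-write nor the other-write bit set (mask 022).
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Checks /, then each deeper component, down to DIR. Prints one line per
# component and returns 0 only if every component passes.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "path must be absolute: $1" >&2; return 2 ;;
    esac
    rest=${1#/}
    current=/
    rc=0
    while :; do
        if [ ! -d "$current" ]; then
            echo "BAD  $current (not a directory)"
            return 1
        fi
        # -L follows symlinks, so the directory itself is inspected.
        info=$(stat -L -c '%u %a' "$current") || return 1
        uid=${info% *}
        mode=${info#* }
        if component_ok "$uid" "$mode"; then
            echo "ok   $current (uid=$uid mode=$mode)"
        else
            echo "BAD  $current (uid=$uid mode=$mode)"
            rc=1
        fi
        if [ -z "$rest" ]; then break; fi
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *) rest= ;;
        esac
        if [ -n "$part" ]; then current=${current%/}/$part; fi
    done
    return $rc
}
```

A `BAD  /` line corresponds to the `component "/"` case in the log from the question; any other `BAD` line points at the directory whose owner or mode needs correcting.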