-1

I am attempting to chroot jail using the /etc/ssh/sshd_config file. My FTP server is vsftpd, and while I know how to chroot jail using vsftpd's config, I want to try it using sshd_config. However, modifying the sshd_config file as I am is preventing FTP connections for only the users I am trying to jail.

Verifying my SSH protocol version is higher than 5.0:

telnet <host> 22:
SSH-2.0-OpenSSH_5.3

Adding a user:

groupadd testgroup
useradd -d /home/testdir/testuser -g testgroup testuser
chown -R root:testgroup /home/testdir
chmod -R 775 /home/testdir

sshd_config file:

Subsystem sftp internal-sftp

Match group testgroup
ChrootDirectory /home/testdir/%u
ForceCommand internal-sftp
AllowTcpForwarding no

After restarting sshd and vsftpd:

service sshd restart
service vsftpd restart

My testuser receives the following error while attempting to FTP in using Filezilla:

Status: Connecting to <host>...
Response:   fzSftp started
Command:    open "testuser@<host>" 22
Command:    Pass: ********
Error:  Network error: Software caused connection abort
Error:  Could not connect to server

If I create a new user on a different group, he can FTP in fine without this error. This leads me to conclude that my sshd_config file is not set up correctly.

Matthew Moisen
  • sftp and vsftp are two different protocols – c4f4t0r Dec 10 '15 at 19:15
  • @c4f4t0r Oh, I thought that vsftpd was a sftp server. I'll take a look into another one. – Matthew Moisen Dec 10 '15 at 19:16
  • @c4f4t0r If I shut down vsftpd and attempt to ftp in with Filezilla, I receive the same error. – Matthew Moisen Dec 10 '15 at 19:18
  • What can you find in server log? There should be note why the connection failed. I believe [this answer](http://serverfault.com/questions/730305/fatal-bad-ownership-or-modes-for-chroot-directory-component-in-sftp/730333#730333) will solve your problems. – Jakuje Dec 10 '15 at 19:26

1 Answer

0

SSH chrooting doesn't work like vsftpd chroot. You need to have a basic system available in your chroot directory. Please follow this guide to do it right:

http://allanfeid.com/content/creating-chroot-jail-ssh-access

If you only need SFTP, it's a bit easier to chroot users - follow this guide instead: https://wiki.archlinux.org/index.php/SFTP_chroot

Also be sure to check your user's directories for having the right permissions. More details in this answer.

Anubioz
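
The permission check that the answer and Jakuje's comment point to, as an added example that is not part of the original thread: sshd only accepts a ChrootDirectory when every directory in the path is owned by root and not writable by group or others, which the `chmod -R 775` in the question does not satisfy. The function names are made up for this example, and it assumes GNU `stat` (Linux).

```shell
#!/bin/sh
# Added example (not from the original post). Needs GNU stat (Linux).
# sshd refuses to chroot unless every directory in the ChrootDirectory
# path is owned by root and not writable by group or others.

# check_component DIR [UID]: test one directory; UID defaults to 0 (root).
check_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory" >&2
        return 1
    fi
    meta=$(stat -L -c '%u %a' "$dir") || return 1
    owner=${meta% *}
    mode=${meta#* }
    if [ "$owner" -ne "$want_uid" ]; then
        echo "FAIL $dir: owner uid $owner, expected $want_uid" >&2
        return 1
    fi
    # 022 octal = group-write and other-write bits
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group/other writable" >&2
        return 1
    fi
    echo "ok   $dir ($owner, $mode)"
}

# check_chroot_path PATH [UID]: check PATH and each parent up to /.
check_chroot_path() {
    case $1 in
        /*) p=$1 ;;
        *)  echo "path must be absolute: $1" >&2; return 2 ;;
    esac
    rc=0
    while :; do
        check_component "$p" "${2:-0}" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Example: sh check.sh /home/testdir/testuser
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as root against the expanded `%u` path (for example `/home/testdir/testuser`); any `FAIL` line names a directory sshd will reject.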