
I migrated a server a while back and it's been working fine, even the chrooted SSH accounts. The client just noticed, however, that on those SFTP doesn't work:

```
Error:  Received unexpected end-of-file from SFTP server
Error:  Could not connect to server
```

The old server was a Debian 7 and the new one is Debian 8, so I assume some of the binaries in the chroot aren't working anymore (gcc 3 --> 4 problem), but that doesn't seem to be a problem for the chrooted SSH, which does work fine. I noticed that if I add a "ForceCommand sftp-internal" in the Match block for the user, SFTP works fine. But of course that breaks the SSH. The subsystem used for SFTP is /usr/lib/openssh/sftp-server. I tried switching to "sftp-internal" with no success; even worse, that breaks SFTP for non-chrooted accounts.

Any ideas? Running sshd in DEBUG doesn't output any error when trying to log in from an SFTP client.

TL;DR:

  • SSH into chrooted or non-chrooted accounts: OK
  • SFTP into non-chrooted account: OK
  • SFTP into chrooted account: NOK

Thanks

EDIT:

The chroot is defined like this:

```
Match User some_user
    ChrootDirectory /ha.0/some_user
```

And that directory contains a filesystem with everything needed: bash, some libs...

EDIT 2: Complete ssh config

```
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

ChallengeResponseAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp sftp-internal

UsePAM yes

AllowUsers ...

AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2

Match User some_user
    ChrootDirectory /ha.0/some_user
```
Ulrar
  • For starters, perhaps you could share some details on how the chroot is set up/defined, what extra sshd and user config you have in place, etc? – andol Dec 28 '16 at 12:33
  • I added that but nothing fancy, pretty standard chroot – Ulrar Dec 28 '16 at 12:46
  • Isn't it `internal-sftp` rather than `sftp-internal`? Overall, I expect the problem is that when you're not using the internal SFTP subsystem your problem is missing files for the sftp service inside the chroot. – Håkan Lindqvist Dec 28 '16 at 12:54
  • I don't think the files are missing, I think they just aren't valid for Debian 8 since the libc wasn't compiled with the same flags. Since ForceCommand works, the ideal would be to be able to use the internal one just for those users. Is there a way to do that? Adding the subsystem option inside a match block doesn't seem to be valid... – Ulrar Dec 28 '16 at 13:09
  • 1) Post your configuration that does not work in `sshd_config`. 2) What errors are in the server logs? 3) Do you have [correct permissions](http://serverfault.com/questions/730305/fatal-bad-ownership-or-modes-for-chroot-directory-component-in-sftp/730333#730333) on `chroot` path? – Jakuje Dec 28 '16 at 18:04
  • I added the complete config. No error in the logs even in DEBUG. Yes, the permissions are valid (the chrooted / is root:root, the rest is to the user) and chrooted ssh does work fine, only SFTP doesn't. – Ulrar Dec 29 '16 at 10:13

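The hypothesis raised in the comments (files for the external `sftp-server` missing from the chroot) can be checked statically. The script below is an added example, not part of the original thread: the function names are hypothetical, it assumes `readelf` from binutils is installed, and it only reports files that are absent, not binaries or libraries built for a different release.

```shell
#!/bin/sh
# Added example (not from the thread): static check that an external
# "Subsystem sftp" binary can be found and loaded inside a ChrootDirectory.

# Path given by "Subsystem sftp <path>" (commented-out lines are skipped).
sftp_subsystem_path() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# ChrootDirectory from the "Match User <user>" block of an sshd_config.
chroot_for_user() {
    awk -v u="$2" '
        tolower($1) == "match" { hit = (tolower($2) == "user" && $3 == u); next }
        hit && tolower($1) == "chrootdirectory" { print $2; exit }' "$1"
}

# ELF loader path and NEEDED sonames, read with readelf. ldd is avoided on
# purpose: it can run code from the file, and this tree is user-writable.
elf_interp() { readelf -l "$1" 2>/dev/null | sed -n 's/.*program interpreter: \(.*\)\]/\1/p'; }
elf_needed() { readelf -d "$1" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\(.*\)\]/\1/p'; }

# Print what is missing under the chroot; return 0 only if nothing is.
check_chroot_sftp() {   # args: <sshd_config> <user>
    sub=$(sftp_subsystem_path "$1")
    root=$(chroot_for_user "$1" "$2")
    if [ -z "$root" ]; then echo "no ChrootDirectory for $2"; return 2; fi
    if [ "$sub" = "internal-sftp" ]; then return 0; fi   # in-process server
    if [ ! -x "$root$sub" ]; then echo "missing: $sub"; return 1; fi
    rc=0
    interp=$(elf_interp "$root$sub")
    if [ -n "$interp" ] && [ ! -e "$root$interp" ]; then
        echo "missing: $interp"; rc=1
    fi
    # Sonames are searched anywhere under the chroot (an approximation of
    # the loader's real search path).
    for so in $(elf_needed "$root$sub"); do
        if [ -z "$(find "$root" -name "$so" 2>/dev/null | head -n 1)" ]; then
            echo "missing: $so"; rc=1
        fi
    done
    return $rc
}
```

Called as `check_chroot_sftp /etc/ssh/sshd_config some_user`, it prints one `missing:` line per absent file and returns non-zero if any are found.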