
I'm trying to set up an SFTP server on AWS that multiple customers can use to upload data securely. It is important that they are not able to see the data of any other customer, and to do that I need to jail the directories with ChrootDirectory in

My sshd_config has the following:

Subsystem sftp internal-sftp
Match Group sftponly
        ChrootDirectory /home/chroot/ftptest/
        AllowTcpForwarding no
        ForceCommand internal-sftp

If I comment out the ChrootDirectory line everything works fine, except that you can see all the files on the system. I configured everything based off of the instructions here using vsftpd, and I am using ssh keys to control access to each of the customer accounts, as per Amazon's instructions. I am using the Amazon AMI.

Edit: I changed the chroot directory to /home/chroot/ftptest/ and created directories with the following permissions:

ls -ld / /home /home/chroot /home/chroot/ftptest/
dr-xr-xr-x 25 root    root    4096 Feb 23 03:28 /
drwxr-xr-x  6 root    root    4096 Feb 23 20:26 /home
drwx--x--x  3 root    root    4096 Feb 23 20:27 /home/chroot
drwxr-xr-x  2 ftptest ftptest 4096 Feb 23 20:27 /home/chroot/ftptest/

It's still not working. In /var/log/secure I see

Authentication refused: bad ownership or modes for directory /home/ftptest

even though /home/ftptest isn't the directory I am trying to chroot to. Why would it be throwing an error for that directory? Could this be an issue with the ~/.ssh directory?

  • So are you using `vsftpd` or `openssh` for the `sftp` server? What package versions are you using? What are the [permissions on the chroot directory](http://serverfault.com/questions/730305/fatal-bad-ownership-or-modes-for-chroot-directory-component-in-sftp/730333#730333)? What errors can you see? – Jakuje Feb 23 '17 at 07:46
  • @jakuje I thought I was using vsftpd, although I'm now noticing that if I stop the service I can still connect (as long as I'm not using Chroot). I'm using vsftpd 2.2.2. The permissions on the home directory are that it's owned by the user logging in, although I've also tried with it owned by root. – Jordan Bentley Feb 23 '17 at 15:20
  • @jakuje the error I get is "Broken transport; encountered EOF. The connection attempt was rejected. The server may be down, or your network may not be properly configured." – Jordan Bentley Feb 23 '17 at 15:20
  • The errors from server. – Jakuje Feb 23 '17 at 15:23
  • @jakuje I've updated the question with errors from the server. – Jordan Bentley Feb 23 '17 at 20:34
  • Possible duplicate of [fatal: bad ownership or modes for chroot directory component "/" in SFTP](http://serverfault.com/questions/730305/fatal-bad-ownership-or-modes-for-chroot-directory-component-in-sftp) – Jakuje Feb 23 '17 at 20:52
  • @jakuje that's not exactly what is happening here, it seems to be saying that I have a bad ownership mode for a directory that isn't in my chroot path. I've made sure that everything in my chroot path is root owned and not writeable by any other user or group. – Jordan Bentley Feb 23 '17 at 21:05
  • It is indeed the directory you are trying to chroot `ftptest` user according to the configuration you provided. `/home/%u` expands to `/home/ftptest`. – Jakuje Feb 24 '17 at 07:27
  • @jakuje sorry, I didn't make it clear that in the edit I changed the config to read "ChrootDirectory /home/chroot/ftptest/" and am still getting an error saying that it can't read /home/ftptest, even after I restarted the service. Could this be an issue with the ssh certificate? – Jordan Bentley Feb 24 '17 at 18:46

2 Answers


The chroot directory should be owned by root, but then you can create a folder underneath (e.g. files, upload) with permissions for your user.

olivierg

The "Match Group" section matches the user's UNIX account group, so if ftptest isn't in the group sftponly, or the group doesn't exist, add it:

# groupadd sftponly
# usermod -a -G sftponly ftptest

That should get it working, the problem is that if you add anyone else to that group, they all get the same folder, so if you want one user to get chroot'd, the easy way is to do something like

Match User ftptest
  ChrootDirectory /home/chroot/ftptest
  ForceCommand internal-sftp
  AllowTcpForwarding no

Now ftptest connects and gets their own folder. If you have lots of users, add them to group sftponly and use this config:

Match group sftponly
  ChrootDirectory /home/chroot/%u
  ForceCommand internal-sftp
  AllowTcpForwarding no

This will give all of them their own sandboxed folders (make sure you mkdir their folder and give it the correct permissions).

Logan
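The "bad ownership or modes" refusal in the question comes from sshd checking every component of the ChrootDirectory path, from `/` down to the target, for root ownership and the absence of group/other write bits. The script below is an added example (not from the question, either answer, or OpenSSH itself) that reproduces those two checks so a path like `/home/chroot/ftptest` can be verified before restarting sshd. It assumes `ls -ldn` prints the mode string in field 1 and the numeric owner uid in field 3; `CHROOT_OWNER_UID` is an assumed knob that defaults to root (uid 0) and exists only so the checker can be tried without root.

```shell
#!/bin/sh
# Reproduce sshd's ChrootDirectory checks on every component of a path:
# each directory must be root-owned and not writable by group or others.

# Owner every component must have. Root (uid 0) is what sshd demands; the
# variable only exists so the checker can be exercised without root.
CHROOT_OWNER_UID="${CHROOT_OWNER_UID:-0}"

# Print each ancestor of an absolute path, root first, one per line:
# /home/chroot/ftptest/ -> / /home /home/chroot /home/chroot/ftptest
path_components() {
    p=$(printf '%s' "$1" | sed 's:/*$::')   # drop trailing slashes
    echo /
    (                                       # subshell keeps IFS change local
        IFS=/
        acc=
        for part in $p; do
            [ -n "$part" ] || continue
            acc="$acc/$part"
            echo "$acc"
        done
    )
}

# Check one directory: print a reason and return 1 for each violation.
check_component() {
    d=$1
    out=$(ls -ldn "$d" 2>/dev/null) || { echo "$d: cannot stat"; return 1; }
    set -- $out                             # $1 = mode string, $3 = owner uid
    rc=0
    if [ "$3" != "$CHROOT_OWNER_UID" ]; then
        echo "$d: owned by uid $3, expected uid $CHROOT_OWNER_UID"; rc=1
    fi
    case $1 in                              # char 6 = group w, char 9 = other w
        ?????w*|????????w*) echo "$d: writable by group or others ($1)"; rc=1 ;;
    esac
    return $rc
}

# Walk the whole chain; return 0 only if sshd would accept it as a chroot.
check_chroot_path() {
    status=0
    for c in $(path_components "$1"); do    # paths without whitespace assumed
        check_component "$c" || status=1
    done
    return $status
}
```

Run `check_chroot_path /home/chroot/ftptest` after sourcing the file; an empty report with exit status 0 means the chain is acceptable, while each printed line names the component and the reason sshd would reject it.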