Hello,
I am trying to limit user access in sftp;
I've defined a user like this:
TdPMC504:50::/home/TdPMC:/bin/bash
In /etc/ssh/sshd_config, I've modified the original file to obtain this:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
AllowGroups ftp
AllowUsers TdPMC
Match User TdPMC
ChrootDirectory /home/TdPMC
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
The connection doesn't work with FileZilla:
Command: open "TdPMC@PODR" 22
Command: Trust new host key: Once
Command: Pass: *****
Error: Network error: Software caused connection abort
Error: Could not connect to server
If I comment out the line:
#ChrootDirectory /home/TdPMC
the connection becomes OK:
Command: open "TdPMC@PODR" 22
Command: Trust new host key: Once
Command: Pass: *****
Error: Network error: Software caused connection abort
Error: Could not connect to server
Status: Connecting to PODR...
Response: fzSftp started
Command: open "TdPMC@PODR" 22
Command: Trust new host key: Once
Command: Pass: *****
Status: Connected to PODR
Status: Retrieving directory listing...
Command: pwd
Response: Current directory is: "/home/TdPMC"
Could you help me resolve my problem?
Thanks
ChrootDirectory doesn't work for sftp user
Re: ChrootDirectory doesn't work for sftp user
OpenSSH sftp chrooting has very particular requirements about the permissions of the chroot directory. In my Puppet setup I have this:
file {"/sftp":
  ensure  => directory,
  owner   => root,
  group   => root,
  mode    => '0755',
  require => Group["sftponly"]
}
file {"/sftp/home":
  ensure  => directory,
  owner   => root,
  group   => root,
  mode    => '0755',
  require => File["/sftp"]
}
file {"/sftp/home/user":
  ensure  => directory,
  owner   => root,
  group   => sftponly,
  seltype => user_home_dir_t,
  mode    => '0755',
  require => File["/sftp/home"]
}
file {"/sftp/home/user/writeabledir":
  ensure  => directory,
  owner   => user,
  group   => sftponly,
  seltype => user_home_dir_t,
  mode    => '0755',
  require => File["/sftp/home/user"]
}
selboolean {"ssh_chroot_rw_homedirs":
  name       => "ssh_chroot_rw_homedirs",
  persistent => true,
  value      => on,
  require    => Group["sftponly"]
}
and in /etc/ssh/sshd_config:
Match Group sftponly
    ChrootDirectory /sftp/home/%u
    ForceCommand internal-sftp
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
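The rule sshd applies to a ChrootDirectory is stricter than "the directory must be root-owned": sshd walks every component of the path, from / down to the chroot itself, and refuses the session with "bad ownership or modes for chroot directory component" if any component is not owned by root or is group- or world-writable. The following bash script is an added example, not code from this thread or from OpenSSH; it reproduces that walk so you can find the offending component before restarting sshd. It assumes GNU coreutils stat (the -c format flags) and a Linux box; the function name check_chroot_path is my own.

```bash
#!/usr/bin/env bash
# Walk every path component of a prospective ChrootDirectory and apply the
# two rules sshd enforces on each one: owned by root (uid 0) and not
# group- or world-writable (no 022 bits in the mode). Prints one line per
# offending component and returns non-zero if anything is wrong, 0 if the
# whole path would be accepted by sshd.
check_chroot_path() {
    local target="$1" p="" comp bad=0
    # The check starts at "/" itself, then each directory down to the target.
    local components=("/")
    local parts
    IFS='/' read -r -a parts <<< "$target"
    for comp in "${parts[@]}"; do
        [ -n "$comp" ] || continue
        p="$p/$comp"
        components+=("$p")
    done

    for p in "${components[@]}"; do
        if [ ! -e "$p" ]; then
            printf 'missing: %s\n' "$p"
            bad=1
            continue
        fi
        local uid perm
        uid=$(stat -c '%u' "$p")    # numeric owner (GNU stat)
        perm=$(stat -c '%a' "$p")   # octal mode without leading zero, e.g. 755 or 1777
        if [ "$uid" != 0 ]; then
            printf 'not root-owned (uid %s): %s\n' "$uid" "$p"
            bad=1
        fi
        # 8#... forces octal; 022 = group-write | other-write, exactly what sshd rejects
        if (( 8#$perm & 8#022 )); then
            printf 'group/world writable (mode %s): %s\n' "$perm" "$p"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: ./chroot_check.sh /sftp/home/TdPMC
if [ -n "${1:-}" ]; then
    check_chroot_path "$1"
fi
```

Run it against the expanded chroot path (with %u replaced by the real user name) as root; a clean run prints nothing and exits 0. Only the chroot and its parents must satisfy these rules, so a user-writable upload directory belongs below the chroot, as in the writeabledir above, never at the chroot itself.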
Re: ChrootDirectory doesn't work for sftp user
Thanks for your advice.
I don't have Puppet, so I did this:
[root@PODR /]# mkdir /sftp
[root@PODR /]# chmod 755 /sftp
[root@PODR /]# mkdir /sftp/home
[root@PODR /]# chmod 755 /sftp/home
[root@PODR /]# mkdir /sftp/home/TdPMC
[root@PODR /]# chown root:sftponly /sftp/home/TdPMC
[root@PODR /]# mkdir /sftp/home/TdPMC/writeabledir
[root@PODR /]# chown TdPMC:sftponly /sftp/home/TdPMC/writeabledir
I don't understand this part of the Puppet setup:
selboolean {"ssh_chroot_rw_homedirs":
name => "ssh_chroot_rw_homedirs",
persistent => true,
value => on,
require => Group["sftponly"]
}
I modified /etc/ssh/sshd_config like this:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
#Subsystem sftp internal-sftp
#AllowGroups ftp
#AllowUsers TdPMC
#Match User TdPMC
Match Group sftponly
ChrootDirectory /sftp/home/%u
ForceCommand internal-sftp
# X11Forwarding no
# AllowTcpForwarding no
I restarted sshd with:
/etc/init.d/sshd restart
I still have my problem.
Thanks for all
Re: ChrootDirectory doesn't work for sftp user
Puppet's use of selboolean equates to the setsebool -P ssh_chroot_rw_homedirs 1 command.
Re: ChrootDirectory doesn't work for sftp user
I executed:
[root@PODR ~]# setsebool -P ssh_chroot_rw_homedirs 1
[root@PODR ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
I get the same errors:
Command: open "TdPMC@PODR" 22
Command: Trust new host key: Once
Command: Pass: *****
Error: Network error: Software caused connection abort
Error: Could not connect to server
Re: ChrootDirectory doesn't work for sftp user
/var/log/secure shows this:
[root@PODR ~]# tail -f /var/log/secure
Nov 10 17:09:57 PODR sshd[49585]: Server listening on :: port 22.
Nov 10 17:10:01 PODR sshd[50342]: warning: /etc/hosts.allow, line 7: missing ":" separator
Nov 10 17:10:01 PODR sshd[50342]: warning: /etc/hosts.allow, line 8: missing ":" separator
Nov 10 17:10:04 PODR sshd[50342]: Accepted password for TdPMC from 194.5.181.237 port 45292 ssh2
Nov 10 17:10:04 PODR sshd[50342]: pam_unix(sshd:session): session opened for user TdPMC by (uid=0)
Nov 10 17:10:04 PODR sshd[50961]: fatal: bad ownership or modes for chroot directory component "/"
Nov 10 17:10:04 PODR sshd[50342]: pam_unix(sshd:session): session closed for user TdPMC
Nov 10 17:11:12 PODR sshd[49585]: Received signal 15; terminating.
Nov 10 17:11:12 PODR sshd[64218]: Server listening on 0.0.0.0 port 22.
Nov 10 17:11:12 PODR sshd[64218]: Server listening on :: port 22.
Nov 10 17:11:26 PODR sshd[66918]: warning: /etc/hosts.allow, line 7: missing ":" separator
Nov 10 17:11:26 PODR sshd[66918]: warning: /etc/hosts.allow, line 8: missing ":" separator
Nov 10 17:11:32 PODR sshd[66918]: Accepted password for TdPMC from 194.5.181.237 port 45293 ssh2
Nov 10 17:11:32 PODR sshd[66918]: pam_unix(sshd:session): session opened for user TdPMC by (uid=0)
Nov 10 17:11:32 PODR sshd[68009]: fatal: bad ownership or modes for chroot directory component "/"
Nov 10 17:11:32 PODR sshd[66918]: pam_unix(sshd:session): session closed for user TdPMC
Re: ChrootDirectory doesn't work for sftp user
Eureka !
It's resolved by:
chown root:root /sftp/home/TdPMC
chmod 755 /
drwxr-xr-x. 3 root root 4096 Nov 10 15:00 /sftp/home/TdPMC
drwxr-xr-x. 3 root root 4096 Nov 10 14:59 /sftp/home
drwxr-xr-x. 3 root root 4096 Nov 10 14:59 /sftp
drwxr-xr-x. 30 root root 4096 Nov 14 07:49 /
Thanks for all