ChrootDirectory doesn't work for sftp user

niepce
Posts: 5
Joined: 2017/11/08 15:38:14

ChrootDirectory doesn't work for sftp user

Post by niepce » 2017/11/08 15:51:04

Hello,

I am trying to limit the user's access in sftp;
I've defined a user like this:
TdPMC:x:504:50::/home/TdPMC:/bin/bash

In /etc/ssh/sshd_config, I've modified the original file to obtain this:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
AllowGroups ftp
AllowUsers TdPMC
Match User TdPMC
ChrootDirectory /home/TdPMC
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no


The connection doesn't work with FileZilla:
Commande : open "TdPMC@PODR" 22
Commande : Approbation de la nouvelle clé de l'hôte : Une seule fois
Commande : Pass: *****
Erreur : Network error: Software caused connection abort
Erreur : Impossible d'établir une connexion au serveur

If I comment out the line:
#ChrootDirectory /home/TdPMC
the connection becomes OK:
Commande : open "TdPMC@PODR" 22
Commande : Approbation de la nouvelle clé de l'hôte : Une seule fois
Commande : Pass: *****
Erreur : Network error: Software caused connection abort
Erreur : Impossible d'établir une connexion au serveur
Statut : Connexion à PODR...
Réponse : fzSftp started
Commande : open "TdPMC@PODR" 22
Commande : Approbation de la nouvelle clé de l'hôte : Une seule fois
Commande : Pass: *****
Statut : Connected to PODR
Statut : Récupération du contenu du dossier...
Commande : pwd
Réponse : Current directory is: "/home/TdPMC"

Could you help me resolve my problem?
Thanks

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ChrootDirectory doesn't work for sftp user

Post by TrevorH » 2017/11/08 16:10:07

Openssh sftp chrooting has very particular requirements about the permissions of the chroot directory. In my puppet setup I have this:

        file {"/sftp":
                ensure  => directory,
                owner   => root,
                group   => root,
                mode    => 755,
                require => Group["sftponly"]
                }
        file {"/sftp/home":
                ensure  => directory,
                owner   => root,
                group   => root,
                mode    => 755,
                require => File["/sftp"]
                }
        file {"/sftp/home/user":
                ensure  => directory,
                owner   => root,
                group   => sftponly,
                seltype => user_home_dir_t,
                mode    => 755,
                require => File["/sftp/home"]
                }
         file {"/sftp/home/user/writeabledir":
                ensure  => directory,
                owner   => user,
                group   => sftponly,
                seltype => user_home_dir_t,
                mode    => 755,
                require => File["/sftp/home/user"]
                }
        selboolean {"ssh_chroot_rw_homedirs":
                name    => "ssh_chroot_rw_homedirs",
                persistent      => true,
                value   => on,
                require => Group["sftponly"]
                }
and in /etc/ssh/sshd_config

Match Group sftponly
        ChrootDirectory /sftp/home/%u
        ForceCommand internal-sftp
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

niepce
Posts: 5
Joined: 2017/11/08 15:38:14

Re: ChrootDirectory doesn't work for sftp user

Post by niepce » 2017/11/10 14:11:34

Thanks for your advice.
I don't have Puppet, so I did this:
[root@PODR /]# mkdir /sftp
[root@PODR /]# chmod 755 /sftp
[root@PODR /]# mkdir /sftp/home
[root@PODR /]# chmod 755 /sftp/home
[root@PODR /]# mkdir /sftp/home/TdPMC
[root@PODR /]# chown root:sftponly /sftp/home/TdPMC
[root@PODR /]# mkdir /sftp/home/TdPMC/writeabledir
[root@PODR /]# chown TdPMC:sftponly /sftp/home/TdPMC/writeabledir

I don't understand this part of the Puppet setup:
selboolean {"ssh_chroot_rw_homedirs":
name => "ssh_chroot_rw_homedirs",
persistent => true,
value => on,
require => Group["sftponly"]
}

I modified /etc/ssh/sshd_config like this:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
#Subsystem sftp internal-sftp
#AllowGroups ftp
#AllowUsers TdPMC
#Match User TdPMC
Match Group sftponly
ChrootDirectory /sftp/home/%u
ForceCommand internal-sftp
# X11Forwarding no
# AllowTcpForwarding no

I restarted sshd with:
/etc/init.d/sshd restart
I still have my problem.

Thanks for all

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ChrootDirectory doesn't work for sftp user

Post by TrevorH » 2017/11/10 15:01:24

Puppet's use of selboolean equates to the setsebool -P ssh_chroot_rw_homedirs 1 command.

niepce
Posts: 5
Joined: 2017/11/08 15:38:14

Re: ChrootDirectory doesn't work for sftp user

Post by niepce » 2017/11/10 15:33:03

I've executed:
[root@PODR ~]# setsebool -P ssh_chroot_rw_homedirs 1
[root@PODR ~]# /etc/init.d/sshd restart
Arrêt de sshd : [ OK ]
Démarrage de sshd : [ OK ]

I've got the same errors:
Commande : open "TdPMC@PODR" 22
Commande : Approbation de la nouvelle clé de l'hôte : Une seule fois
Commande : Pass: *****
Erreur : Network error: Software caused connection abort
Erreur : Impossible d'établir une connexion au serveur

niepce
Posts: 5
Joined: 2017/11/08 15:38:14

Re: ChrootDirectory doesn't work for sftp user

Post by niepce » 2017/11/10 16:12:35

/var/log/secure lists this:
[root@PODR ~]# tail -f /var/log/secure
Nov 10 17:09:57 PODR sshd[49585]: Server listening on :: port 22.
Nov 10 17:10:01 PODR sshd[50342]: warning: /etc/hosts.allow, line 7: missing ":" separator
Nov 10 17:10:01 PODR sshd[50342]: warning: /etc/hosts.allow, line 8: missing ":" separator
Nov 10 17:10:04 PODR sshd[50342]: Accepted password for TdPMC from 194.5.181.237 port 45292 ssh2
Nov 10 17:10:04 PODR sshd[50342]: pam_unix(sshd:session): session opened for user TdPMC by (uid=0)
Nov 10 17:10:04 PODR sshd[50961]: fatal: bad ownership or modes for chroot directory component "/"
Nov 10 17:10:04 PODR sshd[50342]: pam_unix(sshd:session): session closed for user TdPMC
Nov 10 17:11:12 PODR sshd[49585]: Received signal 15; terminating.
Nov 10 17:11:12 PODR sshd[64218]: Server listening on 0.0.0.0 port 22.
Nov 10 17:11:12 PODR sshd[64218]: Server listening on :: port 22.
Nov 10 17:11:26 PODR sshd[66918]: warning: /etc/hosts.allow, line 7: missing ":" separator
Nov 10 17:11:26 PODR sshd[66918]: warning: /etc/hosts.allow, line 8: missing ":" separator
Nov 10 17:11:32 PODR sshd[66918]: Accepted password for TdPMC from 194.5.181.237 port 45293 ssh2
Nov 10 17:11:32 PODR sshd[66918]: pam_unix(sshd:session): session opened for user TdPMC by (uid=0)
Nov 10 17:11:32 PODR sshd[68009]: fatal: bad ownership or modes for chroot directory component "/"
Nov 10 17:11:32 PODR sshd[66918]: pam_unix(sshd:session): session closed for user TdPMC

niepce
Posts: 5
Joined: 2017/11/08 15:38:14

Re: ChrootDirectory doesn't work for sftp user

Post by niepce » 2017/11/14 08:13:30

Eureka!
It's resolved by:
chown root:root /sftp/home/TdPMC
chmod 755 /

drwxr-xr-x. 3 root root 4096 10 nov. 15:00 /sftp/home/TdPMC
drwxr-xr-x. 3 root root 4096 10 nov. 14:59 /sftp/home
drwxr-xr-x. 3 root root 4096 10 nov. 14:59 /sftp
drwxr-xr-x. 30 root root 4096 14 nov. 07:49 /


Thanks for all
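The "bad ownership or modes for chroot directory component" error in the log above is sshd refusing a ChrootDirectory because some component of its path (here "/") is either not owned by root or is group/world-writable. The script below is an added example, not code from the thread, that walks a candidate chroot path and applies the same two rules to each component so the offender is found before users hit the error; it assumes Linux with GNU `stat`.

```shell
#!/bin/sh
# Added example: pre-check a ChrootDirectory path the way sshd does.
# sshd requires every component from "/" down to the chroot to be
# owned by root (uid 0) and to have no group or other write bit set.

# Rule for one component. $1 = numeric uid, $2 = octal mode as printed
# by "stat -c %a" (e.g. 755 or 1777). Returns 0 when the component passes.
component_ok() {
    uid=$1
    mode=$((0$2))                      # parse the octal mode string
    [ "$uid" -eq 0 ] && [ $((mode & 022)) -eq 0 ]
}

# Walk each prefix of an absolute path, from "/" to the full path, and
# report every component that would make sshd abort the session.
# Returns 0 if all components pass, 1 if any fails, 2 on bad input.
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *) echo "path must be absolute: $target" >&2; return 2 ;;
    esac
    rc=0
    cur=""
    for comp in / $(printf '%s' "$target" | tr '/' ' '); do
        if [ "$comp" = / ]; then cur=/; else cur="${cur%/}/$comp"; fi
        if [ ! -d "$cur" ]; then
            echo "MISSING $cur"; rc=1; continue
        fi
        uid=$(stat -c %u "$cur")       # assumes GNU stat
        mode=$(stat -c %a "$cur")
        if component_ok "$uid" "$mode"; then
            echo "ok      $cur (uid=$uid mode=$mode)"
        else
            echo "BAD     $cur (uid=$uid mode=$mode): needs root owner, no g/o write"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_chroot_path /sftp/home/TdPMC
```

A chroot path that passes this check still needs a root-owned top level with writable subdirectories (such as the writeabledir above) for uploads to work.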
