SFTP server with chrooted home dir

Issues related to applications and software problems
zanga
Posts: 33
Joined: 2013/06/06 12:17:25

SFTP server with chrooted home dir

Post by zanga » 2018/05/10 17:08:34

Hello,

I'm trying to set up a chrooted SFTP server. For this I added an sftp_users group and created a /sftp directory owned by root.

In /etc/ssh/sshd_config I have

Match Group sftp_users
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /sftp/
 ForceCommand internal-sftp
Then I added a user in the sftp_users group and added his home dir in /sftp/user.
This works fine, but when the user logs in he is presented with the content of /sftp, so I tried to add

ChrootDirectory /sftp/%u

and set 700 permissions on /sftp/user, but then I get

 fatal: bad ownership or modes for chroot directory "/sftp/user" [postauth]

What might I be missing to be able to restrict the sftp user to his own home directory?

Thank you!

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SFTP server with chrooted home dir

Post by TrevorH » 2018/05/10 17:49:54

Chrooted sftp is very picky about permissions. Here's my puppet manifest for setting it up:


        # Group that the Match block in sshd_config keys on
        group {"sftponly":
                ensure  => present,
                gid     => 1500,
                system  => false,
                require => Package["setup"]
                }
        # localuser is a site-local defined type, not a core Puppet resource;
        # the account gets no login shell, only sftp
        localuser {"sftpuser":
                comment => "sftp user",
                uid     => "1500",
                groups  => sftponly,
                shell   => "/sbin/nologin",
                password => 'big long encrypted string',
                key     => "#"
                }
        # Every directory from / down to the chroot target: owned by root, mode 755
        file {"/sftp":
                ensure  => directory,
                owner   => root,
                group   => root,
                mode    => 755,
                require => Group["sftponly"]
                }
        file {"/sftp/home":
                ensure  => directory,
                owner   => root,
                group   => root,
                mode    => 755,
                require => File["/sftp"]
                }
        # The chroot target itself stays root-owned (sshd rejects anything else);
        # the user only owns the writable "incoming" subdirectory below it
        file {"/sftp/home/sftpuser":
                ensure  => directory,
                owner   => root,
                group   => sftponly,
                seltype => user_home_dir_t,
                mode    => 755,
                require => File["/sftp/home"]
                }
        file {"/sftp/home/sftpuser/incoming":
                ensure  => directory,
                owner   => sftpuser,
                group   => sftponly,
                seltype => user_home_dir_t,
                mode    => 755,
                require => File["/sftp/home/sftpuser"]
                }
        # SELinux: let sshd's chrooted sessions write under home directories
        selboolean {"ssh_chroot_rw_homedirs":
                name    => "ssh_chroot_rw_homedirs",
                persistent      => true,
                value   => on,
                require => Group["sftponly"]
                }
        # Persistent SELinux labels for the writable directory and its files;
        # the file-type flag syntax of semanage differs between EL6 and EL7
        exec {"semanage-sftphome":
                command => $osmajorrelease ? {
                        "6" => "/usr/sbin/semanage fcontext -a -f-- -t user_home_t '/sftp/home/sftpuser/incoming(/.*)?'",
                        "7" => "/usr/sbin/semanage fcontext -a -ff -t user_home_t '/sftp/home/sftpuser/incoming(/.*)?'"
                        },
                unless  => "/usr/sbin/semanage fcontext -l | grep -q '^/sftp/home/sftpuser/incoming(/.*)?.*regular'",
                require => Package["policycoreutils-python"]
                }
        exec {"semanage-sftphomedirs":
                command => $osmajorrelease ? {
                        "6" => "/usr/sbin/semanage fcontext -a -f-d -t user_home_dir_t '/sftp/home/sftpuser/incoming(/.*)?'",
                        "7" => "/usr/sbin/semanage fcontext -a -fd -t user_home_dir_t '/sftp/home/sftpuser/incoming(/.*)?'"
                        },
                unless  => "/usr/sbin/semanage fcontext -l | grep -q '^/sftp/home/sftpuser/incoming(/.*)?.*directory'",
                require => Exec["semanage-sftphome"]
                }
        }  # closes the enclosing class/node block (not shown)
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

zanga
Posts: 33
Joined: 2013/06/06 12:17:25

Re: SFTP server with chrooted home dir

Post by zanga » 2018/05/10 18:24:39

Many thanks, TrevorH!

Following your advice I changed the ownership to root:sftp_users on /sftp/user with 755 permissions, then created an UPLOAD dir inside the user's home dir with user:sftp_users ownership. The ftp user can then upload his stuff there and he is restricted to his home dir.
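As an added example (not code from either poster, and not the Puppet manifest above), the following POSIX shell script builds the layout the thread arrives at (root-owned chroot directory, a user-owned upload directory beneath it) and checks every component of the chroot path against the rule sshd enforces for ChrootDirectory: each directory from / down to the target must be owned by root and must not be writable by group or others. That rule is what the "bad ownership or modes for chroot directory" message reports, and it exists because a chroot whose root the confined user can modify no longer confines anything. The group name sftp_users, the parent /sftp, the user name and the subdirectory name "upload" are assumptions taken from the thread's wording, not fixed values.

```shell
#!/bin/sh
# Added example, not code from the thread's posters. Creates the directory
# layout with the ownership and modes the thread settles on, and verifies
# each chroot path component the way sshd does (root-owned, no g/o write).
# Assumed names: group sftp_users, chroot parent /sftp, upload subdir "upload".
SFTP_GROUP="${SFTP_GROUP:-sftp_users}"
SFTP_ROOT="${SFTP_ROOT:-/sftp}"

# Matching sshd_config block (as in the first post, with a per-user chroot):
#   Match Group sftp_users
#       ChrootDirectory /sftp/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no

# perms_ok UID MODE: succeed if a directory with numeric owner UID and octal
# MODE (as printed by stat -c '%u %a') is acceptable as a chroot component.
perms_ok() {
    [ "$1" -eq 0 ] || return 1                 # must be owned by root
    perm=$2
    while [ ${#perm} -lt 3 ]; do perm=0$perm; done
    perm=$(printf '%s' "$perm" | sed 's/^.*\(...\)$/\1/')  # drop suid/sgid/sticky digit
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    [ $((g & 2)) -eq 0 ] || return 1           # no group write bit
    [ $((o & 2)) -eq 0 ] || return 1           # no world write bit
}

# chroot_path_ok DIR: walk from DIR up to / and apply perms_ok to each
# component, reporting the first one sshd would reject. DIR must be absolute.
chroot_path_ok() {
    dir=$1
    case $dir in
        /*) ;;
        *)  echo "chroot_path_ok: need an absolute path, got '$dir'" >&2; return 1 ;;
    esac
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        if ! perms_ok "$1" "$2"; then
            echo "bad ownership or modes for chroot component $dir (uid=$1 mode=$2)" >&2
            return 1
        fi
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# make_layout USER: create the directories with the thread's ownership and
# modes. Must run as root. The chroot directory itself stays root:sftp_users
# 755; only the upload subdirectory belongs to the user.
make_layout() {
    u=$1
    install -d -o root -g root          -m 0755 "$SFTP_ROOT"
    install -d -o root -g "$SFTP_GROUP" -m 0755 "$SFTP_ROOT/$u"
    install -d -o "$u" -g "$SFTP_GROUP" -m 0755 "$SFTP_ROOT/$u/upload"
    # On SELinux hosts also run: setsebool -P ssh_chroot_rw_homedirs on
    # (the boolean the manifest above sets) so the chrooted session may write.
    chroot_path_ok "$SFTP_ROOT/$u"
}

# Usage: sh chroot-sftp.sh setup USER   |   sh chroot-sftp.sh check /sftp/USER
case ${1:-} in
    setup) make_layout "${2:?user name}" ;;
    check) chroot_path_ok "${2:?directory}" ;;
esac
```

Running `check` against the poster's original layout explains the error in the thread: /sftp/user with mode 700 fails not on the mode bits (700 has no group or world write) but on ownership, because the directory belonged to the user rather than root. Making it root:sftp_users 755 and moving the writable area into a subdirectory satisfies both halves of the rule.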
