CHrooted SFTP server

Postby kbensch » 2011/12/15 15:22:10

Hi All

I have tried to set this up on CentOS 6.1 updated to the latest patches.

I have turned off SELinux until I can get this sorted, but when I try to log in I get the following in the log:

Dec 15 15:16:51 ftp sshd[1686]: Accepted password for sftptest from 10.10.10.4 port 2562 ssh2
Dec 15 15:16:51 ftp sshd[1686]: pam_unix(sshd:session): session opened for user sftptest by (uid=0)
Dec 15 15:16:51 ftp sshd[1690]: fatal: bad ownership or modes for chroot directory component "/home/SFTP/"
Dec 15 15:16:51 ftp sshd[1686]: pam_unix(sshd:session): session closed for user sftptest

I did the following to set it up:

Created a group called sftponly

sshd_config:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftponly
ChrootDirectory /home/SFTP/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

Set the directory structure as follows:

drwx------. 5 root root 4096 Dec 15 13:59 .
drwx------. 22 root root 4096 Dec 15 14:11 ..
drwx------. 3 root root 4096 Dec 15 14:01 SFTP

SFTP:
total 12
drwx------. 3 root root 4096 Dec 15 14:01 .
drwx------. 5 root root 4096 Dec 15 13:59 ..
drwx------. 2 sftptest sftptest 4096 Dec 15 14:01 sftptest


Can anybody see what I am doing wrong please?

Thanks

Kobus
kbensch
 
Posts: 50
Joined: 2005/04/22 17:27:42
Location: Maidenhead, UK

Re: CHrooted SFTP server

Postby TrevorH » 2011/12/15 18:37:24

This should help
TrevorH
Forum Moderator
 
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CHrooted SFTP server

Postby scottro » 2011/12/15 18:46:10

Not sure if CentOS' patched ssh fully supports it.

At any rate, often, this can be fixed by changing the directory permissions to 755 rather than 700.

I think everything has to be owned by root, and if you want the ssh user to be able to write, you create another directory, also owned by root, with 777 or whatever.
scottro
Forum Moderator
 
Posts: 1715
Joined: 2007/09/03 21:18:09
Location: NYC

Re: CHrooted SFTP server

Postby kbensch » 2011/12/16 10:32:35

Hi scottro

It is supported. Please see my other post for some details.

Re: CHrooted SFTP server

Postby kbensch » 2011/12/16 11:02:12

TrevorH wrote:
This should help


Hi TrevorH

Thanks for this, I got it sorted.

This was basically correct:

sshd_config:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftponly
ChrootDirectory /home/SFTP/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

except for this line --> From ChrootDirectory /home/SFTP/%u to ChrootDirectory /home/chroot/%u

I also had to change the passwd file for this user from /home/SFTP/sftptest to /home/sftptest

The biggest change I had to make, however, was the dir structure.

I had /home/SFTP/sftptest for the user dir, but changed it as follows:
/home/chroot/sftptest/home/sftptest

The permissions per level are as follows:
drwx------. 4 root root 4096 Dec 16 10:02 home
drwx------. 3 root root 4096 Dec 16 09:58 chroot
drwxr-x---. 3 root sftponly 4096 Dec 16 09:59 sftptest
drwxr-xr-x. 3 root root 4096 Dec 16 09:59 home
drwxrwx---. 3 sftptest sftptest 4096 Dec 16 10:29 sftptest

Once all of these changes have been made it is working as expected and one can now continue to customise the directories as required.

Hope this helps someone else.

Kobus

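Added example, not part of the thread or of any poster's setup: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or other, and the checker below walks a path and reports each component that breaks that rule. The two sample layouts are constructed from the listings posted above; the uid 500 for sftptest and the mode of "/" are assumptions.

```python
import os
import stat
import sys
from collections import namedtuple

# Stand-in for os.stat_result so a layout can be checked without a real tree.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

def check_chroot_path(path, stat_fn=os.stat):
    """Return (component, reason) pairs for every component of `path` that
    breaks the sshd_config(5) ChrootDirectory rule: each component must be a
    root-owned directory that is not writable by group or other."""
    problems = []
    current = "/"
    for part in [""] + [p for p in path.split("/") if p]:
        current = os.path.join(current, part)
        st = stat_fn(current)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((current, "not a directory"))
        if st.st_uid != 0:
            problems.append((current, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((current, "group/other writable (mode %o)" % mode))
    return problems

D = stat.S_IFDIR
SFTPTEST_UID = 500  # constructed uid for the sftptest account
# Constructed from the listings in the thread; "/" itself is assumed root 755.
ORIGINAL = {
    "/": FakeStat(0, D | 0o755),
    "/home": FakeStat(0, D | 0o700),
    "/home/SFTP": FakeStat(0, D | 0o700),
    "/home/SFTP/sftptest": FakeStat(SFTPTEST_UID, D | 0o700),
}
FIXED = {
    "/": FakeStat(0, D | 0o755),
    "/home": FakeStat(0, D | 0o700),
    "/home/chroot": FakeStat(0, D | 0o700),
    "/home/chroot/sftptest": FakeStat(0, D | 0o750),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real path on this host
        results = check_chroot_path(sys.argv[1])
    else:  # fall back to the constructed "before" layout
        results = check_chroot_path("/home/SFTP/sftptest", ORIGINAL.__getitem__)
    for component, reason in results:
        print("%s: %s" % (component, reason))
```

Run it with the expanded ChrootDirectory value (the path after %u is substituted) as the only argument to check a live host.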
Re: CHrooted SFTP server

Postby scottro » 2011/12/16 22:39:15

Good to know, thank you. The one time I've had to set it up was on a CentOS 5.x server and I wound up rebuilding the rpm. (Openssh puts a spec file in their tarball, so it's pretty easy.)

Re: CHrooted SFTP server

Postby kbensch » 2011/12/19 09:28:02

CentOS 5 is done via a script I picked up on a website, which I then changed to suit my needs. I still have it somewhere, and at a company I recently left it is still very much in use.

