This sounds awesome and thank you for posting it.

But I've learned not to trust anything posted on this day...

Nice work!
OpenSSH 4.9 is OUT!

I considered using this (as I put together the alternative approach at http://www.minstrel.org.uk/papers/sftp/), but from reading 'man sshd_config', it appeared to me that 'ChrootDirectory' was *not* a valid parameter in a Match block.

Have I misread the manual? It struck me that ChrootDirectory subsequently applied to all users (including myself), which wouldn't work for me at all...

I can be contacted through the Web site above.

--
Minstrel

Does the chroot apply for SSH shell access, or only sftp?

Any ssh backport for etch planned ?

Great!

Can't wait to try it.

Brian Pence
Celestial Software
http://www.celestialsoftware.net
AbsoluteTelnet (for telnet and ssh)

Nice post!

I don't like the sound of setting a users home directory set to "/" though. I can't think of any repercussions, but since their home directory is technically set incorrectly, I wouldn't like to say there would be none. Can anyone else think of any problems this might cause?

Hi

It seems to be working but I still have a question ...

It says in the manpage of sshd_config that the path given to ChrootDirectory and all of its components must be root owned directories that are not writable by any other user or group.

So when the user logs in, he doesn't have write permissions right ?
Therefore he can't upload anything ...

I'm currently using the latest Debian Stable - Lenny, I have OpenSSH 5.X, I want to setup chroot environments, for most of the users on that system. I'm a little confused as how to set that up, do I need to add a group, I'm guessing that would be the proper way to do it. I'm looking for a updated tutorial on this as well.

Following these instructions I have a working chrooted sftp user.
They can't upload files. How do I fix this please?
Also is it possible to modify adduser.conf to create the home directory with the appropriate ownership/properties for this? (I have modified it to set the GID as sftponly too)

"ChrootDirectory /home/%u" should probably be replaced with "ChrootDirectory %h" which works for home directories not in /home

I can't get this working on Ubuntu 8.10 inside 64 VMWare.

Here is what happens:


user@server:/var$ sftp 192.45.2.137
Connecting to 192.45.2.137...
user@192.45.2.137's password:
Couldn't read packet: Connection reset by peer



/var/log/auth.log:

Jun 18 20:45:57 server sshd[23658]: debug1: Bind to port 22 on ::.
Jun 18 20:45:57 server sshd[23658]: Server listening on :: port 22.
Jun 18 20:45:57 server sshd[23658]: debug1: Bind to port 22 on 0.0.0.0.
Jun 18 20:45:57 server sshd[23658]: Server listening on 0.0.0.0 port 22.
Jun 18 20:46:03 server sshd[23658]: debug1: Forked child 23664.
Jun 18 20:46:03 server sshd[23664]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jun 18 20:46:03 server sshd[23664]: debug1: inetd sockets after dupping: 3, 3
Jun 18 20:46:03 server sshd[23664]: Connection from 192.45.2.137 port 42626
Jun 18 20:46:03 server sshd[23664]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-3ubuntu1
Jun 18 20:46:03 server sshd[23664]: debug1: match: OpenSSH_5.1p1 Debian-3ubuntu1 pat OpenSSH*
Jun 18 20:46:03 server sshd[23664]: debug1: Enabling compatibility mode for protocol 2.0
Jun 18 20:46:03 server sshd[23664]: debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
Jun 18 20:46:05 server sshd[23664]: debug1: user user matched group list sftp at line 80
Jun 18 20:46:05 server sshd[23664]: debug1: PAM: initializing for "user"
Jun 18 20:46:05 server sshd[23664]: debug1: PAM: setting PAM_RHOST to "192.45.2.137"
Jun 18 20:46:05 server sshd[23664]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 18 20:46:05 server sshd[23664]: Failed none for user from 192.45.2.137 port 42626 ssh2
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: password authentication accepted for user
Jun 18 20:46:06 server sshd[23664]: debug1: do_pam_account: called
Jun 18 20:46:06 server sshd[23664]: Accepted password for user from 192.45.2.137 port 42626 ssh2
Jun 18 20:46:06 server sshd[23664]: debug1: monitor_child_preauth: user has been authenticated by privileged process
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: establishing credentials
Jun 18 20:46:06 server sshd[23664]: pam_unix(sshd:session): session opened for user user by (uid=0)
Jun 18 20:46:06 server sshd[23671]: debug1: SELinux support disabled
Jun 18 20:46:06 server sshd[23671]: debug1: PAM: establishing credentials
Jun 18 20:46:06 server sshd[23664]: User child is on pid 23671
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: cleanup
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: deleting credentials
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: closing session
Jun 18 20:46:06 server sshd[23664]: pam_unix(sshd:session): session closed for user user



/etc/passwd:

user:x:1003:1003:User,,,:/:/usr/sbin/nologin



/etc/group:

sftp:x:1004:user



/etc/ssh/sshd_config:

# Logging
SyslogFacility AUTH
LogLevel DEBUG
Subsystem sftp internal-sftp
Match group sftp
ForceCommand internal-sftp
ChrootDirectory /var/sshbox



user@server:/var$ ls -l
drwxr-x--- 2 root root 4096 2009-06-18 20:05 sshbox

What I am doing wrong?

why need root owned directory?

So, if i change my FTP to a SFTP server... where can I track the user's actions??

Forgive me for maybe being silly...

If you chown the users directory to root.root how can the user have write access to their home directory?

Hi! I need to prevent a file deletion by jail user. The file is .htaccess. How to make it?

I cant get this to work. Used 2 days on this now.
sftp/ssh works. But chrooting dont.

If I remove the user from the sftpolny group it works. So Im guessing it has something with group/sftp to do, but I cant figure it out.

Anyone got any pointers to this?

I use "PasswordAuthentication no" in sshd_config to force autentication by public key. However, I need to make users login in jail using password. I solved my problem putting "PasswordAuthentication yes" in my match block. See below:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
PasswordAuthentication yes

Hope this help.

Is there a way to configure the above and allow scp access for these chrooted sftp users?

How to hide .ssh folder or disable ls -a option in chroot sftp login

GREAT

# usermod -d / user

And when i testing add some user, And when i delete him which

userdel -rf user

.......................

Note that the owner of the destination directory must be "root", and group/other users cannot have write permissions. The same with all the directory path:

chown root /path/to/destination
chown root /path/to
chown root /path

chmod g-w,o-w /path/to/destination
chmod g-w,o-w /path/to
chmod g-w,o-w /path


Alternatively, you can use a symbolic link to replace the real path:

chown root /path/to/destination
ln -s /path/to/destination /destination
chown root /destination

chmod g-w,o-w /path/to/destination
chmod g-w,o-w /destination


Hi,
to get public-key authentication up and running for sftpusers use the users sftphome in /etc/passwd (e.g. /var/www/sftpuser_1) and let sshd chroot to %h! Password authentication will still work.
Cheers,
Olaf

A new guide to configure better the client and the server:
http://wiki.lapipaplena.org/index.php/How_to_mount_SFTP_accesses

(with special care with owners and permissions questions)

Couldn't this just be done with
sudo usermod -s /bin/false someuser
?

Regards, H�kan

First of all: Thanks for the article.
However, I think there is a error in the Match syntax. I tried it, and it didn't work; until I found out, that it is crucial to close the open Match clause. So using the example from the article the right entry in sshd.conf should be:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match

Otherwise SFTP-server won't allow any connections!
Hope this helps!

I'm not sure if I got this right:

for ChrootDirectory %h to work, the home directory of the user MUST be owned by root
for .ssh/authorized_keys to work the home directory of the user MUST be owned by the user

So how do I "jail" a user in his own directory? (using sftp only)

I would like my users to have the same home directory than their chroot directory (e.g. chroot user1 to /home/user1 and home directory is /home/user1, too).

Are there any security considerations against doing the following?

chown root:root /home/user1
chmod 750 /home/user1
setfacl -m user:user1:rwx /home/user1
setfacl -m mask::rwx /home/user1

This would fulfil the requirements to successfully chroot() and let users have appropriate permissions to their home directories.

using the suggested addition to sshd_config makes sshd die.
I noticed there is already a subsystem sftp defined, so maybe that is the problem, but what is the solution? I have:

Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp
Match group guests
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match

thanks everybody

I have configured like this, but I want to copy directly in the home directory. Is this possible?
BR

Andreas

I only partly have a problem connecting. When I use Filezilla it works perfect. But when I use sftp on Ubuntu it fails with the error:

Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer

What is going wrong and how can I fix this?

this is really helping ..............

After the call to chroot(), sshd changes directory to the home directory relative to the new root directory. That is why I use / as home directory.

If you don't change the home directory to / it seems to work anyway (ie leave as default /home/user).

It also allows public key authentication to work (~/.ssh/authorized_keys)