
I'm having problems setting up sftp with a ChrootDirectory. I've done an equivalent setup on other distros, but for some reason I cannot get it to work on a Redhat AMI.

The changes to my sshd_config file are:

    Subsystem sftp internal-sftp

    Match Group ftponly
        PasswordAuthentication yes
        X11Forwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

I have the homes of the users in question at /home/user, owned by root. After connecting with a user in the ftponly group, I'm dropped into / without permissions for anything, and am unable to do anything.

    sftp bob@localhost
    Connecting to localhost...
    bob@localhost's password:
    sftp> pwd
    Remote working directory: /

I can connect normally with users not in the ftponly group.

openssh version 5.3

I've experimented with different permissions, as well as having users own their own home directory (gives a Write failed: Broken pipe error), and so far, nothing has seemed to work.

I'm sure it's a permissions error, or something equally as trivial, but at this point my eyes are beginning to glaze over, and any help would be greatly appreciated.

EDIT:

James and Madhatter, thanks for clarifying. I was confused by chroot dropping me in /... just didn't think through it properly. I've added the appropriate directories and permissions to get read access. One other key part was enabling write access to chrooted homes:

    setsebool -P ssh_chroot_rw_homedirs on

in order to get write access. I think I'm all set now. Thanks for the help.

  • Ummm, you say that you're chrooting the bob user to ./home/bob, which is owned by root, yes? In that case, aren't you seeing exactly what you'd expect? What's in /home/bob as far as root is concerned? And what's in / as far as the captive bob user is concerned? Commented Nov 6, 2012 at 20:52
  • Actually this is/was working correctly, the issue was that I needed to extend r/w permissions to /home/bob. Chmod 0755 did the trick. I had previously tried having bob, or the ftpusers group own /home/bob, but I guess you really have to have root own the file, but have r/w permissions for other users. Commented Nov 6, 2012 at 21:16

1 Answer


ChrootDirectory %h will chroot the user's home directory to /. I may be wrong, but the reason that you cannot do anything is because the necessary support files do not exist in the chroot jail. A quick search for "configure ssh chroot" brings me to this page http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229 where you make the necessary files available.

  • With respect, I think you're wrong. The man page for sshd_config says that in the ChrootDirectory directive, "%h is replaced by the home directory of the user being authenticated", which in this case is /home/bob, no? Commented Nov 6, 2012 at 20:53
  • That's right, you are only rephrasing what I am saying; sorry if it didn't come across right. You will never see /home/bob in your path because / IS /home/bob. Commented Nov 6, 2012 at 20:56
  • Ah, I see what you're saying; yes, I agree - a chroot'ed user will see their initial directory as /, whatever it really is to a non-chrooted user. Sorry! Have an upvote! Commented Nov 6, 2012 at 20:58
