0

I use proFTPD on debian 8. For some reasons i need users that can only access to their documentroot. I already configured this and it works but only when i connect in FTP.

If the user connect on SFTP, he will be able to access at the entire FTP.

How can i do ?

EDIT :

I found how to correct my problem.

1) I stoped proFTD because it cause problems. I swich on the default SSH server od my debian server

2) All of the folders are owned by root:root and with 755 perms. In my case, it was /, /var, /var/www, and /var/www/dev

3) The SSHD config was :

Subsystem sftp internal-sftp Match Group dev ChrootDirectory /var/www/dev ForceCommand internal-sftp AllowTcpForwarding no

Mathéo Tichy
  • 5
  • 3

2 Answers2

0

In order to make a secure connection to a FTP server, you can use any application that support SFTP. SFTP (commonly referred to as Secure File Transfer Protocol ) can perform secure file transfers.

Sam Mollaei
  • 1
  • 1
0

If you want to restrict some SFTP users to a subdirectory of your filesystem, you can use the ChrootDirectory option in your OpenSSH server config.

Let's assume you want restrict the users of group ftp-users to access only the /var/ftp/%username% directory (where %username% is their username). Then you could use:

Subsystem sftp internal-sftp
Match group ftp-users
    ChrootDirectory /var/ftp/%u

In the ChrootDirectory option you can use %u for the username, %U for the user id or %h for the user's home directory.

Piotr P. Karwasz
  • 5,292
  • 2
  • 9
  • 20
  • Thanks for you reply. But in my case, it doesn't work. This is my config : Match Group dev ChrootDirectory /var/www/dev ForceCommand internal-sftp AllowTcpForwarding no – Mathéo Tichy Mar 08 '20 at 21:09
  • The config looks alright. Did you restart the **ssh** server? What are the logs saying? – Piotr P. Karwasz Mar 08 '20 at 21:15
  • Yes i restarted the server at every modification. I look at /var/log and didn't found auth.log It is normal ? – Mathéo Tichy Mar 08 '20 at 21:18
  • It depends on `/etc/rsyslog.conf`, but usually facility `auth` and `authpriv` are logged to `/var/log/auth.log`. You can also try `journalctl -u ssh`. Regarding the config: only the first matching `Match` stanza is applied, maybe you have several. – Piotr P. Karwasz Mar 08 '20 at 21:22
  • Hello, I have tried your configuration but it doesn"t work. In my logs there is : fatal: bad ownership or modes for chroot directory component "/var/www/dev/" But i gave root:root to the folder and 777 for the perms. – Mathéo Tichy Mar 14 '20 at 09:45
  • The permissions are the problem: all components of `/var/www/dev` (i.e. `/`, `/var`, `/var/www` and `/var/www/dev`) must be owned by root and **not writable** by anyone else (so `755`). This guarantees that the user can not escape the `chroot`. Of course you want your users to be able to write to `/var/www/dev`, so check [this question about sftp permissions](https://serverfault.com/q/1002051/530633). – Piotr P. Karwasz Mar 14 '20 at 14:36
  • Thanks for your reply. But all of these files are already owned by root:root and with 755 perms. I juste have this error : `mars 15 14:29:00 VPS sshd[2686]: Accepted password for dev_cpm_connect from XX.XX.XX.XX port XXXXX ssh2 mars 15 14:29:00 VPS sshd[2686]: pam_unix(sshd:session): session opened for user dev_cpm_connect by (uid=0) mars 15 14:29:00 VPS sshd[2688]: subsystem request for sftp by user dev_cpm_connect failed, subsystem not found mars 15 14:29:00 VPS sshd[2686]: pam_unix(sshd:session): session closed for user dev_cpm_connect` – Mathéo Tichy Mar 15 '20 at 13:31
  • Check whether you have the `Subsystem` option in your configuration. **internal-sftp** is absent on old releases of **ssh** (cf. [this answer by Martin Prikryl](https://serverfault.com/a/660325/530633)), but it should be present on Debian 8. – Piotr P. Karwasz Mar 15 '20 at 16:17
  • Thanks for your help ! Now it's work ! – Mathéo Tichy Mar 15 '20 at 20:27