1

I would like to create an SFTP user and limit access to a directory. So I created the user and added the following to the configuration

Match user joe
    ChrootDirectory /storage/public
    ForceCommand /usr/libexec/sftp-server

However, it doesn't seem I can connect to the server; I got this error

ssh: connect to host 11.22.33.44 port 22: Connection refused
Elisa
  • Any firewall? Are you able to ssh? Is the sshd daemon running? Is /usr/libexec/sftp-server the correct path? – chocripple Jan 10 '13 at 06:05
  • Which configuration file? – mdpc Jan 10 '13 at 06:31
  • Check your server log to see if you're getting a wrong permission error on `/storage/public`. If you use that as your ChrootDirectory then openssh forbids `joe` from having write access to that directory. See http://serverfault.com/a/418937/56830 – DerfK Jan 10 '13 at 06:35
  • There is no firewall. I also cannot ssh. The ssh daemon is running. /storage/public has the correct permissions; its owner and group is joe – Elisa Jan 10 '13 at 07:08
  • DerfK, both /storage/public is owned by root:root – Elisa Jan 10 '13 at 07:32
  • Rikihm, instead of /usr/libexec/sftp-server, I tried internal-sftp – Elisa Jan 10 '13 at 07:41

2 Answers

1

The 'Connection Refused' error message generally means that nothing is listening on the relevant interface:port, so the first thing to do is check and if required fix this. To find out where your sshd is listening run the command

netstat -tnlp | grep sshd

tcp    0  0 192.168.10.188:2222    0.0.0.0:*           LISTEN      29929/sshd
tcp    0  0 192.168.10.188:22      0.0.0.0:*           LISTEN      29929/sshd

Notice that this shows sshd running on ports 22 and 2222 on a single IP address. What you see will most likely be different but you should be able to figure it out and see where your sshd is listening.

If sshd is not listening on the IP address that corresponds to your host then you can add a ListenAddress directive to your /etc/ssh/sshd_config file

ListenAddress 11.22.33.44

then restart sshd.

If your sshd is listening on a non standard port e.g. 2222 then you can use

sftp -P 2222 joe@yourhost

to connect to the system. If you want to use the standard port 22 then you can add a new port directive in /etc/ssh/sshd_config

Port 22
Port 2222

then restart sshd.

user9517
  • Thanks Iain, I did as you said. I added ListenAddress 11.22.33.44 in /etc/ssh/sshd_config but it doesn't help. Whenever I add the configuration "Match user joe ChrootDirectory /storage/public ForceCommand /usr/libexec/sftp-server", the server says connection refused. I cannot even ssh to the server after adding that chroot config to the sshd_config file. – Elisa Jan 10 '13 at 08:02
  • @Elisa: So you can ssh in ok before you add the lines but afterwards not? What version of ssh are you using ? Is there any relevant information in your log files ? – user9517 Jan 10 '13 at 08:15
0

The problem is with the sshd_config file. I have now placed the config text related to chrooting at the end of the file and it worked. Thank you guys for the help.

Elisa
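An added example, not part of the original thread: in sshd_config a Match block runs until the next Match line or the end of the file, so any global-only keyword placed after it is parsed as part of the block and sshd rejects the configuration, which is consistent with the fix of moving the block to the end. The script below flags such keywords; the function names, the partial keyword list and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: find sshd_config keywords that fall
# inside a Match block but are only valid in the global section.

# Partial list of global-only keywords (assumption: extend it for your
# OpenSSH version; `sshd -t` remains the authoritative check).
GLOBAL_ONLY="port listenaddress addressfamily hostkey usepam usedns pidfile syslogfacility"

# check_match_scope [FILE]  (reads stdin when FILE is omitted)
# Prints one line per misplaced keyword; returns 1 if any were found.
check_match_scope() {
    awk -v globals="$GLOBAL_ONLY" '
        BEGIN { n = split(globals, g, " "); for (i = 1; i <= n; i++) bad[g[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            name = $1; sub(/=.*/, "", name)       # accept the "Keyword=value" form
            kw = tolower(name)                    # keywords are case-insensitive
            if (kw == "match") {                  # a new block starts here
                blk = NR; crit = $0; sub(/^[ \t]+/, "", crit); next
            }
            # Indentation is cosmetic: the block only ends at the next Match or EOF.
            if (blk && (kw in bad)) {
                printf "line %d: %s is inside \"%s\" (opened on line %d)\n", NR, name, crit, blk
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample: the Match block from the question placed mid-file.
sample_config() {
    cat <<'EOF'
Port 22
Match user joe
    ChrootDirectory /storage/public
    ForceCommand /usr/libexec/sftp-server
ListenAddress 11.22.33.44
UsePAM yes
EOF
}

sample_config | check_match_scope || echo "Move the Match block to the end, then run: sshd -t"
```

Run it against the real file with `check_match_scope /etc/ssh/sshd_config`, and confirm the result with `sshd -t` before restarting the daemon.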