I've got a CentOS release 6.4 with Digital Ocean and would like to successfully create SFTP users and jail them to the user's own chroot home directory, but I fear I'm making a mess of this.

I've tried a lot of things, far too many to list here really, as most of them are probably incorrect or won't make much sense, but what I feel should be the correct process, and what I have tried, is:-

Create a group for sftp:-

groupadd sftp

Create a user and set their home directory:-

useradd -d /var/www/vhosts/domain.com dummyuser

Set a password for the user:-

passwd dummyuser

Change the user's group to 'sftp':-

usermod -g sftp dummyuser

Set the user's shell to /bin/false:-

usermod -s /bin/false dummyuser

Edit Subsystem in sshd_config (/etc/ssh/):-

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Add the following to the bottom of the sshd_config file:-

Match group sftp
    X11Forwarding no
    ChrootDirectory %h
    AllowTcpForwarding no
    ForceCommand internal-sftp

I make sure all the following directories are root:root:-

/var
/var/www
/var/www/vhosts
/var/www/vhosts/domain.com

If I then try to log in to the server via SFTP with the user dummyuser (in WinSCP), I get the following:-

Authentication log (see session log for details):
Using username "dummyuser".

Authentication failed.

All I want to achieve is jailing a user to their home directory. I've also got vsftpd set up and configured. Users could log in fine but would have access to the entire server - I just haven't managed to get jailing to work at all.

Edit

Forgot to mention, I then restarted sshd also:-

service sshd restart

When the error is produced in WinSCP, their help page on this is here.

Log Results

/var/log/secure

I replaced the actual server name with server_name.

 Apr 28 14:20:56 server_name sshd[9944]: Accepted password for dummyuser from 80.194.255.4 port 44402 ssh2
 Apr 28 14:20:56 server_name sshd[9944]: pam_unix(sshd:session): session opened for user dummyuser by (uid=0)
 Apr 28 14:20:56 server_name sshd[9946]: fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/"
 Apr 28 14:20:56 server_name sshd[9944]: pam_unix(sshd:session): session closed for user dummyuser
zigojacko
  • Did you restart `sshd`? What is in the log files on the server? – faker Apr 28 '14 at 14:31
  • Yes I did, sorry I forgot to add that to the end of my question (will include now). Which log file (and location) should I be looking in because I have failed to find a 'session log' file so far? Thanks. – zigojacko Apr 28 '14 at 14:37
  • You'll want to take a look at `/var/log/secure`. – faker Apr 28 '14 at 14:40
  • Excellent, thank you - this helps (updating question with log entries). – zigojacko Apr 28 '14 at 14:44
  • `fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/"` - I suspected something like this, but `vhosts` is `root:root`. – zigojacko Apr 28 '14 at 14:46
  • What is the full permission on `/var/www/vhosts`? E.g. only root user should have write permissions, not everyone. – faker Apr 28 '14 at 14:49
  • `ls -ld /var/www/vhosts` outputs `drwxrwxr-x 3 root root 4096 Oct 25 2013 vhosts` is this looking incorrect? Thanks – zigojacko Apr 28 '14 at 14:51
  • Nope, group is not allowed to have write permission (even if it's root group): `chmod g-w /var/www/vhosts` – faker Apr 28 '14 at 14:54
  • @faker - legend - works perfectly. log in as `dummyuser` and now jailed to `/var/www/vhosts/domain.com` - thank you for noticing that. Will accept as answer if you want to answer. – zigojacko Apr 28 '14 at 15:05
  • Could you use filesystem ACLs? Give permissions to the sftp group? – Trinue Apr 28 '14 at 15:06

2 Answers

It's a common pitfall:
All folders up to the chroot home must be owned by root and writable only by the root user.
The folders cannot be group-writable, even if the group is root.

faker

I found and successfully configured sftp on CentOS 6.5: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

Edit sshd config:

vim /etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

(comment out the default with "#")

add:

Subsystem sftp internal-sftp
Match Group sftp-only
    ChrootDirectory /var/www/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Exit and save.

Then:

mkdir /etc/skel2
groupadd sftp-only
getent group | grep sftp-only

(take note of the GID (Group ID); here, in my example, it's 500)

For a new user named "testuser" (member of the sftp-only group with GID 500):

useradd --base-dir /var/www --gid 500 --skel /etc/skel2 --create-home --shell /sbin/nologin testuser

(I use an empty /etc/skel2 so no .bashrc etc. is copied by default by CentOS)

mkdir -p /var/www/testuser/home/testuser

chown root:sftp-only /var/www/testuser
chmod 750 /var/www/testuser

chown root:root /var/www/testuser/home
chmod 755 /var/www/testuser/home

chown testuser:sftp-only /var/www/testuser/home/testuser
chmod 770 /var/www/testuser/home/testuser

So in this example, I set it up to give secure access to external consulting firms that manage websites. After creating all this, you could do:

mkdir /var/www/testuser/home/testuser/www.somesite.com
chown testuser:apache /var/www/testuser/home/testuser/www.somesite.com
chmod xxx (permissions to the website as needed, usually 750 so apache would get read access)

One could fine tune all this as needed.

Hope this helped!

Guy Boisvert IngTegration inc. http://www.ingtegration.com

Guy Boisvert
  • Welcome to Server Fault! Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – masegaloeh Sep 04 '14 at 13:52
    Since you changed sshd config, I'd suggest you restart it : `service sshd restart` – Loïc Jul 11 '16 at 13:53