I've followed this instructions on the ArchWiki and GeekStuff to setup an user which can only access the server via SFTP (SSH) but without Shell (/bin/false
) in a chrooted environment of his home dir.
Nothing much more special, but it simply does not work, I keep getting access denied
messages when I try to log in. Here is what I've tried so far:
SFTP User and Group
The user, here: user
, is member of the group sftp
. Home directory is /srv/sftp/user
. Shell is disable via /bin/false
User entry:
0 ✓ root@host ~ $ grep -i user /etc/passwd
user:x:1002:1000::/srv/sftp/user:/bin/false
Group entry:
0 ✓ root@host ~ $ grep -i sftp /etc/group
sftp:x:1000:user
Groups of user:
0 ✓ root@host ~ $ groups user
users sftp
Home Directory Configuration
The home directory and all directories above are owned by root
:
0 ✓ root@host ~ $ ls -lsha /srv
total 20K
4,0K drwxr-xr-x 6 root root 4,0K 4. Apr 17:00 ./
4,0K drwxr-xr-x 17 root root 4,0K 4. Apr 15:08 ../
4,0K dr-xr-xr-x 2 root ftp 4,0K 30. Sep 2015 ftp/
4,0K drwxr-xr-x 4 root root 4,0K 4. Apr 19:30 http/
4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 17:00 sftp/
0 ✓ root@host ~ $ ls -lsha /srv/sftp
total 12K
4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 17:00 ./
4,0K drwxr-xr-x 6 root root 4,0K 4. Apr 17:00 ../
4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 19:34 user/
0 ✓ root@host ~ $ ls -lsha /srv/sftp/user
total 16K
4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 19:34 ./
4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 17:00 ../
4,0K drwxrwxr-x 6 user sftp 4,0K 4. Apr 20:28 files/
4,0K drwxrwxr-x 2 user sftp 4,0K 4. Apr 19:33 log/
SSHD Configuration
The end of the SSHD config:
0 ✓ root@host ~ $ tail -n16 /etc/ssh/sshd_config
# override default of no subsystems
### Subsystem sftp /usr/lib/ssh/sftp-server
Subsystem sftp internal-sftp
### This section must be placed at the very end of sshd_config
# This means that all users in the ‘sftp’ group will be chroot’d
# to their home directory, where they only will be able to run
# internal SFTP processes.
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PasswordAuthentication yes
SSHD status:
0 ✓ root@host ~ $ systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
Active: active (running) since Mo 2016-04-04 23:48:58 CEST; 1 day 15h ago
Main PID: 9272 (sshd)
Tasks: 3 (limit: 512)
CGroup: /system.slice/sshd.service
├─ 9272 /usr/bin/sshd -D
├─17597 sshd: user [priv]
└─17598 sshd: user [net]
[...]
Apr 06 15:05:24 host sshd[17597]: Failed password for user from 93.***.***.136 port 45516 ssh2
OpenSSH version:
0 ✓ root@host ~ $ pacman -Q openssh
openssh 7.2p2-1
More system information
Kernel version:
0 ✓ root@host ~ $ uname -a
Linux host 4.4.5-1-ARCH #1 SMP PREEMPT Thu Mar 10 07:38:19 CET 2016 x86_64 GNU/Linux
Trying to connect
To make sure the password is really correct, I change it to 1234
:
0 ✓ root@host ~ $ passwd user
Enter new UNIX password: 1234
Retype new UNIX password: 1234
passwd: password updated successfully
Now test with sftp
:
1 ✗ me@client ~ $ sftp -P12345 user@host
user@host's password: 1234
Permission denied, please try again.
user@host's password: 1234
Permission denied, please try again.
user@host's password: 1234
Permission denied (publickey,password).
Couldn't read packet: Connection reset by peer
This is in the logs, not really helpful at all:
0 ✓ root@host ~ $ journalctl -n5
Apr 06 15:34:38 host passwd[25269]: pam_unix(passwd:chauthtok): password changed for user
Apr 06 15:35:26 host sshd[25853]: Failed password for user from 93.***.***.136 port 45834 ssh2
Apr 06 15:35:30 host sshd[25853]: Failed password for user from 93.***.***.136 port 45834 ssh2
Apr 06 15:35:33 host sshd[25853]: Failed password for user from 93.***.***.136 port 45834 ssh2
Apr 06 15:35:34 host sshd[25853]: Connection closed by 93.***.***.136 port 45834 [preauth]
What am I doing wrong? What did I miss? How to create chroot'ed SFTP access on an Archlinux Server wihtout shell access?