I'm stuck creating an SFTP chroot. I'm able to log in, but I'm getting "Permission denied" whatever I try.
sftp webadm@<ip>:
webadm@<ip>'s password:
Connected to <ip>.
Changing to: /
sftp> ls
remote readdir("/"): Permission denied
sftp>
This is what I did:
/etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
I created the user webadm:
useradd webadm
passwd webadm
groupadd sftponly
gpasswd -a webadm sftponly
usermod -g sftponly webadm
groups webadm
webadm : sftponly
I followed this howto https://wiki.archlinux.org/index.php/SFTP_chroot
ll /home/
drwx------+ 5 root root 4096 May 31 23:49 webadm
ll /home/webadm/
-rw-r--r--. 1 webadm sftponly 5 May 31 23:34 test
getfacl /home/webadm/
getfacl: Removing leading '/' from absolute path names
# file: home/webadm/
# owner: root
# group: root
user::rwx
group::---
mask::---
other::---
It says root has to own the chroot dir, but then how can the webadm user access the contents of his dir? I tried
setfacl -m u:webadm:rwx /home/webadm/
but then I wasn't even able to log in.
I also tried Match User in sshd, but with the same effect:
Match User webadm
ChrootDirectory /home/webadm
AllowAgentForwarding no
X11Forwarding no
AllowTcpForwarding no
#PermitTTY no
ForceCommand internal-sftp
PermitTunnel no
SELinux is in permissive mode. The only error I can see is in /var/log/secure:
Accepted password for webadm from <ip> port 19669 ssh2
pam_unix(sshd:session): session opened for user webadm by (uid=0)
sshd_selinux_copy_context: getcon failed with Permission denied [postauth]
So what am I doing wrong? Any help is really appreciated. Thank you.
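The question's layout (chroot directory root:root with mode 700) can be checked mechanically. The script below is an added example, not part of the question or of the ArchWiki howto; it judges each path component by the rules sshd applies (root-owned, not group/world-writable) and then asks whether the sftp user can still traverse and list the directory. It assumes the user is not a member of the directories' groups (true for root:root) and that GNU stat is available, as on CentOS 7.

```sh
#!/bin/sh
# Added example: audit a ChrootDirectory path. sshd refuses the chroot
# unless every component from / down is owned by root and not writable by
# group or others; the sftp user additionally needs r+x on the chroot
# directory itself for "ls" to work. Only the "other" bits are considered
# for the user (assumption: the user is not in the directory's group).

# judge_component UID MODE ROLE
#   UID   numeric owner; MODE octal permission string (e.g. 700 or 2755);
#   ROLE  "chroot" for the ChrootDirectory itself, "parent" for anything above.
# Prints one line per problem found, or "ok".
judge_component() {
    uid=$1; mode=$2; role=$3; problems=0
    mode=${mode#"${mode%???}"}            # keep the last three octal digits
    g=${mode#?}; g=${g%?}; o=${mode#??}   # group digit, other digit
    if [ "$uid" -ne 0 ]; then
        echo "owner uid $uid is not root: sshd rejects this chroot"; problems=1
    fi
    # A POSIX ACL mask of rwx (what setfacl u:webadm:rwx produces) shows up
    # in the group bits, so it is flagged here as group-writable too.
    case $g in 2|3|6|7) echo "group-writable: sshd rejects this chroot"; problems=1;; esac
    case $o in 2|3|6|7) echo "world-writable: sshd rejects this chroot"; problems=1;; esac
    case $o in 1|3|5|7) ;; *) echo "user cannot traverse it (no o+x)"; problems=1;; esac
    if [ "$role" = chroot ]; then
        case $o in 4|5|6|7) ;; *) echo "user cannot list it (no o+r): readdir fails"; problems=1;; esac
    fi
    if [ "$problems" -eq 0 ]; then echo ok; fi
    return 0
}

# chroot_check PATH: judge PATH and every directory above it.
# Uses GNU stat (coreutils); returns 1 if anything was flagged.
chroot_check() {
    p=$1; role=chroot; bad=0
    while :; do
        st=$(stat -c '%u %a' "$p") || return 1
        set -- $st
        out=$(judge_component "$1" "$2" "$role")
        echo "$p: $out"
        [ "$out" = ok ] || bad=1
        [ "$p" = / ] && break
        p=$(dirname "$p"); role=parent
    done
    return "$bad"
}

# Usage: chroot_check /home/webadm
# For a root:root 700 directory this flags "cannot traverse" and "cannot
# list"; chmod 755 (still root-owned) plus a webadm-owned subdirectory for
# the actual files is the usual layout.
```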
What OS are you using? – Jakuje – 2016-06-03T17:11:46.833
Latest CentOS 7 – Sigi – 2016-06-03T17:36:50.667
Your user webadm has uid=0? That is suspicious. – Jakuje – 2016-06-03T17:53:17.743
Doesn't it mean that the session was opened by the ssh daemon, which is running under root? – Sigi – 2016-06-03T18:03:13.590
Anyway, I disabled SELinux completely and now the error message with sshd_selinux_copy_context has disappeared. I have to edit the title of the question later. But the result remains the same... – Sigi – 2016-06-03T18:05:04.240
Possible duplicate of openSSH connection reset by peer – Jakuje – 2016-06-03T19:18:11.950