1
I have an FTP server that authenticates via an API and has user folders in:
/home/ftpusers/files/<username>
Some users have requested SFTP instead and since I already have processes in place to put files in the user's directory, I figure I can just create accounts for the users.
useradd -g sftpgroup -d /home/ftpusers/files/username/ -s /sbin/nologin username
mkdir -p /home/ftpusers/files/username/.ssh
chown -R username:ftpgroup /home/ftpusers/files/username
chmod -R 770 /home/ftpusers/files/username
echo "ssh-rsa user key" > /home/ftpusers/files/username/.ssh/authorized_keys
chown username:sftpgroup /home/ftpusers/files/username/.ssh
chmod 700 /home/ftpusers/files/username/.ssh
chown username:sftpgroup /home/ftpusers/files/username/.ssh/authorized_keys
chmod 600 /home/ftpusers/files/username/.ssh/authorized_keys
the ftpgroup is so a system account can place files in the user folder the sftpgroup is to lock this user to just SFTP using:
Match Group sftpgroup
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no
Unfortunately this doesn't work. No useful error, just:
Permission denied (publickey)
It does work fine though if I create a user in a more standard way in the /home/ directory
Any ideas on why? I know chroot has a lot of permission restrictions. Is this something like that?
Added namei output: Sure thing:
namei -l /home/ftpusers/files/jmandel/.ssh
f: /home/ftpusers/files/jmandel/.ssh
dr-xr-xr-x root root /
drwxr-xr-x root root home
drwxrwx--- ftpuser ftpgroup ftpusers
drwxrwx--- ftpuser ftpgroup files
drwxrwx--- jmandel ftpgroup jmandel
drwx------ jmandel sftpgroup .ssh
Marked answer below has good information in comment thread
Supergibbs
Posted 2018-08-25T15:06:19.887
Reputation: 153
This makes a lot of sense but it didn't seem to work – Supergibbs – 2018-08-26T04:14:02.687
@Supergibbs Could you add to your question output of:
namei -l /home/ftpusers/files/SomeUserName/.ssh? – Alex – 2018-08-26T04:34:50.920Sure thing, added above for better formatting – Supergibbs – 2018-08-27T15:36:25.583
Check if user jmandel belonging to the group ftpgroup by running
id jmandel– Alex – 2018-08-27T15:48:42.953It's not because I don't want it to, that would allow jmandel access to other users folders. There is a user in the ftpgroup that places files in various user folders. As a test though, I added jmandel to ftpgroup and it didn't help – Supergibbs – 2018-08-27T18:54:57.923
If users aren't belong to ftpgroup and directory
/home/ftpusersrestricting access to groupotherthen how they would travel to their ftp(home) ? Try to set 775 to directories/home/ftpusersand/home/ftpusers/filesfor the test purpose. – Alex – 2018-08-27T19:02:55.893They are the owner of their home directory, do they also need access for the full path? Not a lot of linux admin experience here.
I tried 775 and it didn't work either – Supergibbs – 2018-08-28T20:11:00.800
Can you remove temporally public key authentication and try SFTP with plain password ? – Alex – 2018-08-28T20:40:27.933
So password worked! But folder permissions did not. Seems like users need permissions for the full path to their home dir. This might not work out the way I need it to. Thanks for all your help! Still not sure why keys aren't working either. – Supergibbs – 2018-09-04T16:23:24.810
Figured it out! home directories need to be 700 for key logins (along with .ssh dir and the authorized_keys file needs to be 600). Alternatively, add "StrictModes no" to sshd_config. Thanks for all the help Alex! – Supergibbs – 2018-09-04T22:58:54.303
Additionally, I used 771 to allow users access to their home folder but not be able to list /home/ directory. That would expose our client list – Supergibbs – 2018-09-05T16:04:44.587