Limiting Access with SFTP Jails

0

I would like to restrict access to only one directory (and its subdirectories) for a specific user when he is connected with sftp.

I created the user in the Apache group:

useradd m3dian -g www-data

in sshd_config:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match User m3dian
    ChrootDirectory /home/www/htdocs/m3dian/html
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

I restarted ssh...

But when I try to connect with FileZilla I get the following error: Connection reset by peer.

And in ssh logs:

fatal: bad ownership or modes for chroot directory component /home/www

# ls /home -l
drwxr-xr-x  6 www-data www-data  4096 mai   18  2016 www

/home/www is the Apache directory.

Is it possible to configure the rights to keep www-data as owner of /home/www (and the subdirectories) and allow m3dian to chroot to /home/www/htdocs/m3dian/html?

Thx

Paul

Posted 2019-04-17T10:11:20.090

Reputation: 101

Answers

0

This is probably too late and you've either found the solution or approached the problem from another direction, but it might help you or someone else.

I have been setting up a chroot SFTP environment and I found this link: Configure an sftp chroot environment. It is based on an AIX system, but I think the statement "Create a directory to hold all the chrooted users. This directory must be owned by root and have 700 permissions. This is a requirement of sftp-server for chrooted users even if there is only one user." may be relevant to all implementations of sftp-server.

I had created my user accounts in /home which has permissions of bin:bin, and I was having the same problem as you described.
Following the link's instructions, I:

  • Created a /sftproot directory, owned by root and in the system group, with 755 (u=rwx,go=rx) permissions
  • Created a group named sftpgrp
  • Created subdirectories within /sftproot for each user, owned by root and in the sftpgrp group, with 750 (u=rwx,g=rx,o=) permissions
  • Amended my user accounts to change the home location to /sftproot/<user>

... and, Hey Presto!, it worked.

Now all I need to do is work out whether I can get these accounts to access files that are located outside their chroot home directories. This is what happens if you have a wide-open SFTP solution and then later need to lock down some users, but that is for a different post.

I hope this helps.


Edit with warning

This did not work when I was testing and we had to abandon this approach; see my SE posting here.
It may work on other versions of operating system or openssh, but not on mine, which is AIX 6.1.0.0 and openssh.base version 5.8.0.6101.

Nick Clifton

Posted 2019-04-17T10:11:20.090

Reputation: 39