SFTP ChRoot result in broken pipe

I have a website that I want to add some restricted access to a sub-folder. For this, I've decided to use CHROOT with SFTP (I mostly followed this link : http://shapeshed.com/chroot_sftp_users_on_ubuntu_intrepid/)

For now, I've created a user (sio2104) and a group (magento).After following the guide, my folder list look like this :

-rw-r--r--  1 root root       27 2012-02-01 14:23 index.html
-rw-r--r--  1 root root       21 2012-02-01 14:24 info.php
drwx------ 15 root root     4096 2012-02-25 00:31 magento

As you can see, i've chown root:root the folder magento I wanted to jail-in the user and ...everything else by the way. Also in the magento folder, I chown sio2104:magento everything so they can access what they want. Finally, I've added this to sshd_config file :

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group magento
        ChrootDirectory /usr/share/nginx/www/magento
        ForceCommand internal-sftp
        AllowTCPForwarding no
        X11Forwarding no
        PasswordAuthentication yes

#UsePAM yes

And the result is...well, I can enter my login, password and it's all finished with a "broken pipe" error.

$ sftp sio2104@10.20.0.50
[....some debug....]
sio2104@10.20.0.50's password: 
debug1: Authentication succeeded (password).
Authenticated to 10.20.0.50 ([10.20.0.50]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
Connection closed

Verbose mode gives nothing to help. Anyone have an idea of what I've done wrong? If I try to login with ssh or sftp with my personnal user, everything works fine.

Patrick Pruneau

Posted 2012-02-26T20:22:10.813

Reputation: 265

What version of OpenSSH is the server running? – Cristian Ciupitu – 2015-06-11T12:05:27.757

1Typical issue: all parent directories must be owned by root and only the user may have write permissions. See also output of /var/log/auth.log. – koppor – 2015-11-15T20:12:05.960

1What does the OpenSSH server log say? – gertvdijk – 2012-12-20T00:35:05.337

Answers

I had the same problem.

The chroot-dir must be set to owner root and group root. (chown root:root chroot-dir)

AbstractError

Posted 2012-02-26T20:22:10.813

Reputation: 41

It is. The chroot-dir is magento. And as it said in the tutorial, I've remove right to everyone....maybe that's where I made an error? – Patrick Pruneau – 2012-03-02T18:38:34.810

If it were a permissions error, you would not be able to get past authentication. You are getting past authentication, so something else is preventing your session from starting. What is your Match block from sshd_config? – UtahJarhead – 2012-10-18T13:06:04.013

Try having your default directory different to chroot directory.

I have set /home/ftpman as my default directory.

vi /etc/passwd

..
ftpman:x:1001:1002::/home/ftpman:/bin/bash

and

ls -la /home

...
drwxr-xr-x  5 ftpman sftponly 4096 Jun 25 11:56 ftpman

Then I have chroot directory set to /. And it works for me

vi /etc/ssh/sshd_config

...
Match Group sftponly
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /
  ForceCommand internal-sftp

GabrielC

Posted 2012-02-26T20:22:10.813

Reputation: 141

3There's practically no chroot in your answer. – Cristian Ciupitu – 2015-06-11T12:04:30.170

I'm not 100% sure on this, but as far as I understand the chroot process, SSHd will fork as your user first, then tries to chroot. This will obviously fail as the directory can't be accessed being sio2104 on the system.

Try loosening up the filesystem permission on the magento folder (chmod o+rx).

gertvdijk

Posted 2012-02-26T20:22:10.813

Reputation: 3 396