Linux – Allowing Both SFTP and SSH with Chrooted Directory

linuxsftpssh

I am attempting to set up a user with SFTP access and limited SSH access. Therefore, I've chrooted the user and then set it up basically exactly as specified in this tutorial. However, while I can ssh into the server successfully, when I attempt to connect via an SFTP connection, it simply says Connection Failed.

Research and attempted fixes

I have attempted searching for anything that can explain how to do this however I could only find this topic which did not have any answers. In addition, there were no articles online that I could find that showed how this could be done.

I also tried copying the entire /bin and entire /lib folder into the chrooted directory in order to ensure that there wasn't any missing commands that may be causing it to fail. Looking at /var/log/auth.log yielded no results including as the only log was that the connection was closed by the user including when I set LogLevel Debug2 in /etc/ssh/sshd_config. Attempting to connect using an SCP connection in WinSCP allows me to see the files, however I can't copy anything to my local drive or vice versa

SSHD Config File (relevant section):

Match User test_user
    ChrootDirectory /home/test_user

Best Answer

Eventually I found the jailkit tool which is designed to automate the jailing of users rather than doing it manually which I originally was attempting to do.

To set up the chrooted directory, I used the following steps

Installation (on Ubuntu) Installation from source can be found here

sudo apt install jailkit

Directory Setup

A list of various packages to allow access to can be found at /etc/jailkit/jk_init.ini. I also installed git this way after I had set it up

sudo chown root:root /srv/test_user
sudo jk_init -v /srv/test_user netutils basicshell jk_lsh openvpn ssh sftp

General format below

sudo chown root:root <chroot_directory>
sudo jk_init -v <chroot_directory> <packages>

Jailing the user

sudo jk_jailuser -m -j /srv/test_user test_user

Changing shell

Finally the shell specified in <chroot_directory>/etc/passwd should be changed from /usr/sbin/jk_lsh to /bin/bash. Note there should only be the entries for test_user, root and possibly one other login

From there, you can log in via ssh or sftp/scp and access everything as expected. Note that to log in via public key, you will need to set up the ~/.ssh/authorized_keys file

Related Solutions

Ssh – OpenSSH SFTP: chrooted user with access to other chrooted users’ files

Create a new home directory, such as /chroothome.

Have all users home directories live within that chroothome.

chroot adminuser to /chroothome.

For everything else, just use filesystem permissions.

As far as your "bonus question," it isn't possible using native functionality. The inability for the chroot user to write to the root directory is a security mechanism by design. Of course, you can always modify the source code.

Nevertheless, I suspect you could specify the user's home directory as /user1 and have the working directory at login be the one they could write to.

Linux – Can’t get Passwordless (SSH provided) SFTP working

First off, the home directories in /etc/passwd should reflect the un-chrooted paths, or you'll run into problems in general. In this case, sshd checks for authorized keys before it chroots, so it needs to find them using an un-chrooted path. That's why your first try doesn't work.

Second thing to note: Under your first setup, when david logs in he starts in /var/chroot-home/david, but he is actually chrooted to /var/chroot-home, meaning if he types cd .. he can see all of the other home dirs (although not their contents, if permissions are correct). This might or might not be a problem for you, but it's a good thing to be aware of.

If the above is fine with you, you can use your first sshd_config, set david's home dir to /var/chroot-home/david in the passwd file, and add the following symlink so that david still starts in his home directory:

cd /var/chroot-home
mkdir var
ln -s .. var/chroot-home

That symbolic link will make sure that you can reach a home directory using the same path whether or not you are in the chroot.

However, if you don't want the clients to see the names of each other's home directories, you need to chroot into the home directory itself, as in your second solution. But as you've seen, sshd doesn't like that (because for various subtle reasons, it's dangerous to give a user write access to the root of a filesystem). Sadly, you're mostly out of luck here. One (kludgy) solution to this is to create a files/ subdirectory in each home directory and give the client write access to that instead.

Another option might be to chroot to /var/chroot-home anyway, and name the home directories differently, e.g. using the user ID number instead of the name.

Best Answer

Related Solutions

Ssh – OpenSSH SFTP: chrooted user with access to other chrooted users’ files

Linux – Can’t get Passwordless (SSH provided) SFTP working

Related Topic