Scponly worked but didn’t chroot the home folder, the user can still browse the entire server


So I followed the "Chroot and Debian" tutorial in http://sublimation.org/scponly/wiki/index.php/FAQ

Then when I log into user "upload" via ssh I have no access to the command line (this is what I wanted).

But then when I SFTP into the upload user I can still see all the root files (/); it didn't chroot me to just /home/upload. What's going on?

….

I added this to the end of my /etc/ssh/sshd_config file, then did a restart:

Subsystem sftp internal-sftp

UsePAM yes

Match User upload
    ChrootDirectory /home/upload
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Then when I log into sftp I can only see my upload folder (this is what I want), but now scp doesn't work 😛

SCP will accept my password then:

debug1: Next authentication method: password
upload@10.10.10.2's password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_NZ.UTF-8
debug1: Sending command: scp -v -t /test

It will hang on that last debug message.

Any help would be greatly appreciated.

Note, running Debian Lenny

Best Answer

You are not using scponly here. You have restricted the user upload to using SFTP, so you can't use scp on that account since scp relies on an interactive shell or at least a shell which supports certain commands (like scponly or rssh).

Use sftp or another SFTP client (e.g. lftp) to access that account or remove the ForceCommand and ChrootDirectory directives from your sshd_config.
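
The behaviour described in this answer can be read off the configuration itself. The following is an added example, not part of the original question or answer and not OpenSSH code: it parses sshd_config text and reports, for each Match block, whether ForceCommand internal-sftp replaces client commands such as scp and whether a chroot is set without it. The function names and report fields are assumptions made for this illustration.

```python
# Added example: audit Match blocks in sshd_config text (hypothetical helper names).
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
UsePAM yes
Match User upload
    ChrootDirectory /home/upload
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""  # the directives quoted in the question

def parse_match_blocks(text):
    """Return [(criteria, {lowercased_keyword: value})] for each Match block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # sshd_config keywords are case-insensitive, so compare in lower case.
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            current = {}
            blocks.append((value, current))
        elif current is not None:
            current.setdefault(keyword, value)  # sshd keeps the first value it reads
    return blocks

def audit(text):
    """Describe what each Match block permits, as a list of report dicts."""
    reports = []
    for criteria, opts in parse_match_blocks(text):
        sftp_only = opts.get("forcecommand", "").split()[:1] == ["internal-sftp"]
        chroot = opts.get("chrootdirectory")
        notes = []
        if sftp_only:
            notes.append("client commands such as 'scp -t' are replaced by the SFTP server")
        elif chroot and chroot.lower() != "none":
            notes.append("chroot must contain a shell and its support files")
        for key in ("allowtcpforwarding", "x11forwarding"):
            if opts.get(key, "").lower() != "no":
                notes.append(key + " is not explicitly set to no in this block")
        reports.append({"match": criteria, "chroot": chroot,
                        "sftp_only": sftp_only, "notes": notes})
    return reports

if __name__ == "__main__":
    for report in audit(SAMPLE_CONFIG):
        print(report)
```

For the configuration in the question, the single note produced is the one about client commands being replaced, which matches the scp session stalling right after "Sending command: scp -v -t /test".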