Ssh – sftp chroot access via SSH

chrootssh

I have this setup in sshd_config:

AllowUsers test1 test2

Match group sftpgroup
         ChrootDirectory /var/www
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

Match user test2
         ChrootDirectory /var/www/somedomain.dk
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

I am trying to restrict test2 to only use /var/www/somedomain.dk

For some reason when I try to login e.g. with Filezilla on account test2 I get this error: "Server unexpectedly closed network connection"

The users are created and works. the SSH service has been stopped and started. test1 works when using e.g. filezilla and the root of the connection is /var/www. What am I doing wrong?

Best Answer

If the answer Cudos supplied does not help you, and I dont think it will (no offense), try this:

chown root:root /your/chroot/home
chmod 700 /your/chroot/home
chown user:sftpgroup /your/chroot/home/userdir
chmod 755 /your/chroot/home/userdir

remember: your users wont be able to write in their "root", you need to create a directory for them to use.

Related Solutions

Linux – Creating multiple SFTP users for one account

Our solution is to create a main user account for each customer, such as flowershop. Each customer can create an arbitrary number of side accounts with their own passwords, such as flowershop_developer, flowershop_tester, flowershop_dba, etc. This allows them to hand out accounts without sharing their main account password, which is better for a whole bunch of reasons (for example, if they need to remove their DBA's account, they can easily do that without changing their own passwords).

Each one of these accounts is in the flowershop group, with a home folder of /home/flowershop/. SSH uses this as the chroot directory (/home/%u, as shown in the configuration in the question).

We then use ACLs to enable every user in group flowershop to modify all files. When a new customer account is created, we set the ACLs as follows:

setfacl -Rm \
d:group:admin:rwx,d:user:www-data:r-x,d:user:$USERNAME:rwx,d:group:$USERNAME:rwx,\
  group:admin:rwx,  user:www-data:r-x,  user:$USERNAME:rwx,  group:$USERNAME:rwx \
/home/$USERNAME/

This does the following:

Gives group admin (for us, the hosting providers) rwx
Gives user www-data (Apache) r-x to the files*
Gives user $USERNAME rwx to the files
Gives group $USERNAME rwx to the files

This setup appears to be working well for us, but we are open to any suggestions for doing it better.

_{* we use suexec for CGI/PHP running as the customer account}

SSH – SFTP/SCP only + additional command running in background

if the problem you are having is people trying to brute force their way in, try changing the port that your sftp server is on. People generally only spam port 22.

Best Answer

Related Solutions

Linux – Creating multiple SFTP users for one account

SSH – SFTP/SCP only + additional command running in background

Related Topic