Ssh – SFTP – couldnt read packet: connection reset py peer

debianjailsftpssh

I have setup SFTP on our development box and would like to jail users into the /var/www/project folder

I have added the following to /etc/ssh/sshd_config

Match Group developers
    ChrootDirectory /var/www/project
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand /usr/lib/openssh/sftp-server

When I attempt to SFTP in, I receive error

Couldnt read packet: connection reset by peer

I thought that this might be a permissions issues, Ive chmod /usr/lib/openssh/sftp-server to 755 – still no luck

Any suggestions?

Best Answer

sorry i can't comment, so i have to answer directly.

the permissions with the build-in chroot system is a little bit tricky, i use the same method to create sftp only users:

part of my sshd_config:

Match group developers
    ChrootDirectory /home/%u/userdata

where %u matches every username here

assuming the following path

/home/developername/datadirectory/upload

permissions:

developername root:root rwxr-xr-x
datadirectory root:root rwxr-xr-x
upload developername:developers rwx------

if a user logs the directroy listing of / shows "upload"

Related Solutions

Linux – Creating multiple SFTP users for one account

Our solution is to create a main user account for each customer, such as flowershop. Each customer can create an arbitrary number of side accounts with their own passwords, such as flowershop_developer, flowershop_tester, flowershop_dba, etc. This allows them to hand out accounts without sharing their main account password, which is better for a whole bunch of reasons (for example, if they need to remove their DBA's account, they can easily do that without changing their own passwords).

Each one of these accounts is in the flowershop group, with a home folder of /home/flowershop/. SSH uses this as the chroot directory (/home/%u, as shown in the configuration in the question).

We then use ACLs to enable every user in group flowershop to modify all files. When a new customer account is created, we set the ACLs as follows:

setfacl -Rm \
d:group:admin:rwx,d:user:www-data:r-x,d:user:$USERNAME:rwx,d:group:$USERNAME:rwx,\
  group:admin:rwx,  user:www-data:r-x,  user:$USERNAME:rwx,  group:$USERNAME:rwx \
/home/$USERNAME/

This does the following:

Gives group admin (for us, the hosting providers) rwx
Gives user www-data (Apache) r-x to the files*
Gives user $USERNAME rwx to the files
Gives group $USERNAME rwx to the files

This setup appears to be working well for us, but we are open to any suggestions for doing it better.

_{* we use suexec for CGI/PHP running as the customer account}

SFTP Error – Connection Reset by Peer: Troubleshooting

You could use proftpd which offers a SFTP frontend. This way you can unite SFTP, FTP and FTP/S in one daemon. However you cannot use port 22 for SFTP or you'll have to give up on SSH on that port since proftpd and sshd cannot bind the same ports for SFTP.

Best Answer

Related Solutions

Linux – Creating multiple SFTP users for one account

SFTP Error – Connection Reset by Peer: Troubleshooting

Related Topic