
I'm trying to allow a user "user" to access my server by either sftp or ssh. I want to jail them into a directory with chroot. I read the instructions here; however, it does not work. I did the following:

  1. useradd user
  2. modified /etc/ssh/sshd_config and added the following to the bottom of the file:

    Match User user
    ForceCommand internal-sftp
    ChrootDirectory /home/duke/aa/smart

  3. changed the subsystem line to Subsystem sftp internal-sftp

  4. restarted sshd with /etc/init.d/ssh restart

  5. logged in with ssh as user "user" with PuTTY

PuTTY says "Server unexpectedly closed the connection".

Why is this and how can it be fixed?

EDIT

Following the suggestions below, I've made the bottom of sshd_config look like:

Match User user
   ChrootDirectory /tmp

yet no change. I do get a password OK but I cannot connect via ssh nor sftp. What gives?

  • If you use ForceCommand, then you can't use ssh to connect. You can only connect via sftp. Were you connecting with sftp, and wrote the wrong thing for step 5?
    – Zoredache
    Commented Oct 8, 2012 at 20:18
  • @Zoredache I cannot connect with sftp nor ssh
    – dukevin
    Commented Oct 8, 2012 at 22:02
  • See my response in this: serverfault.com/questions/265185/… Commented Oct 8, 2012 at 22:19

4 Answers


The directory that you set as your chroot must be owned by root and have 755 permissions.

This is what I use for my setup

Match user sftpuser
 ChrootDirectory /home/sftpuser
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

in /home

drwxr-xr-x   5 root    users 4096 Jan 29 10:31 sftpuser

in /home/sftpuser

drwx------ 2 sftpuser users 4096 Jan 29 10:52 sftpuser

This chroots them to the /home/sftpuser directory, but since they have no permission to write into it, I create the second sftpuser directory for them to write to.


I think the problem is in ChrootDirectory /home/duke/aa/smart. The problem is related to permissions. The user through which you are trying to log into the box does not have the executable permission, I think. Can you try changing this to some directory like /tmp where every user has full permission?

  • I have tried this but no change. What could be the problem?
    – dukevin
    Commented Oct 8, 2012 at 22:15
  • Can you try sshing using the increased verbosity option? You can try ssh with the -v option for verbosity and find out where it is failing. Commented Oct 9, 2012 at 4:47
  • @KevinDuke: Can you check the server logs in /var/log/secure? Is there any kind of clue that you can get there? Commented Oct 9, 2012 at 4:48
  • root@Rx:~# ssh -V OpenSSH_5.5p1 Debian-6+squeeze2, OpenSSL 0.9.8o 01 Jun 2010 /var/log/secure: No such file or directory
    – dukevin
    Commented Oct 9, 2012 at 4:49
  • @KevinDuke: I mean you need to ssh into the server from linux client using the command: ssh -v user@serverip. Note the v is small letter not the capital letter. Commented Oct 9, 2012 at 9:44

Check your /var/log/auth.log for ssh errors.

It's probably a permissions error. The chroot directory must be owned by root.

FYI, my working config looks like this (I prefer using group access instead of user access):

Subsystem       sftp    internal-sftp

AllowGroups sshusers sftponly

Match group sftponly
  ChrootDirectory %h
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
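The answer above points at /var/log/auth.log without saying what to look for. sshd rejects a bad ChrootDirectory after authentication succeeds (which matches the asker's "I do get a password OK"), and logs a fatal line naming the offending directory or parent component. The script below is an added example, not part of this answer or of OpenSSH; the log lines in it are constructed (host, pids, addresses and paths are made up, the paths borrowed from the question), but the message text is the one sshd emits when the chroot directory or one of its parents is not root-owned or is group/world writable.

```sh
#!/bin/sh
# Added example: extract chroot-related sshd failures from auth.log lines.
# Not from the original answer; the sample log is constructed for the example.

# Constructed sample of /var/log/auth.log (host, pids, addresses made up).
SAMPLE_AUTH_LOG='Oct  8 22:01:44 Rx sshd[4211]: Accepted password for user from 192.0.2.10 port 51022 ssh2
Oct  8 22:01:44 Rx sshd[4211]: pam_unix(sshd:session): session opened for user user by (uid=0)
Oct  8 22:01:44 Rx sshd[4213]: fatal: bad ownership or modes for chroot directory component "/home/duke"
Oct  8 22:02:10 Rx sshd[4220]: Accepted password for user from 192.0.2.10 port 51023 ssh2
Oct  8 22:02:10 Rx sshd[4222]: fatal: bad ownership or modes for chroot directory "/home/duke/aa/smart"
Oct  8 22:03:01 Rx sshd[4230]: Failed password for invalid user admin from 192.0.2.77 port 40110 ssh2'

# Read log text on stdin; print each directory sshd rejected, one per line.
# Matches both the "chroot directory" and "chroot directory component" forms.
chroot_failures() {
    sed -n 's/.*bad ownership or modes for chroot directory \(component \)\{0,1\}"\([^"]*\)".*/\2/p'
}

# Number of distinct rejected directories, for a quick yes/no in scripts.
count_chroot_failures() {
    chroot_failures | sort -u | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a real box: chroot_failures < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | chroot_failures
```

Every path this prints is a directory to fix with chown root and chmod 755 (or to move the chroot out from under), which is exactly the permission error the answer suspects.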

SSHD is very strict about chroot permissions; I found a solution that worked for me here. Essentially, the ChrootDirectory and all of its parent directories need to be owned by root and have 755 permissions. You can get the permissions using the command namei -l /path/to/chrootdirectory. In my case, /tmp has 777 permissions, so I was getting a client_loop: send disconnect: Broken pipe error when trying to connect. I moved the chroot to /opt/chrootjail and it started working.
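Both this answer and the first one come down to the same rule: the ChrootDirectory and every directory above it must be owned by root and not writable by group or others (755 being the usual mode), which is what sshd itself verifies before it will chroot a session. namei -l shows the ownership and modes but leaves the judging to you. The script below is an added example (not the answer's own tooling and not part of OpenSSH) that walks the path the same way and gives a verdict per component. It assumes GNU or BusyBox `stat -c`; the default path is the one from the question and is expected to fail on any box other than the asker's.

```sh
#!/bin/sh
# Added example: reproduce sshd's chroot path check from the shell.
# Not from the original answer. Assumes GNU/BusyBox `stat -c`.

# Pure check on one component: $1 = owner uid, $2 = octal mode string
# (e.g. 755 or 1777), $3 = path, used only for the message.
# Returns 0 when sshd would accept this component.
chroot_component_ok() {
    uid=$1
    mode=$2
    dir=$3
    perm=$((0$mode))                 # leading 0: the shell parses it as octal
    if [ "$uid" -ne 0 ]; then
        printf 'FAIL %s: owned by uid %s, must be root\n' "$dir" "$uid"
        return 1
    fi
    if [ $((perm & 18)) -ne 0 ]; then    # 18 = 0022: group or other write bit set
        printf 'FAIL %s: mode %s is group/world writable\n' "$dir" "$mode"
        return 1
    fi
    printf 'ok   %s: root %s\n' "$dir" "$mode"
    return 0
}

# Stat one directory and run the pure check on what stat reports.
chroot_dir_ok() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf 'FAIL %s: not a directory\n' "$dir"
        return 1
    fi
    info=$(stat -c '%u %a' "$dir") || return 1
    set -- $info                      # $1 = uid, $2 = octal mode
    chroot_component_ok "$1" "$2" "$dir"
}

# Walk from / down to the target, like namei -l but with a verdict per step.
# Returns 0 only if every component passes, which is what sshd requires.
check_chroot_path() {
    target=$1
    status=0
    chroot_dir_ok / || status=1
    path=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        rest=${rest#"$comp"}
        rest=${rest#/}
        [ -n "$comp" ] || continue    # skip empty components from "//"
        path="$path/$comp"
        chroot_dir_ok "$path" || status=1
    done
    return $status
}

# Usage: sh check_chroot.sh /opt/chrootjail ; default is the question's path.
if check_chroot_path "${1:-/home/duke/aa/smart}"; then
    echo "sshd would accept this ChrootDirectory"
else
    echo "sshd would reject this ChrootDirectory"
fi
```

Run it against the candidate directory before editing sshd_config; the /tmp case from this answer fails on the 1777 mode of /tmp itself, and a chroot under a user's home fails on the home directory being owned by that user rather than root.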
