LinuxQuestions.org


CHIadam 09-14-2012 03:12 PM

CentOS 6.3 sftp chroot jail
 
Hello,

Looking for some advice here as I am stuck.

This is what I have done thus far:

#groupadd sftponly
# useradd -d /home/sftpuser/user1 -s /bin/false -G sftponly user1

In /etc/ssh/sshd_config

I commented out:
Subsystem sftp /usr/lib/openssh/sftp-server

Then I entered this below it:
Subsystem sftp internal-sftp

Then on the bottom of the file, I entered this:

Match Group sftponly
ChrootDirectory /home/sftpuser/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp


From my understanding, the root directory of the chroot jail (not accessible / writeable) would be /home/sftpuser, correct?

Here are my file permissions:

drwxr-xr-x. 3 root root 4096 Sep 14 09:11 sftpuser
drwx------. 2 user1 user1 4096 Sep 14 09:11 user1

When I test with FileZilla from my Windows machine I get this:

Status: Connecting to 10.2030.178...
Response: fzSftp started
Command: open "user1@10.2030.178" 22
Error: ssh_init: Host does not exist
Error: Could not connect to server

Can someone please offer some guidance? First time building a production sftp server, it was fun at first :-)

acid_kewpie 09-14-2012 03:20 PM

Error: ssh_init: Host does not exist

This sounds very clear... can you ping that IP from the client? can you telnet to port 22 on the server from that client?

CHIadam 09-14-2012 03:28 PM

Quote:

Originally Posted by acid_kewpie (Post 4780572)
Error: ssh_init: Host does not exist

This sounds very clear... can you ping that IP from the client? can you telnet to port 22 on the server from that client?

- 10.20.30.178 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms

#telnet 10.20.30.178 22
Trying 10.20.30.178...
Connected to 10.20.30.178 (10.20.30.178).
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
?
Protocol mismatch.
Connection closed by foreign host.

Seems like telnet connected; however, shouldn't I not get closed when I type ? and hit enter? What's a good command to type when a telnet connection is open?

acid_kewpie 09-14-2012 03:50 PM

OOOOHHHHHHHHH....

you missed a "." out in the IP... 10.2030.178. that's *not* a typo just here, right?

CHIadam 09-14-2012 03:54 PM

Quote:

Originally Posted by acid_kewpie (Post 4780592)
OOOOHHHHHHHHH....

you missed a "." out in the IP... 10.2030.178. that's *not* a typo just here, right?

Oops! Corrected that mistake and got the error I was getting all day:

Response: fzSftp started
Command: open "user1@10.20.30.178" 22
Command: Pass: ************
Error: Network error: Software caused connection abort
Error: Could not connect to server

acid_kewpie 09-14-2012 03:55 PM

ahh, ok that sounds better, so anything fun in /var/log/secure on the server?

CHIadam 09-14-2012 03:55 PM

I'll check out /var/log/secure in a moment; here is another piece of the puzzle:

#sftp user1@10.20.30.178

user1@10.20.30.178's password:
Read from remote host 10.20.30.178: Connection reset by peer
Couldn't read packet: Connection reset by peer

CHIadam 09-14-2012 03:59 PM

Looks like it's permissions. I'll take a stab at this again on Monday:

Sep 14 10:43:46 sftp sshd[2220]: Accepted password for user1 from 10.20.30.120 port 43039 ssh2
Sep 14 10:43:46 sftp sshd[2220]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 14 10:43:46 sftp sshd[2225]: fatal: bad ownership or modes for chroot directory "/home/sftpuser/user1"
Sep 14 10:43:46 sftp sshd[2220]: pam_unix(sshd:session): session closed for user user1

Thanks for the tip!

CHIadam 09-17-2012 03:20 PM

Match Group sftponly
ChrootDirectory /home/sftpuser/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

when I sftp from another box into the sftp server, this is what I get:

sftp> lpwd
Local working directory: /root
sftp>

Not sure if I got the permissions right. I basically chown'd sftpuser and user1 to root:root and chown'd uploads to user1:user1

drwx------. 3 root root 4096 Sep 17 09:53 sftpuser
drwxr-xr-x. 3 root root 4096 Sep 17 09:53 user1
drwxr-xr-x. 2 user1 user1 4096 Sep 17 09:53 uploads

2 questions:

1) Is there something else I am missing (permissions?, etc)?

2) Chroot directory is: /home/sftpuser/%u
This means that the user can't go back to sftpuser nor his home folder, and can only "work" in uploads, right? Shouldn't sftpuser and user1 be owned by root?

acid_kewpie 09-17-2012 04:33 PM

What's all this uid=0 stuff? You've not created a second account with root's uid, have you??

it makes an utter mockery of the solution by letting root log in in some half arsed way, the user1 directory should be owned by user1, who should have a unique uid of at least 500, and a group to match or a "users" group.

CHIadam 09-19-2012 12:32 PM

Quote:

Originally Posted by acid_kewpie (Post 4782676)
What's all this uid=0 stuff? You've not created a second account with root's uid, have you??

it makes an utter mockery of the solution by letting root log in in some half arsed way, the user1 directory should be owned by user1, who should have a unique uid of at least 500, and a group to match or a "users" group.

Filezilla is stating:

Response: fzSftp started
Command: open "user1@10.20.30.178" 22
Command: Pass: *******
Status: Connected to 10.20.30.178
Status: Retrieving directory listing...
Command: pwd
Response: Current directory is: "/"
Command: ls
Status: Listing directory /
Error: Unable to open .: permission denied
Error: Connection timed out
Error: Failed to retrieve directory listing



Not really sure why tail -f /var/log/secure is stating uid=0:

Sep 19 07:13:49 sftp sshd[1987]: Accepted password for user1 from 10.20.30.172 port 57096 ssh2
Sep 19 07:13:49 sftp sshd[1987]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 19 07:13:49 sftp sshd[1991]: subsystem request for sftp
Sep 19 07:14:09 sftp sshd[1987]: pam_unix(sshd:session): session closed for user user1

When:
[root@sftp ~]# id -u user1
500

CHIadam 09-19-2012 12:36 PM

I chown the user 1 directory user1:user1 user1


Sep 19 07:21:12 sftp sshd[2035]: Accepted password for user1 from 10.20.30.172 port 57287 ssh2
Sep 19 07:21:12 sftp sshd[2035]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 19 07:21:12 sftp sshd[2039]: fatal: bad ownership or modes for chroot directory "/home/sftpuser/user1"
Sep 19 07:21:12 sftp sshd[2035]: pam_unix(sshd:session): session closed for user user1

I guess I'll have to start digging into the internet / man pages more for permissions for this scenario. Couldn't find much before.

acid_kewpie 09-19-2012 12:55 PM

So what ARE the modes and ownership?

CHIadam 09-19-2012 01:04 PM

[root@sftp user1]# ls -lishad /home/sftpuser/user1
1048581 4.0K drwxr-xr-x. 3 root sftponly 4.0K Sep 17 09:53 /home/sftpuser/user1

[root@sftp user1]# ls -lishad /home/sftpuser/user1/uploads
1048582 4.0K drwxr-xr-x. 2 user1 sftponly 4.0K Sep 17 09:53 /home/sftpuser/user1/uploads



ChrootDirectory /home/sftpuser/%u


I got the permissions I just adjusted from another fellow's website who had an earlier version of CentOS... figured I'd give it a shot.

CHIadam 09-19-2012 01:55 PM

Ok I think I may have gotten somewhere:



[root@X home]# chown root:root /home
[root@X home]# chmod 755 /home
[root@X home]# useradd user1
[root@X home]# usermod -g sftponly user1
[root@X home]# usermod -s /bin/false user1
[root@X home]# usermod -d /home/user1 user1
usermod: no changes
passwd: all authentication tokens updated successfully.
[root@X home]# chmod 755 /home/user1
[root@X home]# chown root:root /home/user1
[root@X home]# mkdir /home/user1/upload
[root@X home]# chown user1:sftponly /home/user1/upload


Match Group sftponly
ChrootDirectory /home/%u
AllowTCPForwarding no
ForceCommand internal-sftp

[root@X home]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]


however when I sftp from another box I get this:
sftp> lpwd
Local working directory: /root
This is confusing too: it let me list the /root contents
sftp> lls
anaconda-ks.cfg install.log.syslog
IBM_Informix_Software_Bundle_InstallLog.log multicast-listener-v2

Then when I do this, I get this!:
sftp> ls -l
drwxr-xr-x 2 500 503 4096 Sep 19 13:26 upload
sftp>

FileZilla brings me right into the upload folder, which I can't upload a test.txt file to due to a permissions error. I can sort that out. However, what's with sftp saying my local working directory is /root? Is that because it's actually /user1 but chrooted? I'm not supposed to be able to list /root's contents though. Anyone have a better approach to this? I feel like I'm close.

