CentOS 6.3 sftp chroot jail
Hello,

Looking for some advice here as I am stuck. This is what I have done thus far:

#groupadd sftponly
# useradd -d /home/sftpuser/user1 -s /bin/false -G sftponly user1

In /etc/ssh/sshd_config I commented out:

Subsystem sftp /usr/lib/openssh/sftp-server

Then I entered this below it:

Subsystem sftp internal-sftp

Then on the bottom of the file, I entered this:

Match Group sftponly
    ChrootDirectory /home/sftpuser/%u
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

From my understanding, the root directory of the chroot jail (not accessible / writeable) would be /home/sftpuser, correct? Here are my file permissions:

drwxr-xr-x. 3 root  root  4096 Sep 14 09:11 sftpuser
drwx------. 2 user1 user1 4096 Sep 14 09:11 user1

When I test with Filezilla from my Windows machine I get this:

Status: Connecting to 10.2030.178...
Response: fzSftp started
Command: open "user1@10.2030.178" 22
Error: ssh_init: Host does not exist
Error: Could not connect to server

Can someone please offer some guidance? First time building a production sftp server, it was fun at first :-)
Error: ssh_init: Host does not exist

This sounds very clear... Can you ping that IP from the client? Can you telnet to port 22 on the server from that client?
Quote:
2 packets transmitted, 2 received, 0% packet loss, time 1000ms

#telnet 10.20.30.178 22
Trying 10.20.30.178...
Connected to 10.20.30.178 (10.20.30.178).
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
?
Protocol mismatch.
Connection closed by foreign host.

Seems like telnet connected, however shouldn't I not get closed when I type ? then hit enter? What's a good command to type when a telnet connection is open?
OOOOHHHHHHHHH....

You missed a "." out in the IP... 10.2030.178. That's *not* a typo just here, right?
Quote:
Response: fzSftp started
Command: open "user1@10.20.30.178" 22
Command: Pass: ************
Error: Network error: Software caused connection abort
Error: Could not connect to server
Ahh, ok, that sounds better. So, anything fun in /var/log/secure on the server?
I'll check out /var/log/secure in a moment; here is another piece of the puzzle:

#sftp user1@10.20.30.178
user1@10.20.30.178's password:
Read from remote host 10.20.30.178: Connection reset by peer
Couldn't read packet: Connection reset by peer
Looks like it's permissions.. I'll take a stab at this again on Monday:

Sep 14 10:43:46 sftp sshd[2220]: Accepted password for user1 from 10.20.30.120 port 43039 ssh2
Sep 14 10:43:46 sftp sshd[2220]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 14 10:43:46 sftp sshd[2225]: fatal: bad ownership or modes for chroot directory "/home/sftpuser/user1"
Sep 14 10:43:46 sftp sshd[2220]: pam_unix(sshd:session): session closed for user user1

Thanks for the tip!
Match Group sftponly
    ChrootDirectory /home/sftpuser/%u
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

When I sftp from another box into the sftp server, this is what I get:

sftp> lpwd
Local working directory: /root
sftp>

Not sure if I got the permissions right.. I basically chown'd sftpuser and user1 to root:root and chown'd uploads to user1:user1:

drwx------. 3 root  root  4096 Sep 17 09:53 sftpuser
drwxr-xr-x. 3 root  root  4096 Sep 17 09:53 user1
drwxr-xr-x. 2 user1 user1 4096 Sep 17 09:53 uploads

2 questions:

1) Is there something else I am missing (permissions?, etc)?
2) Chroot directory is: /home/sftpuser/%u. This means that the user can't go back to sftpuser nor his home folder.. only can "work" in uploads, right? Shouldn't sftpuser and user1 be owned by root?
What's all this uid=0 stuff? You've not created a second account with root's uid, have you??

It makes an utter mockery of the solution by letting root log in in some half-arsed way. The user1 directory should be owned by user1, who should have a unique uid of at least 500, and a group to match or a "users" group.
Quote:
Response: fzSftp started
Command: open "user1@10.20.30.178" 22
Command: Pass: *******
Status: Connected to 10.20.30.178
Status: Retrieving directory listing...
Command: pwd
Response: Current directory is: "/"
Command: ls
Status: Listing directory /
Error: Unable to open .: permission denied
Error: Connection timed out
Error: Failed to retrieve directory listing

Not really sure why tail -f /var/log/secure is stating uid=0:

Sep 19 07:13:49 sftp sshd[1987]: Accepted password for user1 from 10.20.30.172 port 57096 ssh2
Sep 19 07:13:49 sftp sshd[1987]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 19 07:13:49 sftp sshd[1991]: subsystem request for sftp
Sep 19 07:14:09 sftp sshd[1987]: pam_unix(sshd:session): session closed for user user1

When:

[root@sftp ~]# id -u user1
500
I chown the user1 directory user1:user1 user1:

Sep 19 07:21:12 sftp sshd[2035]: Accepted password for user1 from 10.20.30.172 port 57287 ssh2
Sep 19 07:21:12 sftp sshd[2035]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 19 07:21:12 sftp sshd[2039]: fatal: bad ownership or modes for chroot directory "/home/sftpuser/user1"
Sep 19 07:21:12 sftp sshd[2035]: pam_unix(sshd:session): session closed for user user1

I guess I'll have to start digging into the internet / man pages more for permissions for this scenario.. couldn't find much before.
So what ARE the modes and ownership?
[root@sftp user1]# ls -lishad /home/sftpuser/user1
1048581 4.0K drwxr-xr-x. 3 root sftponly 4.0K Sep 17 09:53 /home/sftpuser/user1
[root@sftp user1]# ls -lishad /home/sftpuser/user1/uploads
1048582 4.0K drwxr-xr-x. 2 user1 sftponly 4.0K Sep 17 09:53 /home/sftpuser/user1/uploads

ChrootDirectory /home/sftpuser/%u

I got the permissions I just adjusted from another fellow's website who had an earlier version of CentOS... figured I'd give it a shot.
Ok, I think I may have gotten somewhere:

[root@X home]# chown root:root /home
[root@X home]# chmod 755 /home
[root@X home]# useradd user1
[root@X home]# usermod -g sftponly user1
[root@X home]# usermod -s /bin/false user1
[root@X home]# usermod -d /home/user1 user1
usermod: no changes
passwd: all authentication tokens updated successfully.
[root@X home]# chmod 755 /home/user1
[root@X home]# chown root:root /home/user1
[root@X home]# mkdir /home/user1/upload
[root@X home]# chown user1:sftponly /home/user1/upload

Match Group sftponly
    ChrootDirectory /home/%u
    AllowTCPForwarding no
    ForceCommand internal-sftp

[root@X home]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

However, when I sftp from another box I get this:

sftp> lpwd
Local working directory: /root

This is confusing too.. it let me list the /root contents:

sftp> lls
anaconda-ks.cfg  install.log.syslog  IBM_Informix_Software_Bundle_InstallLog.log  multicast-listener-v2

Then when I do this, I get this!:

sftp> ls -l
drwxr-xr-x 2 500 503 4096 Sep 19 13:26 upload
sftp>

Filezilla brings me right into the upload folder, which I can't upload a test.txt file to due to a permissions error.. I can sort that out.. however, what's with sftp saying my local working directory is /root.. is that because it's actually /user1 but chroot? I'm not supposed to be able to list /root's contents though.. anyone have a better approach to this? I feel like I'm close.
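The "fatal: bad ownership or modes for chroot directory" line that appears twice in this thread is sshd refusing the jail because some component of the ChrootDirectory path is not owned by root or is writable by group or other; sshd applies that rule to every directory from / down to the chroot root, and the user's writable area then has to be a subdirectory owned by the user. The script below is an added example, not posted by anyone in this thread and not part of OpenSSH: it walks the chroot path and reports which component would be rejected, and separately checks that the upload subdirectory is owned and writable by the user. It assumes Linux with GNU stat; the function names (check_chroot_dir, check_chroot_path, check_upload_dir) are ours.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an sftp chroot
# layout before restarting sshd. Assumes GNU stat (Linux). Function names
# are hypothetical, chosen for this example.

# check_chroot_dir DIR [OWNER_UID]
# One path component: must be a directory owned by OWNER_UID (default 0,
# i.e. root) with neither the group-write nor the other-write bit set.
# Prints a one-line verdict and returns 0 (ok) or 1 (bad).
check_chroot_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "BAD  $dir: not a directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$uid" -ne "$want_uid" ]; then
        echo "BAD  $dir: owned by uid $uid, expected uid $want_uid"
        return 1
    fi
    # 022 (octal) masks the group-write and other-write bits; the leading
    # 0 makes the shell read $mode (e.g. 755, 1777) as octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD  $dir: mode $mode is group- or world-writable"
        return 1
    fi
    echo "ok   $dir: uid $uid mode $mode"
    return 0
}

# check_chroot_path DIR [OWNER_UID]
# sshd checks every component from / down to the chroot root, so walk
# them all. Returns the number of failing components (0 = accepted).
check_chroot_path() {
    target=$1
    want_uid=${2:-0}
    bad=0
    path=""
    old_ifs=$IFS
    IFS=/
    set -- $target          # split the path on "/" into components
    IFS=$old_ifs
    check_chroot_dir / "$want_uid" || bad=$((bad + 1))
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        check_chroot_dir "$path" "$want_uid" || bad=$((bad + 1))
    done
    return $bad
}

# check_upload_dir DIR OWNER_UID
# The directory the user uploads into lives inside the chroot and must be
# owned by that user with the owner-write bit set; otherwise the login
# succeeds but every upload fails with "permission denied".
check_upload_dir() {
    dir=$1
    want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "BAD  $dir: not a directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$uid" -ne "$want_uid" ]; then
        echo "BAD  $dir: owned by uid $uid, expected uid $want_uid"
        return 1
    fi
    # 0200 (octal) is the owner-write bit.
    if [ $(( 0$mode & 0200 )) -eq 0 ]; then
        echo "BAD  $dir: mode $mode has no owner-write bit"
        return 1
    fi
    echo "ok   $dir: uid $uid mode $mode"
    return 0
}

# Usage: sh check_sftp_chroot.sh /home/user1 upload 500
# (chroot root, upload subdirectory, uid of the sftp user)
if [ -n "${1:-}" ]; then
    check_chroot_path "$1"
    echo "chroot path problems: $?"
    if [ -n "${3:-}" ]; then
        check_upload_dir "$1/${2:-upload}" "$3"
    fi
fi
```

Run it as root on the server with the same path you put in ChrootDirectory (after substituting %u by hand); a layout like the one in the last post (/home and /home/user1 root-owned and 755, /home/user1/upload owned by user1) passes, while the earlier /home/sftpuser/user1 owned by user1 is reported at exactly the component sshd objects to.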