LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 09-14-2012, 03:12 PM   #1
CHIadam
CentOS 6.3 sftp chroot jail


Hello,

Looking for some advice here as I am stuck.

This is what I have done thus far:

#groupadd sftponly
# useradd -d /home/sftpuser/user1 -s /bin/false -G sftponly user1

In /etc/ssh/sshd_config

I commented out:
Subsystem sftp /usr/lib/openssh/sftp-server

Then I entered this below it:
Subsystem sftp internal-sftp

Then on the bottom of the file, I entered this:

Match Group sftponly
ChrootDirectory /home/sftpuser/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp


From my understanding, the root directory of the chroot jail (not accessible / writeable) would be /home/sftpuser, correct?

Here are my file permissions:

drwxr-xr-x. 3 root root 4096 Sep 14 09:11 sftpuser
drwx------. 2 user1 user1 4096 Sep 14 09:11 user1

When I test with Filezilla from my Windows machine I get this:

Status: Connecting to 10.2030.178...
Response: fzSftp started
Command: open "user1@10.2030.178" 22
Error: ssh_init: Host does not exist
Error: Could not connect to server

Can someone please offer some guidance? First time building a production sftp server, it was fun at first :-)

 
Old 09-14-2012, 03:20 PM   #2
acid_kewpie
Error: ssh_init: Host does not exist

This sounds very clear... Can you ping that IP from the client? Can you telnet to port 22 on the server from that client?
 
Old 09-14-2012, 03:28 PM   #3
CHIadam
Quote (originally posted by acid_kewpie):
Error: ssh_init: Host does not exist

This sounds very clear... can you ping that IP from the client? can you telnet to port 22 on the server from that client?

- 10.20.30.178 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms

#telnet 10.20.30.178 22
Trying 10.20.30.178...
Connected to 10.20.30.178 (10.20.30.178).
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
?
Protocol mismatch.
Connection closed by foreign host.

Seems like telnet connected; however, shouldn't I not get closed when I type ? then hit enter? What's a good command to type when a telnet connection is open?
 
Old 09-14-2012, 03:50 PM   #4
acid_kewpie
OOOOHHHHHHHHH....

You missed a "." out in the IP... 10.2030.178. That's *not* a typo just here, right?
 
Old 09-14-2012, 03:54 PM   #5
CHIadam
Quote (originally posted by acid_kewpie):
OOOOHHHHHHHHH....

you missed a "." out in the IP... 10.2030.178. that's *not* a typo just here, right?

Oops! Corrected that mistake and got the error I was getting all day:

Response: fzSftp started
Command: open "user1@10.20.30.178" 22
Command: Pass: ************
Error: Network error: Software caused connection abort
Error: Could not connect to server
 
Old 09-14-2012, 03:55 PM   #6
acid_kewpie
Ahh, ok, that sounds better. So, anything fun in /var/log/secure on the server?
 
Old 09-14-2012, 03:55 PM   #7
CHIadam
I'll check out /var/log/secure in a moment; here is another piece of the puzzle:

#sftp user1@10.20.30.178

user1@10.20.30.178's password:
Read from remote host 10.20.30.178: Connection reset by peer
Couldn't read packet: Connection reset by peer

 
Old 09-14-2012, 03:59 PM   #8
CHIadam
Looks like it's permissions.. I'll take a stab at this again on Monday:

Sep 14 10:43:46 sftp sshd[2220]: Accepted password for user1 from 10.20.30.120 port 43039 ssh2
Sep 14 10:43:46 sftp sshd[2220]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 14 10:43:46 sftp sshd[2225]: fatal: bad ownership or modes for chroot directory "/home/sftpuser/user1"
Sep 14 10:43:46 sftp sshd[2220]: pam_unix(sshd:session): session closed for user user1

Thanks for the tip!

 
Old 09-17-2012, 03:20 PM   #9
CHIadam
Match Group sftponly
ChrootDirectory /home/sftpuser/%u
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

when I sftp from another box into the sftp server, this is what I get:

sftp> lpwd
Local working directory: /root
sftp>

Not sure if I got the permissions right.. I basically chown'd sftpuser and user1 to root:root and chown'd uploads to user1:user1

drwx------. 3 root root 4096 Sep 17 09:53 sftpuser
drwxr-xr-x. 3 root root 4096 Sep 17 09:53 user1
drwxr-xr-x. 2 user1 user1 4096 Sep 17 09:53 uploads

2 questions:

1) Is there something else I am missing (permissions?, etc)?

2) Chroot directory is: /home/sftpuser/%u
This means that the user can't go back to sftpuser nor his home folder.. only can "work" in uploads, right? Shouldn't sftpuser and user1 be owned by root?
 
Old 09-17-2012, 04:33 PM   #10
acid_kewpie
What's all this uid=0 stuff? You've not created a second account with root's uid, have you??

It makes an utter mockery of the solution by letting root log in in some half arsed way. The user1 directory should be owned by user1, who should have a unique uid of at least 500, and a group to match or a "users" group.
 
Old 09-19-2012, 12:32 PM   #11
CHIadam
Quote (originally posted by acid_kewpie):
what's all this uid=0 stuff? You've not created a second account wit roots uid have you??

it makes an utter mockery of the solution by letting root log in in some half arsed way, the user1 directory should be owned by user1, who should have a unique uid of at least 500, and a group to match or a "users" group.

Filezilla is stating:

Response: fzSftp started
Command: open "user1@10.20.30.178" 22
Command: Pass: *******
Status: Connected to 10.20.30.178
Status: Retrieving directory listing...
Command: pwd
Response: Current directory is: "/"
Command: ls
Status: Listing directory /
Error: Unable to open .: permission denied
Error: Connection timed out
Error: Failed to retrieve directory listing

Not really sure why tail -f /var/log/secure is stating uid=0:

Sep 19 07:13:49 sftp sshd[1987]: Accepted password for user1 from 10.20.30.172 port 57096 ssh2
Sep 19 07:13:49 sftp sshd[1987]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 19 07:13:49 sftp sshd[1991]: subsystem request for sftp
Sep 19 07:14:09 sftp sshd[1987]: pam_unix(sshd:session): session closed for user user1

When:
[root@sftp ~]# id -u user1
500
 
Old 09-19-2012, 12:36 PM   #12
CHIadam
I chown'd the user1 directory: chown user1:user1 user1

Sep 19 07:21:12 sftp sshd[2035]: Accepted password for user1 from 10.20.30.172 port 57287 ssh2
Sep 19 07:21:12 sftp sshd[2035]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Sep 19 07:21:12 sftp sshd[2039]: fatal: bad ownership or modes for chroot directory "/home/sftpuser/user1"
Sep 19 07:21:12 sftp sshd[2035]: pam_unix(sshd:session): session closed for user user1

I guess I'll have to start digging into the internet / man pages more for permissions for this scenario.. couldn't find much before.
 
Old 09-19-2012, 12:55 PM   #13
acid_kewpie
So what ARE the modes and ownership?
 
Old 09-19-2012, 01:04 PM   #14
CHIadam
[root@sftp user1]# ls -lishad /home/sftpuser/user1
1048581 4.0K drwxr-xr-x. 3 root sftponly 4.0K Sep 17 09:53 /home/sftpuser/user1

[root@sftp user1]# ls -lishad /home/sftpuser/user1/uploads
1048582 4.0K drwxr-xr-x. 2 user1 sftponly 4.0K Sep 17 09:53 /home/sftpuser/user1/uploads

ChrootDirectory /home/sftpuser/%u

I got the permissions I just adjusted from another fellow's website who had an earlier version of CentOS... figured I'd give it a shot.
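The "bad ownership or modes for chroot directory" fatals in posts #8 and #12 come from one fixed rule in sshd, and the listings posted in #14 and #15 can be checked against it without restarting sshd. The following is an added illustration, not code from the thread: it reproduces that rule (every directory from / down to the ChrootDirectory must be owned by uid 0 and be writable by neither group nor other), judges the constructed ownership/mode lines mirroring posts #12 and #15, and check_chroot_path runs the same test against a live host, assuming GNU stat on Linux.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the rule behind sshd's
# "fatal: bad ownership or modes for chroot directory": every component of
# the ChrootDirectory path, from / down to the jail, must be owned by uid 0
# and be writable by neither group nor other. Assumes GNU stat (Linux).

# judge_components: reads "PATH UID SYMBOLICMODE" lines (ls -l style) on stdin;
# prints the first component breaking the rule and returns 1, else returns 0.
judge_components() {
    local path uid perm writable
    while read -r path uid perm; do
        case "$perm" in            # char 6 = group write, char 9 = other write
            ?????w*|????????w*) writable=yes ;;
            *) writable=no ;;
        esac
        if [ "$uid" != 0 ] || [ "$writable" = yes ]; then
            printf '%s: uid=%s %s (need uid 0, no group/other write)\n' "$path" "$uid" "$perm"
            return 1
        fi
    done
    return 0
}

# list_components DIR: emits "PATH UID SYMBOLICMODE" for / and each directory down to DIR.
list_components() {
    local path="" part
    local IFS='/'
    stat -c '/ %u %A' / || return 2
    for part in $1; do
        [ -n "$part" ] || continue
        path="$path/$part"
        stat -c '%n %u %A' "$path" || return 2
    done
}

# check_chroot_path DIR: what sshd would decide for "ChrootDirectory DIR" on this host.
check_chroot_path() { list_components "$1" | judge_components; }

# Constructed samples (not real stat output): post #12's layout, where the jail
# itself was chowned to user1 (uid 500), and post #15's root-owned 755 jail.
SAMPLE_BAD='/ 0 drwxr-xr-x
/home 0 drwxr-xr-x
/home/sftpuser 0 drwx------
/home/sftpuser/user1 500 drwxr-xr-x'
SAMPLE_GOOD='/ 0 drwxr-xr-x
/home 0 drwxr-xr-x
/home/user1 0 drwxr-xr-x'
judge_bad()  { printf '%s\n' "$SAMPLE_BAD"  | judge_components; }
judge_good() { printf '%s\n' "$SAMPLE_GOOD" | judge_components; }
judge_good && echo "post #15 layout: sshd would accept"; judge_bad || echo "post #12 layout: sshd would refuse"
```

The writable upload subdirectory owned by the user sits below the jail and is not part of the checked path, which is why the root-owned jail plus user-owned upload directory is the layout that passes.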
 
Old 09-19-2012, 01:55 PM   #15
CHIadam
Ok I think I may have gotten somewhere:

[root@X home]# chown root:root /home
[root@X home]# chmod 755 /home
[root@X home]# useradd user1
[root@X home]# usermod -g sftponly user1
[root@X home]# usermod -s /bin/false user1
[root@X home]# usermod -d /home/user1 user1
usermod: no changes
passwd: all authentication tokens updated successfully.
[root@X home]# chmod 755 /home/user1
[root@X home]# chown root:root /home/user1
[root@X home]# mkdir /home/user1/upload
[root@X home]# chown user1:sftponly /home/user1/upload


Match Group sftponly
ChrootDirectory /home/%u
AllowTCPForwarding no
ForceCommand internal-sftp

[root@X home]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]


However, when I sftp from another box I get this:
sftp> lpwd
Local working directory: /root
This is confusing too.. it let me list the /root contents
sftp> lls
anaconda-ks.cfg install.log.syslog
IBM_Informix_Software_Bundle_InstallLog.log multicast-listener-v2

Then when I do this, I get this!:
sftp> ls -l
drwxr-xr-x 2 500 503 4096 Sep 19 13:26 upload
sftp>

Filezilla brings me right into the upload folder, which I can't upload a test.txt file to due to a permissions error.. I can sort that out.. however, what's with the sftp saying my local working directory is /root.. is that because it's actually /user1 but chroot? I'm not supposed to be able to list /root's contents though.. anyone have a better approach to this? I feel like I'm close.
 
  

