I have compiled and installed OpenSSH 5.3 on my CentOS 5.3 server following these instructions:
http://binblog.info/2009/02/27/packa...ssh-on-centos/
However, I cannot seem to get ChrootDirectory to work properly.
I followed the directions I found here:
http://www.debian-administration.org/articles/590
I can connect via SFTP but once connected I can't do anything:
computer:~ user$ sftp test2@172.16.16.121
Connecting to 172.16.16.121...
test2@172.16.16.121's password:
sftp> ls
Couldn't get handle: Permission denied
sftp> cd download
Couldn't canonicalise: Permission denied
sftp> put test.txt
Uploading test.txt to /test.txt
Couldn't get handle: Permission denied
Here are my users settings:
[root@sftp ~]# more /etc/passwd |grep test2
test2:x:504:502::/:/bin/bash
[root@sftp ~]# more /etc/group |grep test2
sftponly:x:502:integra_prod,test2
Here are my settings in /etc/ssh/sshd_config:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL1 -l INFO
Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory /chroot/disk2/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Here are the permissions of the folder
drwx------ 3 root root 4096 Jan 6 04:14 chroot
drwx------ 5 root root 4096 Jan 6 11:08 disk2
drwx------ 3 root root 4096 Jan 6 11:11 test2
Now I have found people saying it is a permissions issue, as root has to own the folder.
So I created a folder 'download' and gave test2.sftponly 770 permission on the folder:
[root@sftp]# ls -la /chroot/disk2/test2/
total 12
drwxr-x--- 3 root root 4096 Jan 6 15:44 .
drwxr-x--- 5 root root 4096 Jan 6 11:08 ..
drwxrwx--- 2 test2 sftponly 4096 Jan 6 11:49 download
Changed the user profile to use the /download directory:
test2:x:504:502::/download:/bin/bash
Restarted sshd for good measure but it still doesn't work:
sftp> ls
Couldn't get handle: Permission denied
sftp> pwd
Remote working directory: /
sftp> cd download
Couldn't canonicalise: Permission denied
It didn't go to the home directory? So I changed the user home to:
[root@sftp_prod_01 test2]# more /etc/passwd|grep test2
test2:x:504:502::/chroot/disk2/test2/download:/bin/bash
Restarted sshd for good measure and it still doesn't work:
sftp> pwd
Remote working directory: /
sftp> ls
Couldn't get handle: Permission denied
sftp> cd download
Couldn't canonicalise: Permission denied
It still doesn't go to the download directory? I don't know how to proceed with troubleshooting this at this point.
Any ideas?
Here is some additional information in case it helps.
SELinux is disabled:
[root@sftp]# ls -la /selinux/
total 16
drwxr-xr-x 2 root root 4096 Jan 5 06:34 .
drwxr-xr-x 26 root root 4096 Jan 6 10:32 ..
If it is any help, here is what it says in my /var/log/secure:
Jan 7 09:40:10 sftp sshd[15807]: Server listening on :: port 22.
Jan 7 09:40:10 sftp sshd[15807]: Server listening on 0.0.0.0 port 22.
Jan 7 09:40:15 sftp sshd[15604]: pam_unix(sshd:session): session closed for user test2
Jan 7 09:40:18 sftp sshd[15824]: Accepted password for test2 from 192.168.1.212 port 60889 ssh2
Jan 7 09:40:18 sftp sshd[15824]: pam_unix(sshd:session): session opened for user test2 by (uid=0)
Jan 7 09:40:18 sftp sshd[15826]: subsystem request for sftp
Jan 7 09:41:13 sftp sshd[15824]: pam_unix(sshd:session): session closed for user test2
And just so you have all the information: if I connect as a user I don't want chrooted, and who is not in the sftponly group, it works fine:
brit@linuxdevel:~> sftp brit@172.16.16.121
Connecting to 172.16.16.121...
brit@172.16.16.121's password:
sftp> ls
Desktop
sftp> pwd
Remote working directory: /home/brit
sftp> put test.txt
Uploading test.txt to /home/brittonv/test.txt
test.txt
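The following script is an added example and is not part of the original post or of OpenSSH. It audits a ChrootDirectory target the way sshd checks it before chrooting (every component from / down must be owned by root and not group- or world-writable), adds the check sshd does not make for you (the chroot directory itself becomes the user's "/", so the sftp user needs read and search permission on it), and shows where a session lands given the passwd home: after chroot(), sshd chdir()s to the home path as seen from inside the chroot, and if it does not exist there the session stays in "/". It assumes GNU coreutils stat (Linux); the function names and the sample paths in the usage line are the author's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ChrootDirectory path
# and resolve the user's starting directory inside the chroot.
# Assumes GNU stat (Linux) for `stat -c '%u %a'`.

# mode_digit MODE N : print the Nth-from-last octal digit of MODE
# (1 = other, 2 = group, 3 = user). Works on "755" and "1777" alike.
mode_digit() {
    m=$1
    i=$2
    while [ "$i" -gt 1 ]; do
        m=${m%?}
        i=$((i - 1))
    done
    echo "${m#"${m%?}"}"
}

# check_component PATH IS_CHROOT_ROOT
# Prints one line per violation and returns 1 if any were found.
# IS_CHROOT_ROOT=1 marks the final component, i.e. the directory that
# becomes "/" for the chrooted user.
check_component() {
    p=$1
    is_chroot_root=$2
    st=$(stat -c '%u %a' "$p") || return 1
    uid=${st% *}
    mode=${st#* }
    other=$(mode_digit "$mode" 1)
    group=$(mode_digit "$mode" 2)
    bad=0
    [ "$uid" = 0 ] || { echo "$p: owned by uid $uid; sshd requires root ownership"; bad=1; }
    [ $((group & 2)) -eq 0 ] || { echo "$p: group-writable (mode $mode); sshd refuses to chroot"; bad=1; }
    [ $((other & 2)) -eq 0 ] || { echo "$p: world-writable (mode $mode); sshd refuses to chroot"; bad=1; }
    if [ "$is_chroot_root" = 1 ]; then
        # root:root with 700 or 750 passes sshd's own check but gives the
        # sftp user no access to its own "/": ls fails with Permission denied.
        [ $((other & 5)) -eq 5 ] || { echo "$p: mode $mode gives the chrooted user neither read nor search access; use 755 (or r-x for the user's group)"; bad=1; }
    fi
    return $bad
}

# check_chroot_path DIR : walk every component from / down to DIR.
check_chroot_path() {
    dir=$1
    rc=0
    check_component / 0 || rc=1
    path=""
    rest=${dir#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        if [ "$comp" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
        [ -n "$comp" ] || continue
        path="$path/$comp"
        if [ -z "$rest" ]; then final=1; else final=0; fi
        check_component "$path" "$final" || rc=1
    done
    return $rc
}

# home_inside_chroot CHROOT HOME : print the directory the session starts in.
# The passwd home is interpreted relative to the chroot; a home that only
# exists outside the chroot (e.g. /chroot/disk2/test2/download) resolves to
# a non-existent path inside it, so sshd stays in "/".
home_inside_chroot() {
    chroot=$1
    home=$2
    if [ -d "$chroot/$home" ]; then
        echo "$home"
    else
        echo "/"
    fi
}

# Usage: sh check_chroot.sh /chroot/disk2/test2 /download
if [ $# -ge 1 ]; then
    check_chroot_path "$1" && echo "$1: acceptable to sshd"
    [ $# -ge 2 ] && echo "session will start in: $(home_inside_chroot "$1" "$2")"
fi
```

Run against the tree shown in the question, the walk accepts /chroot, /chroot/disk2 and /chroot/disk2/test2 (root-owned, no group or world write), but flags the final component: drwxr-x--- root root gives test2, whose group is sftponly, no read or search permission on the directory that is its "/", which is the "Couldn't get handle: Permission denied" on ls. The second function shows why the session starts in / in both attempts: /chroot/disk2/test2/download does not exist inside the chroot, while a passwd home of /download would.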