LinuxQuestions.org
Old 06-27-2010, 01:22 PM   #1
lfitz
LQ Newbie
 
Registered: Jun 2010
Posts: 2

Rep: Reputation: 0
Question OpenSSH_5.1p1 Debian-5 Match User & ChrootDirectory doesn't chroot()!


Hello, I'll get right to the question I have:
Code:
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
with /etc/ssh/sshd_config configured as:
Code:
AcceptEnv LANG LC_*
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UsePAM yes

Subsystem sftp internal-sftp

Match User '!my_user' Group sftpusers
	ChrootDirectory /home/%u
	ForceCommand internal-sftp

Match Address local-ip User my_user
	ChrootDirectory None
	X11Forwarding yes
	AllowTcpForwarding yes
	ForceCommand /bin/bash

Match User my_user
	ForceCommand /bin/bash
	X11Forwarding yes
	AllowTcpForwarding yes
	ChrootDirectory None
I have tried:
Code:
Match User '!my_user' Group sftpusers
        ForceCommand internal-sftp
        ChrootDirectory %h
and I can still access folders above the home directory when I log in from my mobile (AndFTP 1.6 for Android) or from FileZilla on the local network.

Here are the permissions and owners:groups of the folders I am using.

user: johndoe
group: sftpusers
mount home: /home/johndoe
actual home: /srv/ftproot/users/johndoe

mounted with:
Code:
mount --bind /srv/ftproot/users/johndoe /home/johndoe
Code:
ls -l /srv/ftproot/users
outputs:
Code:
drwxr-xr-x 2 johndoe sftpusers 4096 2010-06-27 10:30 johndoe
So basically, I have a group 'sftpusers' and user 'johndoe' which should match against a conditional Match User / Group statement in sshd_config. I run /etc/init.d/ssh restart each time I modify the config; however, I am still able to access parent directories.

I can post more info if requested; this is all I can think of as necessary.

Here's a link to the sshd_config manpage: http://www.manpagez.com/man/5/sshd_config/ for those who want to read more.

In short... neither ChrootDirectory /home/%u nor ChrootDirectory %h will chroot() to the home directory!
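Added example (not code from the post or from OpenSSH): sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not group- or world-writable, and the directory in this thread is owned by johndoe. The checker below walks a path component by component and applies those rules; the sample tree, uid 1000 and the /srv/ftproot/jail path are constructed for the demonstration.

```python
"""Check a ChrootDirectory path against the ownership/mode rules in sshd_config(5)."""
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace

# sshd rejects a chroot target if any path component is writable by group or others.
BAD_BITS = stat.S_IWGRP | stat.S_IWOTH


def check_chroot_path(path, lstat=os.lstat):
    """Return a list of problems (empty when the path is acceptable to sshd).

    `lstat` may be swapped for any callable returning objects with st_uid/st_mode,
    which lets the rules be exercised on a constructed tree without root privileges.
    """
    p = PurePosixPath(path)
    if not p.is_absolute():
        return [f"{path}: ChrootDirectory must be an absolute path"]
    problems = []
    # Examine "/", then "/home", then "/home/johndoe", ... so every component is checked.
    for i in range(1, len(p.parts) + 1):
        prefix = str(PurePosixPath(*p.parts[:i]))
        try:
            st = lstat(prefix)
        except OSError as e:
            problems.append(f"{prefix}: cannot stat ({e.strerror})")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{prefix}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{prefix}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & BAD_BITS:
            problems.append(f"{prefix}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable")
    return problems


# Constructed sample tree: path -> (uid, st_mode). /home/johndoe mirrors the thread
# (owned by the user, drwxr-xr-x); the jail and shared entries are hypothetical.
SAMPLE_TREE = {
    "/": (0, 0o40755),
    "/home": (0, 0o40755),
    "/home/johndoe": (1000, 0o40755),
    "/srv": (0, 0o40755),
    "/srv/ftproot": (0, 0o40755),
    "/srv/ftproot/jail": (0, 0o40755),
    "/srv/ftproot/shared": (0, 0o40775),
}


def fake_lstat(path):
    """Stand-in for os.lstat that answers from SAMPLE_TREE."""
    if path not in SAMPLE_TREE:
        raise FileNotFoundError(2, "No such file or directory", path)
    uid, mode = SAMPLE_TREE[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)
```

Run `check_chroot_path("/home/johndoe")` on the live system to check the real directory; the user-owned home in the sample tree is reported, while the root-owned jail passes.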