Need some help chrooting SFTP-only user access
I need to give access to a folder to a user who needs to work with Wordpress sites over SFTP.
What I would like to do is to make sure that:
He cannot run SSH, just SFTP
He cannot see anything from the filesystem other than /home/userdir
From what I read this is exactly chrooting, however I have a few problems setting it up. I am on Debian 6 with Dropbear as SSH daemon.
A few questions:
1. Originally my sftp subsystem was set up like this in /etc/ssh/sshd_config:
Subsystem sftp /usr/lib/openssh/sftp-server -u 0007
now in most tutorials it says that I have to change it to:
Subsystem sftp internal-sftp
Is this correct? Doesn't internal-sftp mean dropbear in my case? Should I change to openssh for chrooted SFTP accounts?
2. Some tutorials ask to disable the user's shell with usermod -s /bin/false someuser. However, when I do this, it disables SFTP as well. Is this normal?
3. Finally, tutorials usually note the following lines in sshd_config for the actual chrooting, or something similar:
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
However this had no effect for me. Is this because I'm using Dropbear?
Can someone tell me which are the proper steps to restrict to SFTP-only + home directory only access on Debian 6?
Comments
For SSH: like you thought.
3. I have yet to find a way of properly chrooting SFTP with Dropbear, so I'm starting to believe it is not possible at the moment.
ad 2) Yes, setting the user's shell to /bin/false disables SFTP as well. You should use (and trust) the ForceCommand directive, which will disallow any interactive SSH session. Or, to add an extra layer of security, you can use something like sftpsh (adjust the SFTP_BINARY path, compile, add it to /etc/shells and set it as the user's shell).
Setting the shell to
works fine too, and you can probably assign /dev/nologin too, as you're forcing sftp anyway.
Thanks a lot for the tips.
1. With Dropbear many of the variables had no effect, so I purged dropbear, purged openssh-server and reinstalled openssh-server. Now at least all the commands have a clear effect.
2. I like the usermod -a -G sftp testuser way of adding users to an sftp-only group. This concept is clear to me.
3. With the help from here, and also from the git version of minstall, I made this config file:
However, the problem is that this way I cannot log in even with SFTP.
Here is what I get with SFTP:
And what I get with SSH:
Why does it happen? Am I missing some packages?
Change the subsystem sftp to:
Subsystem sftp internal-sftp
You can see the manual here: www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
The sections of interest are ChrootDirectory and ForceCommand.
I changed it to
Subsystem sftp internal-sftp
but there is no difference. I just simply get
Write failed: Broken pipe
This is my config now:
And /sftp is set up by
chown root:sftp /sftp
What else can be the problem?
As @Frost mentioned, you don't need to alter the Subsystem line. Not sure why it's not working for you.
chmod 755 /sftp
If that fails... change the sftp group to a different name, to avoid naming conflicts.
I changed the group, as well as Subsystem, but still no luck.
Now I have sftpusers,
chown root:sftpusers /sftp
and
chmod 755 /sftp
and still get this connection closed. Also in /var/log/auth.log everything seems fine.
Strange.
I don't know if this is actually true, but apparently password authentication needs to be enabled for sftp to work?
Also, compare between the CLI client and the GUI client gftp set to SSH2, to be double sure. Otherwise, clueless.
It must be something within the match group, since with root I can easily SFTP in. What do you mean "password authentication needs to be enabled"? I am trying to log in using password, not SSH keys. Is there anything with UsePAM or ChallengeResponseAuthentication which might be bad?
If you comment out the ChrootDirectory line, can you get in?
The same.
As ChrootDirectory is not the problem, I would suggest adding a new user and testing at each step, to see where things go wrong. If a non-root user can't get in at all, you may want to revert to the default configuration for OpenSSH.
You can enable sshd debugging by running the daemon with -d on a new port and connecting to that instead. For example:
/usr/sbin/sshd -d -p 2233
Try installing jailkit: http://olivier.sessink.nl/jailkit/jailkit.8.html
That's the problem. I use that config with WordPress too, but you need to use a proper sshd first.
About "He cannot see anything from the filesystem other than /home/userdir":
Don't forget to set your PHP security with
[HOST=www.yourusersite.com]
open_basedir="/home/your-user/www.yourusersite.com"
and verify that /home/your-user/ is owned by root and chmod 755, and don't forget to set the sticky bit if you still want the WordPress editor to be able to modify template files etc.
So basically you need to:
What about rssh?
@colm, thanks a lot for the debug line. Here is what's been logged after connection. I have no idea what is wrong, everything seems OK to me!
I think the bad part is somewhere along:
Why does it send a SIGCHLD?
Well, IMHO I would prefer FTPS (FTP with SSL) to SFTP for such a need. But that config also takes a lot of pain.
@zsero, why don't you just do what I said? That config works. Did you verify the user root directory ownership and permissions?