Re: Chrooted sftp setup accessible with psftp, but not sftp

2009/7/22 Richard L Ross <rross@xxxxxxxxxx>:
> Your sshd_config is set up correctly, but "user" home directory in
> /etc/passwd is pointing to the chroot'ed directory .. If you create a new
> home directory under /home/user/home and vi /etc/passwd to change the home
> directory to just "/home" it should work (Once ssh sets up the chrooted
> environment, it will cd to the home directory inside of the chroot). Make
> sure that "user" is the owner of /home/user/home and make sure you "vi"
> /etc/passwd to make the change to the home directory.
>
> I usually set up additional directories under /home/$userid/home to have the
> user place their data .. then set the guid bit to have an admin type be able
> to retrieve the file.
>
> This is the normal flow I would use:
>
> mkdir /home/$userid/home
> chown root:root /home/$userid
> chown $userid:$group-admin /home/$userid/home/
> vi /etc/passwd to change the home directory to /home and shell to /bin/false

Thanks for the hints, I'm on the right track.

Sadly, your setup doesn't work perfectly: for one thing, changing the
user's homedir to /home means that OpenSSH looks for the
authorized_keys file in /home/.ssh in the root filesystem! I suppose
this would be less of an issue (or not an issue at all) if you used
password auth, but I can't.

What did work was this:
* Unchanged sshd_config
* User's home directory is /home/user (in /etc/passwd)
* chown root:root /home/user
* mkdir -p /home/user/usr/lib/openssh/
* cp /usr/lib/openssh/sftp-server /home/user/usr/lib/openssh/sftp-server

When you authenticate you appear chrooted in /home/user. The obvious
problem is that the user's homedir isn't writeable by them, so you
have to pre-populate subdirectories.

I'm still confused on several points though:
1. Why do I need to copy sftp-server into the chroot? The
sshd_config(5) entry for ChrootDirectory states: "For file transfer
sessions using ``sftp'', no additional configuration of the
environment is necessary if the in-process sftp server is used (see
Subsystem for details)."
1b. Are /usr/lib/openssh/sftp-server and internal-sftp different names
for the same thing?
2. Does the method I worked out above have any security issues?
3. Is there any way I can use ChrootDirectory with a user-writable
home directory?

Thanks,
AJ