2009/7/22 Richard L Ross <rross@xxxxxxxxxx>:
> Your sshd_config is set up correctly, but "user" home directory in
> /etc/passwd is pointing to the chroot'ed directory .. If you create a new
> home directory under /home/user/home and vi /etc/passwd to change the home
> directory to just "/home" it should work (Once ssh sets up the chrooted
> environment, it will cd to the home directory inside of the chroot) Make
> sure that "user" is the owner of /home/user/home and make sure you "vi"
> /etc/passwd to make the change to the home directory
>
> I usually set up additional directories under /home/$userid/home to have the
> user place their data .. then set the setgid bit to have an admin type be able
> to retrieve the file
>
> This is the normal flow I would use:
>
> mkdir /home/$userid/home
> chown root:root /home/$userid
> chown $userid:$group-admin /home/$userid/home/
> vi /etc/passwd to change the home directory to /home and shell to /bin/false

Thanks for the hints, I'm on the right track. Sadly your setup doesn't work
perfectly: for one thing, changing the user's homedir to /home means that
OpenSSH looks for the authorized_keys file in /home/.ssh in the root
filesystem! I suppose this would be less of/not an issue if you used
password auth, but I can't.

What did work was this:

* Unchanged sshd_config
* User's home directory is /home/user (in /etc/passwd)
* chown root:root /home/user
* mkdir -p /home/user/usr/lib/openssh/
* cp /usr/lib/openssh/sftp-server /home/user/usr/lib/openssh/sftp-server

When you authenticate you appear chrooted in /home/user. The obvious
problem is that the user's homedir isn't writeable by them, so you have to
pre-populate subdirectories.

I'm still confused on several points though:

1. Why do I need to copy sftp-server into the chroot? The sshd_config(5)
   entry for ChrootDirectory states: "For file transfer sessions using
   ``sftp'', no additional configuration of the environment is necessary if
   the in-process sftp server is used (see Subsystem for details)."

1b. Are /usr/lib/openssh/sftp-server and internal-sftp different names for
    the same thing?

2. Does the method I worked out above have any security issues?

3. Is there any way I can use ChrootDirectory with a user-writable home
   directory?

Thanks,
AJ
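An added example, not part of the thread: a POSIX shell check for the ownership and permission rule that sshd applies to a ChrootDirectory and every parent of it (root-owned, not group- or world-writable), which is what the "chown root:root" steps above satisfy and why the top-level home cannot simply be handed to the user. The function names and the sample directory are my own; the walker relies on GNU stat -c.

```shell
#!/bin/sh
# Added example (not from the thread). sshd refuses a ChrootDirectory unless
# the directory and all of its ancestors are owned by root and are not
# writable by group or other. A user-owned subdirectory *inside* the chroot
# (like /home/$userid/home in the quoted reply) is fine.

# component_ok UID MODE -> 0 if UID is root and MODE (octal text as printed
# by stat, e.g. 755 or 1777) has neither the group- nor the other-write bit.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    perm=$((0$2))                  # leading 0 makes the shell parse it as octal
    [ $((perm & 022)) -eq 0 ]      # 022 = group-write | other-write
}

# check_chroot_path DIR -> 0 if DIR and every ancestor up to / pass,
# 1 otherwise. Prints one line per path component so the offender is visible.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such dir: $1"; return 1; }
    status=0
    while :; do
        set -- $(stat -c '%u %a' "$dir") || return 1   # uid and octal mode
        if component_ok "$1" "$2"; then
            echo "ok   $dir"
        else
            echo "BAD  $dir (uid=$1 mode=$2)"
            status=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $status
}

# Constructed demonstration: a world-writable temporary directory must fail,
# whoever owns it, because sshd would reject it as a chroot root.
demo_dir=$(mktemp -d)
chmod 777 "$demo_dir"
check_chroot_path "$demo_dir" || echo "rejected as a ChrootDirectory: $demo_dir"
rmdir "$demo_dir"
```

Run it as root against the real path (e.g. `check_chroot_path /home/user`) before restarting sshd; a BAD line names the component to chown or chmod.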