User can't use SFTP after chroot
Jeroen Beckers
dauntless at dauntless.be
Mon Oct 1 21:33:21 EST 2012
No, it's owned by root:root and not writable for anyone else:
$ ls -la /home
drwxr-xr-x 10 root root 4096 Sep 30 18:03 .
drwxr-xr-x 22 root root 4096 Sep 23 16:10 ..
drwxr-xr-x 11 root root 4096 Sep 23 16:12 sam
On Mon, Oct 1, 2012 at 2:25 AM, Bostjan Skufca <bostjan at a2o.si> wrote:
> Do you chroot to a directory which is writtable by non-root? Or any of it's
> parents all the way up to the root (/)? If so, chroot (and connection) will
> fail.
>
> b.
>
>
>
> On 1 October 2012 00:30, Jeroen Beckers <dauntless at dauntless.be> wrote:
>
>> Hi,
>>
>> I've posted this question on ServerFault, but no answer has been found
>> (http://serverfault.com/questions/431329/user-cant-sftp-after-chroot).
>> I have version 1:5.3p1-3ubuntu7
>>
>> To sum up: I want to chroot the user sam. Things I have done:
>> - add user 'sam' to group 'users'
>> - added Subsystem sftp internal-sftp to /etc/ssh/sshd_config (at the
>> bottom)
>> - added a Match :
>>
>> --
>> Match group users
>> ChrootDirectory %h
>> ForceCommand internal-sftp
>> AllowTcpForwarding no
>> --
>>
>> - changed permission of /home to be owned by root:root and not
>> writable by anyone else
>> - restarted ssh
>>
>> When I try to sftp with sam, I get this:
>> --
>> $ sftp sam at localhost
>> Connecting to localhost...
>> sam at localhost's password:
>> Couldn't read packet: Connection reset by peer
>> --
>>
>> If I remove sam from the users group, he can SFTP fine, but isn't chrooted.
>>
>> Using -vvv, I get the following:
>>
>> -----
>> sam at localhost's password:
>> debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64)
>> debug2: we sent a password packet, wait for reply
>> debug3: Wrote 144 bytes for a total of 1639
>> debug1: Authentication succeeded (password).
>> debug2: fd 4 setting O_NONBLOCK
>> debug3: fd 5 is O_NONBLOCK
>> debug1: channel 0: new [client-session]
>> debug3: ssh_session2_open: channel_new: 0
>> debug2: channel 0: send open
>> debug1: Requesting no-more-sessions at openssh.com
>> debug1: Entering interactive session.
>> debug3: Wrote 128 bytes for a total of 1767
>> debug2: callback start
>> debug2: client_session2_setup: id 0
>> debug1: Sending environment.
>> debug3: Ignored env TERM
>> debug3: Ignored env SHELL
>> debug3: Ignored env SSH_CLIENT
>> debug3: Ignored env SSH_TTY
>> debug3: Ignored env USER
>> debug3: Ignored env LS_COLORS
>> debug3: Ignored env MAIL
>> debug3: Ignored env PATH
>> debug3: Ignored env PWD
>> debug3: Ignored env SHLVL
>> debug3: Ignored env HOME
>> debug3: Ignored env LOGNAME
>> debug3: Ignored env SSH_CONNECTION
>> debug3: Ignored env LESSOPEN
>> debug3: Ignored env LESSCLOSE
>> debug3: Ignored env _
>> debug1: Sending subsystem: sftp
>> debug2: channel 0: request subsystem confirm 1
>> debug2: fd 3 setting TCP_NODELAY
>> debug2: callback done
>> debug2: channel 0: open confirm rwindow 0 rmax 32768
>> debug3: Wrote 64 bytes for a total of 1831
>> debug2: channel 0: rcvd adjust 2097152
>> debug2: channel_input_status_confirm: type 99 id 0
>> debug2: subsystem request accepted on channel 0
>> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
>> debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
>> debug2: channel 0: rcvd eow
>> debug2: channel 0: close_read
>> debug2: channel 0: input open -> closed
>> debug2: channel 0: rcvd eof
>> debug2: channel 0: output open -> drain
>> debug2: channel 0: obuf empty
>> debug2: channel 0: close_write
>> debug2: channel 0: output drain -> closed
>> debug2: channel 0: rcvd close
>> debug3: channel 0: will not send data after close
>> debug2: channel 0: almost dead
>> debug2: channel 0: gc: notify user
>> debug2: channel 0: gc: user detached
>> debug2: channel 0: send close
>> debug2: channel 0: is dead
>> debug2: channel 0: garbage collecting
>> debug1: channel 0: free: client-session, nchannels 1
>> debug3: channel 0: status: The following connections are open:
>> #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
>>
>> debug3: channel 0: close_fds r -1 w -1 e 6 c -1
>> debug3: Wrote 32 bytes for a total of 1863
>> debug3: Wrote 64 bytes for a total of 1927
>> debug1: fd 0 clearing O_NONBLOCK
>> debug3: fd 1 is not O_NONBLOCK
>> Transferred: sent 1744, received 2008 bytes, in 0.0 seconds
>> Bytes per second: sent 627347.0, received 722312.4
>> debug1: Exit status 1
>> Couldn't read packet: Connection reset by peer
>> ------
>>
>> And if I change LogLevel to DEBUG2, I get this in /var/log/auth.log:
>>
>> ------
>> ct 1 00:28:27 163-73-23 sshd[17728]: Accepted password for sam from
>> 127.0.0.1 port 36128 ssh2
>> Oct 1 00:28:27 163-73-23 sshd[17728]: debug1: monitor_child_preauth:
>> sam has been authenticated by privileged process
>> Oct 1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
>> Oct 1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
>> Oct 1 00:28:27 163-73-23 sshd[17731]: debug1: SELinux support disabled
>> Oct 1 00:28:27 163-73-23 sshd[17728]: User child is on pid 17731
>> Oct 1 00:28:27 163-73-23 sshd[17728]: debug1: do_cleanup
>> ------
>>
>> What is going wrong? What else can I give you to troubleshoot?
>>
>> Thanks!
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list