sftp session disconnects right after passwd enter

Nico Kadel-Garcia nkadel at gmail.com
Tue Jun 3 11:40:16 EST 2014


On Mon, Jun 2, 2014 at 7:17 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 2 Jun 2014, Nico Kadel-Garcia wrote:
>
>> Unfortunately, I also find the restrictions for SFTP to be burdensome.
>> To set up multiple chroot cages for multiple users, one has to either
>> make user specific sshd_config settings
>
> that's incorrect
>
> mkdir -p /chroot/user_a/sftp /chroot/user_b/sftp
> chown user_a /chroot/user_a/sftp ; chown user_b /chroot/user_b/sftp
>
> and in sshd_config:
>
> ChrootDirectory /chroot/%u
> Subsystem sftp internal-sftp -d /sftp

Interesting, but it's certainly not in any of the documentation in
the default OpenSSH for RHEL 6 or CentOS 6 which is still at OpenSSH
5.3p1. And it doesn't seem to work on that version. Building and
maintaining a backported OpenSSH system is a lot of work. I've done it
repeatedly, since my first work with SSH version 1 in 1996, and I
don't recommend it for the faint of heart or those without compelling
needs.

I'm also afraid that your command line arguments are vulnerable to
problems with individually set local 'umask' settings. I'd instead be
sure to set the permissions as clearly as possible. Using the Gnu
coreutils based "install" command, I would use:

    id -u user_a && id -g user_a && \
        install -d /chroot/user_a -m 0755 -o root -g root && \
        install -d /chroot/user_a/sftp -m 0700 -o user_a -g user_a

    id -u user_b && id -g user_b && \
        install -d /chroot/user_b -m 0755 -o root -g root && \
        install -d /chroot/user_b/sftp -m 0700 -o user_b -g user_b

And if scripting it, I'd make it report error conditions more
intelligently. I actually just went through this with a test SFTP
server.

I'll look forward to a more recent version of OpenSSH that has the
"-d" option for the "Subsystem sftp internal-sftp" settings.

