User can't use SFTP after chroot

Jeroen Beckers dauntless at dauntless.be
Mon Oct 1 08:30:22 EST 2012


Hi,

I've posted this question on ServerFault, but no answer has been found
(http://serverfault.com/questions/431329/user-cant-sftp-after-chroot).
I have version 1:5.3p1-3ubuntu7

To sum up: I want to chroot the user sam. Things I have done:
- added user 'sam' to group 'users'
- added Subsystem sftp internal-sftp to /etc/ssh/sshd_config (at the bottom)
- added a Match block:

--
Match group users
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
--

- changed the permissions of /home so it is owned by root:root and not writable by anyone else
- restarted ssh

When I try to sftp with sam, I get this:
--
$ sftp sam@localhost
Connecting to localhost...
sam@localhost's password:
Couldn't read packet: Connection reset by peer
--

If I remove sam from the users group, he can SFTP fine, but isn't chrooted.

Using -vvv, I get the following:

-----
sam@localhost's password:
debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1639
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug3: Wrote 128 bytes for a total of 1767
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SSH_TTY
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSOPEN
debug3: Ignored env LESSCLOSE
debug3: Ignored env _
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: Wrote 64 bytes for a total of 1831
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

debug3: channel 0: close_fds r -1 w -1 e 6 c -1
debug3: Wrote 32 bytes for a total of 1863
debug3: Wrote 64 bytes for a total of 1927
debug1: fd 0 clearing O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
Transferred: sent 1744, received 2008 bytes, in 0.0 seconds
Bytes per second: sent 627347.0, received 722312.4
debug1: Exit status 1
Couldn't read packet: Connection reset by peer
------

And if I change LogLevel to DEBUG2, I get this in /var/log/auth.log:

------
Oct  1 00:28:27 163-73-23 sshd[17728]: Accepted password for sam from 127.0.0.1 port 36128 ssh2
Oct  1 00:28:27 163-73-23 sshd[17728]: debug1: monitor_child_preauth: sam has been authenticated by privileged process
Oct  1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
Oct  1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
Oct  1 00:28:27 163-73-23 sshd[17731]: debug1: SELinux support disabled
Oct  1 00:28:27 163-73-23 sshd[17728]: User child is on pid 17731
Oct  1 00:28:27 163-73-23 sshd[17728]: debug1: do_cleanup
------

What is going wrong? What else can I give you to troubleshoot?

Thanks!
