[GUIDE] SFTP Selective remote folder access to certain users

subzero79 · 4. November 2015

This a thread for questions and answers for this guide

SlashOpt · 4. November 2015

Hi subzero79,

thanks for the guide, very interesting!

One remark: in the section "is important that this two folders are owned by root and no one else has write access" line 1 should read "chown root:root /sftp/{user1,user2}", shouldn't it?

Regards

subzero79 · 4. November 2015

Yes, that's correct. Thanks for noticing that. I just edited

gderf · 10. Januar 2016

Does this still work? I have been using a similar setup for quite some time on OMV and it stopped working recently. It throws this error when logging in:

Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

I have double checked the ownership and permissions on the folders.

subzero79 · 10. Januar 2016

Could be a permission/ownership issue in the chroot.
Try to get the client more verbose -vvvv

gderf · 10. Januar 2016

Code

fred@omv:~$ sftp -vvv hork@localhost
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/fred/.ssh/id_rsa type -1
debug1: identity file /home/fred/.ssh/id_rsa-cert type -1
debug1: identity file /home/fred/.ssh/id_dsa type -1
debug1: identity file /home/fred/.ssh/id_dsa-cert type -1
debug1: identity file /home/fred/.ssh/id_ecdsa type -1
debug1: identity file /home/fred/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "localhost" from file "/home/fred/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/fred/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email=ssh-rsa-cert-v01@openssh.com]ssh-rsa-cert-v01@openssh.com[/email],ssh-[email=rsa-cert-v00@openssh.com]rsa-cert-v00@openssh.com[/email],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email=ssh-rsa-cert-v01@openssh.com]ssh-rsa-cert-v01@openssh.com[/email],ssh-[email=rsa-cert-v00@openssh.com]rsa-cert-v00@openssh.com[/email],ssh-rsa,ecdsa-[email=sha2-nistp256-cert-v01@openssh.com]sha2-nistp256-cert-v01@openssh.com[/email],ecdsa-[email=sha2-nistp384-cert-v01@openssh.com]sha2-nistp384-cert-v01@openssh.com[/email],ecdsa-[email=sha2-nistp521-cert-v01@openssh.com]sha2-nistp521-cert-v01@openssh.com[/email],ssh-[email=dss-cert-v01@openssh.com]dss-cert-v01@openssh.com[/email],ssh-[email=dss-cert-v00@openssh.com]dss-cert-v00@openssh.com[/email],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-[email=cbc@lysator.liu.se]cbc@lysator.liu.se[/email]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-[email=cbc@lysator.liu.se]cbc@lysator.liu.se[/email]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-[email=64@openssh.com]64@openssh.com[/email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-[email=ripemd160@openssh.com]ripemd160@openssh.com[/email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-[email=64@openssh.com]64@openssh.com[/email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-[email=ripemd160@openssh.com]ripemd160@openssh.com[/email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-[email=cbc@lysator.liu.se]cbc@lysator.liu.se[/email]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-[email=cbc@lysator.liu.se]cbc@lysator.liu.se[/email]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-[email=64@openssh.com]64@openssh.com[/email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-[email=ripemd160@openssh.com]ripemd160@openssh.com[/email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-[email=64@openssh.com]64@openssh.com[/email],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-[email=ripemd160@openssh.com]ripemd160@openssh.com[/email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 54:24:ee:e1:85:1f:48:bc:5e:1f:3f:f1:91:1d:b8:b4
debug3: load_hostkeys: loading entries for host "localhost" from file "/home/fred/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/fred/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/fred/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/fred/.ssh/id_rsa ((nil))
debug2: key: /home/fred/.ssh/id_dsa ((nil))
debug2: key: /home/fred/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/fred/.ssh/id_rsa
debug3: no such identity: /home/fred/.ssh/id_rsa
debug1: Trying private key: /home/fred/.ssh/id_dsa
debug3: no such identity: /home/fred/.ssh/id_dsa
debug1: Trying private key: /home/fred/.ssh/id_ecdsa
debug3: no such identity: /home/fred/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
hork@localhost's password: 
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to localhost ([127.0.0.1]:22).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email=no-more-sessions@openssh.com]no-more-sessions@openssh.com[/email]
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
fred@omv:~$

Alles anzeigen

subzero79 · 10. Januar 2016

Then check permissions in the chroot and make sure users are in group you've defined for the chroot.

gderf · 11. Januar 2016

Permissions, ownerships, and all that are correct. I didn't change anything here. The last time it worked (and was logged) was Dec 26, 2015. There may have been some updates since then, but I don't track them.

I'll do a quick fresh install to spare media and try to get this working there, the do any updates and see if it breaks.

subzero79 · 11. Januar 2016

Well i don't know then, could be that you did not disable sftp-server via env vars, you edited manually sshd_config.

Go through the guide again check your sshd_config

gderf · 11. Januar 2016

It's correct, as I said I made no changes.

I have installed fresh to spare media on another box and configured the absolute minimum needed to chroot that user and it works. The sshd_config files are identical. Something else is broken. SFTP works, but not if chroot'd.

subzero79 · 11. Januar 2016

well the error is typical from chroot environments, bad ownership/permission.
Post here the chroot with tree /sftp -L 2 -dupg

gderf · 11. Januar 2016

root@omv:~# tree /sftp -L 2 -dupg
/sftp
`-- [drwxr-xr-x root root ] hork

1 directory
root@omv:~#

subzero79 · 11. Januar 2016

Could you check that the user is not in ssh and sftp-users groups at the same time, in case you set them up that way. No idea if that could cause issues.
Also is just pwd login, pka or both?

gderf · 11. Januar 2016

As I said in my OP, I used other methods to set this up on this box and on all my debian machines. More streamlined and can be done entirely from CLI. On this box it has been working fine since the original install last June.

This user belongs to a group with the same name as the username. In sshd_config I have:

AllowGroups (blank)

This lets anyone use ssh without restriction by group or username.

pwd login only

gderf · 11. Januar 2016

Typo in Guide:

This line:

Run service openmediavault-engined restart && omv-mkconf ssh && service restart ssh

Should be:

Run service openmediavault-engined restart && omv-mkconf ssh && service ssh restart

WastlJ · 11. Januar 2016

Thanks @gderf - I´ve fixed it!

subzero79 · 11. Januar 2016

An the server logs? Anything there that can show some insight?

gderf · 11. Januar 2016

Jan 11 16:17:24 omv sshd[10555]: Accepted password for hork from 127.0.0.1 port 35299 ssh2
Jan 11 16:17:24 omv sshd[10555]: pam_unix(sshd:session): session opened for user hork by (uid=0)
Jan 11 16:17:24 omv sshd[10558]: fatal: bad ownership or modes for chroot directory component "/"
Jan 11 16:17:24 omv sshd[10555]: pam_unix(sshd:session): session closed for user hork

The ownership and permissions are correct:

/home is owned by root:root and chmod 0755
/home/hork is owned by root:root and chmod 0755

BUT..........what fixed it was:

root@omv:~# chmod 0755 /

How did that get changed away from correct?

Thanks for your time.

subzero79 · 12. Januar 2016

From the man:

Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

So it has to include /
I'll add a note to the guide.

gderf · 12. Januar 2016

I was aware of the permissions and ownership requirements, but only considered them for the directories that are created as part of this process.

It never occurred to me that / was somehow changed away from what worked last week to what broke this week. This raises two questions:

How does one view the permissions and ownership of / ?

What happened to my OMV to cause the permissions on / to change?

All I did to fix this was to chmod 0755 /

Jetzt mitmachen!