Can I use SFTP with Chroot on ssh?

Hi hi! I'd like to talk a bit more about this. I would very much like to get sftp configured without the users being able to browse outside of their folders (Owncloud is a super-slow pain in my butt, I need remote access, and VPN was a blazing ball of fail) -- but whatever I try, it just ends up in Write Failed: Broken Pipe, or being outright refused.

I can connect just fine using just the ssh group, but if I can't have owncloud, I want some semblance of pretty in my folder structure. A little minimalism!

I've tried a few guides for chrooting -- all of which say the same thing, really (specialized group, permissions to root:root for all preceding folders (user included), alter the sshd_config) -- and even tried the bit the OP added (-u 002) -- but no love. My permissions appear to be correct all the way to the user folder, and.. well... I've got nothin'.

Ideas?

EDIT: There was a conversation related to this from back in 2012. In it, @tekkbebe called out another post in a link -- but that is still 404-ing since the forum move. Maybe the answers are in the mysterious missing link? And yes I do realize what I just said there.

I will send you my Guide this evening. If I haven't send it about 9 hours from now, PM me with a reminder.

Greetings
David

Zitat von chilyn

There was a conversation related to this from back in 2012. In it, @tekkbebe called out another post in a link -- but that is still 404-ing since the forum move.

It links to this thread, which is about the ftp server only.
@davidh2k I'd be interested in your guide aswell

FYI: If you encounter a 404-error due to an old link, you can replace forums.openmediavault with phpbb.openmediavault and it should work

I'm at work rigt now but I can tell you that I got it up and running on a Debian Wheezy system in under an hour.

Greetings
David

Thanks for the tip @T-A-Z. And as always, thanks for being awesome @davidh2k! I await your guide.

I'm at home now and busy with some things but I will take care of it this evening... just need to crawl through my history to get it all backtogether.

Greetings
David

Create the user you want to use:

adduser sftpuser

Deny shell access

usermod -s /bin/nologin

(I expect you use /home/sftpuser as the base for this user) the FULL PATH to the dir has to be owned by root:root, even /home

chown root:root /home
chmod 755 /home
chown root:root /home/sftpuser
chmod 755 /home/sftpuser

The user can't write to /home/sftpuser directly, therefore you need to go one dir deeper...

mkdir /home/sftpuser/upload
chown sftpuser:sftpuser /home/sftpuser/upload

edit /etc/ssh/sshd_config

Change

Subsystem sftp /usr/lib/openssh/sftp-server

to

Subsystem sftp internal-sftp

Add at the end:

Match User sftp
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

Restart ssh

service ssh restart

Finished.

Remember that you can only access to this user via sftp, scp does not work!

Greetings
David

PS: If you want to do this with multiple users you need to either specify them in the sshd_config or switch to 'Match Group xxx' instead.

Edit: Maybe OpenMediaVault still overrides this, not sure if it does, but it should at least work until the config is overwritten.

Thanks for that!

That is almost exactly what I did. The only major differences is that I used the Match Group setting and my path was through /media/uuid/Userhome/user/upload.

Also, the upload folder ended up being owned by sftpuser:user (from OMV?).

EDIT - Notes:
- I get permission denied unless I include the user in the ssh group as well
- With the ssh group included I get Broken Pipe

Oh, pardon. For OpenMediaVault it needs to be in SSH group ofc.

How do you try to upload something? Where do you get broken pipe?

Greetings
David

I get broken pipe in terminal if I use sftp user@ip.ad.dd.ress. If I use a client on my iPad I just get a connection error "cannot authenticate this server". Password is fine in all cases, as is user name.

Do you mean SSH group should be the group added to sshd_config, or it has to be added to the user as well as the custom group for sftponly? I tried both, and get the same result.

I just wrote a bit more in the devforum about it... so give a 20 min break After that, do you want us to go over all steps again via Teamviewer? I have it running on my root server (not my NAS), but it can't be so hard to figure out where its hangs on your system, as you use wheezy already too.

Greetings
David

Sure. Sounds great!

chilyn, check your conversations.

Greetings
David

Thanks again @davidh2k, for the Teamviewer help! I'm good to go.

You guys rock!

Anyone else having this issue:

Make sure your directory structure preceding your upload folder is root:root but also chmod to 755. Even if it looks like it already is.

Also, because OMV will rewrite the configuration to default on restart (they are discussing a fix for this) you need to set up backup copy of your sshd_conf and add a script in the chron area of OMV GUI to make sure you don't have to hand code it every single reboot.

cd /etc/ssh/ && cp sshd_config_sftp sshd_config && service ssh restart

Cheers!

Zitat von chilyn

Thanks again davidh2k, for the Teamviewer help! I'm good to go.

You're welcome.

Zitat von chilyn

You guys rock!

Thank you.

Zitat von chilyn

Also, because OMV will rewrite the configuration to default on restart (they are discussing a fix for this) you need to set up backup copy of your sshd_conf and add a script in the chron area of OMV GUI to make sure you don't have to hand code it every single reboot.

We'll look into 'fixing' that.

Greetings
David

The first I apologize for my bad English.
This topic is very interesting and I would like to know how to get umask 0007.

The following code does not work.

Subsystem sftp /usr/lib/openssh/sftp-server -u 007

I tried this but it does not work

Match group deluge
        ChrootDirectory /media/01f74734-b21b-4cf7-b712-899f6cbaab84/usuarios/deluge
        ForceCommand internal-sftp -u 007
        X11Forwarding no
        AllowTcpForwarding no

Thank you .