Configure Chroot Jail SFTP Server
Problem Statement: Following an article published on the internet, I configured an SFTP server with a chrooted environment. The server serves several customers who upload their content, and the users' home directories are shared.
Whenever a user logged in, the session was directed to their home folder, but the user could still browse the entire directory tree. A user could even change directory to /var and read the content there, since it is readable by any user.
Below is the sshd_config configuration for the SFTP server.

Subsystem sftp internal-sftp
Match group ftpaccess
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Two things are worth checking with a configuration like this. A Match block only applies to sessions that meet its criteria, so a user who is not a member of ftpaccess (verify with "id dave") is not chrooted at all and gets an ordinary SFTP session with the whole filesystem visible. Every directive after a Match line belongs to that block until the next Match line, so the block has to sit at the end of sshd_config. Also, ChrootDirectory %h can only succeed if the home directory is owned by root and not writable by group or others; with ordinary user-owned home directories sshd refuses the login rather than chrooting it.
Solution: I referred to several sites to find a proper way to configure SFTP in a chroot jail. Below is the link I used.
Referenced Link:
https://unix.stackexchange.com/questions/359523/restrict-sftp-user-to-multiple-folders/359554
Following it, I configured sshd_config as below. The Subsystem line now points at the external sftp-server binary, but the per-user ForceCommand internal-sftp overrides it, which is what a chroot needs: the in-process SFTP server runs without any binaries or libraries being present inside the jail.
Subsystem sftp /usr/libexec/openssh/sftp-server
Match user dave
ChrootDirectory /home/dave
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match user anne
ChrootDirectory /home/anne
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match user sam
ChrootDirectory /home/sam
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
But once I configured it there was an issue with the login. When I checked /var/log/secure there was an error about bad permissions:
fatal: bad ownership or modes for chroot directory "/home/dave" [postauth]
Since the directory is used as a chroot, sshd requires it, and every directory above it up to /, to be owned by root and not writable by group or others; 755 satisfies that. Therefore I ran the commands below to set it.
chown root:root /home/dave
chmod 755 /home/dave
These permissions must not be changed. Any group or world write bit on the chroot directory, or on one of its parent directories, brings the bad ownership or modes error back.
This raised another issue: since the folder is not owned by the user who connects over SFTP, the user cannot upload anything to it. I tried adding an ACL, but the bad permission error occurred again (granting write access through a POSIX ACL sets the group bits of the directory's mode, which sshd rejects in the same check). The only workaround that remains is to create a folder inside the chroot directory and give the user ownership of it.
mkdir /home/dave/dave
chown dave:dave /home/dave/dave
With that, everything is resolved: users who log in through SFTP are restricted to their own home directory. Inside the jail the chroot directory appears as /, so the user lands in / and uploads into the dave subdirectory, which is the only place they can write.
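The procedure above, as an added shell example that is not part of the original post: it reproduces the ownership and mode check sshd performs on the chroot directory and on each of its parents up to /, so the "bad ownership or modes" failure can be caught before reloading sshd, and then provisions a user the way the post ends up doing it (root-owned 755 home, user-owned upload directory inside it). The user name, the ftpaccess group, /sbin/nologin and the /usr/sbin/sshd and systemctl paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the check sshd applies to a
# ChrootDirectory (root-owned, not group- or world-writable, for the directory and
# every parent up to /) and provisions a chrooted SFTP user the way the post ends up
# doing it. Assumes a Linux host with useradd/groupadd, /sbin/nologin, /usr/sbin/sshd
# and systemctl; the user name and the ftpaccess group are placeholders.

# Check one directory against sshd's rule. Returns 0 if it passes.
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can be
# exercised on a scratch tree owned by an unprivileged user.
chroot_dir_ok() {
    dir=$1
    owner_uid=${2:-0}
    [ -d "$dir" ] || return 1
    # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric owner uid.
    set -- $(ls -ldn "$dir")
    perms=$1
    uid=$3
    [ "$uid" -eq "$owner_uid" ] || return 1
    # Position 6 of the mode string is group write, position 9 is other write.
    case $perms in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Walk from PATH up to / the way sshd does and print the first component that
# fails; print nothing and return 0 when every component passes.
chroot_path_check() {
    p=$1
    owner_uid=${2:-0}
    case $p in
        /*) ;;
        *) printf 'path must be absolute: %s\n' "$p" >&2; return 2 ;;
    esac
    while :; do
        if ! chroot_dir_ok "$p" "$owner_uid"; then
            printf '%s\n' "$p"
            return 1
        fi
        if [ "$p" = / ]; then
            return 0
        fi
        p=$(dirname "$p")
    done
}

# Provision a chrooted SFTP user: root-owned 755 chroot directory, a user-owned
# upload directory inside it, and a shell that allows no interactive login.
# Must run as root; expects a matching Match block already in sshd_config.
provision_sftp_user() {
    user=$1
    home=/home/$user
    getent group ftpaccess >/dev/null || groupadd ftpaccess
    id "$user" >/dev/null 2>&1 || useradd -m -d "$home" -G ftpaccess -s /sbin/nologin "$user"
    chown root:root "$home"
    chmod 755 "$home"
    mkdir -p "$home/$user"
    chown "$user:$user" "$home/$user"
    chmod 700 "$home/$user"
    # Fail loudly if sshd would reject the chroot, naming the offending component.
    if ! bad=$(chroot_path_check "$home"); then
        printf 'sshd would reject ChrootDirectory %s: %s is not root-owned or is group/world-writable\n' "$home" "$bad" >&2
        return 1
    fi
    # Validate the configuration before reloading (assumed paths).
    /usr/sbin/sshd -t && systemctl reload sshd
}

# Usage: ./chroot-sftp.sh <user>          provision <user> (run as root)
#        ./chroot-sftp.sh check <path>    only run the sshd chroot check on <path>
if [ "$#" -gt 0 ]; then
    if [ "$1" = check ]; then
        chroot_path_check "$2"
    else
        provision_sftp_user "$1"
    fi
fi
```

Running "check /home/dave" before touching sshd prints the first directory sshd would complain about (for example a home directory still owned by the user, or a parent such as /home made group-writable), which is the same condition behind the "bad ownership or modes" line in /var/log/secure. The OWNER_UID parameter exists only so the check can be exercised on a scratch tree by an unprivileged user; sshd itself always requires root ownership.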
Great article. Thank you.