How to set up a SFTP server with users chrooted in their home directories?

Nitin Venkatesh
9 years ago
I have been trying to set up a SFTP server with multiple users chrooting into their home directories. I followed the advice on this guide (Archive.org link) and then executed the following commands on the user's directories
chown root:root /home/user/ chmod 755 /home/user/
There is an additional folder in every user's home directory called public, which is owned by its user so as to allow them to create directories and upload and remove files as needed. (This was advised in the guide I mentioned earlier)
Now when I execute sftp -P 435 [email protected], I get this error:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
How do I proceed from here? The ultimate idea is to have each user on some other machine use FileZilla to log into their chrooted home directories and then be able to upload directories and files. All this in SFTP (because it's more secure)
24 Points 2 Comments Share
ash 5 years ago
The link provided is broken are you able to update this?
Nitin Venkatesh 5 years ago
@ash : Updated with the Archive.org link
Lekensteyn Turn off AdBlock to see the correct answer
9 years ago
That article also describes how to get a chrooted shell access, but since you just want a sftp-only account, just follow these instructions: Edit /etc/ssh/sshd_config and add the lines: SubSystem sftp internal-sftp Match Group sftp ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no Find the line UsePAM yes and comment it: #UsePAM yes Without disabling this, my SSH server would crash on reloading/ restarting ..

This site survives thanks to advertising. Disable AdBlock to see the whole correct answer at no cost!
We promise you will not find boring advertisements. Find out how to disable Adblock by clicking on this link.
Remember to update the page once you have disabled it.
28 Points 4 Comments
Max Masnick 8 years ago
The directions here did not work for me, but following the directions in this question and the answer did: http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes/134442#134442
Lekensteyn 6 years ago
To the anonymous editor: the Match block was not added just before the *UsePAM* line. Instead, the Match block was appended to the file and the UsePAM line was somewhere earlier.
Peter Lozovitskiy 5 years ago
Make sure 'UseLogin yes' option presents in sshd_config file.
Simon Woodside 3 years ago
You need to close the `Match Group` block by putting `Match all` after `AllowTcpForwarding no`. Then you won't need to comment out `UsePAM` and any lines that occur later.
Lekensteyn Correct answer
9 years ago
That article also describes how to get a chrooted shell access, but since you just want a sftp-only account, just follow these instructions:
Edit /etc/ssh/sshd_config and add the lines:
SubSystem sftp internal-sftp Match Group sftp ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no
Find the line UsePAM yes and comment it:
#UsePAM yes
Without disabling this, my SSH server would crash on reloading/ restarting. Since I do not need fancy functions of PAM, this is fine.
For extra security, restrict the users who can login. If you forget to add SFTP users to the sftp group, you give them free shell access. Not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfill both rules), you've to create an additional group, say ssh-users. Add the users who are allowed to login (youruser below) over SSH:
sudo groupadd ssh-users sudo gpasswd -a youruser ssh-users
And add the next line to /etc/ssh/sshd_config:
AllowGroups ssh-users sftp
Now proceed with modifying the permissions of the users home directory to allow for chrooting (example user sftp-user):
sudo chown root:sftp-user /home/sftp-user sudo chmod 750 /home/sftp-user
Create a directory in which sftp-user is free to put any files in it:
sudo mkdir /home/sftp-user/public sudo chown sftp-user: /home/sftp-user/public sudo chmod 750 /home/sftp-user/public
Should you run in any problems, check /var/log/syslog and /var/log/auth.log for details. Run ssh or sftp with the -vvv option for debugging messages. For sftp, the option must appear before the host as in sftp -vvv [email protected].
28 Points 4 Comments Share Donate
Max Masnick 8 years ago
The directions here did not work for me, but following the directions in this question and the answer did: http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes/134442#134442
Lekensteyn 6 years ago
To the anonymous editor: the Match block was not added just before the *UsePAM* line. Instead, the Match block was appended to the file and the UsePAM line was somewhere earlier.
Peter Lozovitskiy 5 years ago
Make sure 'UseLogin yes' option presents in sshd_config file.
Simon Woodside 3 years ago
You need to close the `Match Group` block by putting `Match all` after `AllowTcpForwarding no`. Then you won't need to comment out `UsePAM` and any lines that occur later.
Nathan Jones
5 years ago
Just wanted to add that folder permissions up the directory tree need to be set a certain way.
sshd's strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable by the owner.
Source
I was having a very similar error, and fixing my directory permissions fixed the issue for me.
12 Points 1 Comments Share
jamescampbell 4 years ago
This was my issue. It worked for me by adding in specifics for the user I was adding: `Match User ftpusername` and then `ChrootDirectory %h` and then `ForceCommand internal-sftp`. I did not need to comment out UsePAM or make any other changes otherwise besides setting `chown root /home/ftpusername`. Until I did the chown, I could not connect via sftp.
Aten
8 years ago
I'm using Ubuntu LTS 12.04 and after a lot of pain, this worked for me.
My Settings for /etc/ssh/sshd_config
Subsystem sftp internal-sftp -f AUTH -l VERBOSE UsePAM yes Match group sftp ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no
create group sftp:
groupadd sftp
Create user directly with new sftp group attached:
sudo useradd -d /ftpusers/HomeFolder -m UserName -g sftp -s /bin/false
set permissions for use with ssh for sftp:
chown root:root HomeFolder
chmod 755 HomeFolder
restart service:
service ssh restart
Note, the home folder for the new sftp user has to be given root owner.
9 Points 4 Comments Share
jnunn 8 years ago
you need a step after step 2 for `sudo passwd UserName` in order to set the user's password
7 years ago
I think #4 should read: service sshd restart
jwbensley 6 years ago
No on 12.04 it is "ssh" not "sshd"
Deian 5 years ago
sshd is for redhad linux
Rob Mulder
4 years ago
Here is a step by step guide to allow:
SFTP access to /home/bob/uploads for user bob
Lock bob out of SSH
Use username/passwords rather than keys:
First, edit your /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd
Scroll down and modify:
PasswordAuthentication yes
and add this at the bottom:
Match Group sftpusers ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no
Press Ctrl-X to exit and save.
Now add the user:
sudo useradd bob sudo passwd bob
Now add the groups and disable ssh:
sudo groupadd sftpusers sudo usermod -g sftpusers bob sudo usermod -s /usr/bin/rssh bob sudo usermod -d /home/bob bob
Now set permissions:
sudo chown root:root /home/bob/ sudo chmod 755 /home/bob/ sudo mkdir /home/bob/uploads sudo chown bob /home/bob/uploads sudo service sshd restart
All this is while logged in as a root user (ec2-user on Amazon Linux AMIs)
3 Points 1 Comments Share
Thamaraiselvam 4 years ago
`PasswordAuthentication yes` is solution for me
RedScourge
5 years ago
Also note when adding the Match directive to the config file, that any directives not relevant to what you are matching may stop working. Rather than commenting everything out which is not compatible, simply move any sections which includes a Match directive to the end of the config file.
Furthermore, permissions probably need to be set to 755 on the chroot directory and any parent directories, and the owner to root:root. Personally, I set up the chroot directory sshd_config to be %h, the user's home directory, and then set their home directory to where I want it to be, such as /var/www/examplewebsite.com. Some may prefer to configure a chroot home directory with a static portion followed by the username, such as /var/www/%u, however this requires ensuring your user's chroot dir matches its username, of course.
To troubleshoot connection issues, stop the ssh service, being sure to open an SSH session or two first for testing, and then start the daemon interactively in debug mode to examine the connection debug info, as this may help you identify any problems, and search up how to fix them.
Commands: service ssh stop ; /usr/sbin/sshd -d
Be sure to start ssh up again after you're done! Command: service ssh start
0 Points 0 Comments Share

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM