Talk:SFTP chroot

From ArchWiki
Latest comment: 22 February 2021 by Ovsyanka in topic "UsePam yes" and "/usr/bin/nologin" shell

I added a note to the bottom about ownership/permissions issues sshd can give you when you're setting it to chroot. I followed this guide and ran into a problem where no matter what I seemed to do sshd would keep rejecting sftp connections. Turns out it won't allow you to chroot to directories that don't have what it considers secure permissions.

This is my first edit on this wiki btw. MaBeef 05:31, 18 December 2009 (EST)

This is also my first blurb. I was also having problems logging in to sftp/chroot with an ssh key. Using OpenSSH_5.3p1 I tried a few things and finally got a configuration to work. In sshd_config, I set:
AuthorizedKeysFile      /etc/ssh/authorized_keys/%u
Subsystem sftp internal-sftp
Match Group ftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
PubkeyAuthentication yes
AllowTCPForwarding no
X11Forwarding no
Then for the IDs I wanted to give ssh key trust to, in this example fbestert, created the directory specified in the ChrootDirectory entry in sshd_config. It said ChrootDirectory /home/%u so put it in /home/fbestert. This directory looks like:
drwxr-x---. 5 root ftponly 4096 Jan 21 17:09 fbestert
THIS IS NOT fbestert's HOME DIRECTORY IN /etc/password! The passwd file entry looks like this:
fbestert:x:9999:400:Fester Bestertester:/etc/ssh/authorized_keys/fbestert:/bin/false
where 400 is the GID for ftponly, the group specified in sshd_config's Match Group value. This "home" directory looks like this:
"drwx------ 3 fbestert ftponly 4096 Jan 21 17:05 /etc/ssh/authorized_keys/fbestert"
and it has the normal .ssh subdirectory underneath it with the authorized_keys file which contains the ssh public keys, as usual. —This unsigned comment is by Fbester (talk) 22:08, 22 January 2015‎. Please sign your posts with ~~~~!

Note that you can also use keyword AuthorizedKeysFile inside Match block. Otila (talk) 22:45, 23 February 2015 (UTC)Reply[reply]

Logging from chroot to journald

# mkdir /jail/dev
# touch /jail/dev/log
# mount --bind /run/systemd/journal/dev-log /jail/dev/log

testing

# logger TEST --socket /jail/dev/log

—This unsigned comment is by Vgavro (talk) 16:01, 15 March 2020‎. Please sign your posts with ~~~~!

"UsePam yes" and "/usr/bin/nologin" shell

I just tried to set up sftp access to my machine and I faced with the problem.

Default sshd_config has "UsePam yes" and default /etc/shells doesn't have "/usr/bin/nologin" entry. Consequently password authentication doesn't work for such users who have /usr/bin/nologin shell.

I believe it would be appropriate to mention that fact and suggest to either disable UsePAM or add /usr/bin/nologin to the /etc/shells.

And maybe it would be a good idea to add /usr/bin/nologin to the /etc/shells by default, but I don't know where is appropriate place to raise that question.

Ovsyanka (talk) 23:24, 22 February 2021 (UTC)Reply[reply]