Talk:SFTP chroot

From ArchWiki

I added a note to the bottom about ownership/permissions issues sshd can give you when you're setting it to chroot. I followed this guide and ran into a problem where no matter what I seemed to do sshd would keep rejecting sftp connections. Turns out it won't allow you to chroot to directories that don't have what it considers secure permissions.

This is my first edit on this wiki btw. MaBeef 05:31, 18 December 2009 (EST)

This is also my first blurb. I was also having problems logging in to sftp/chroot with an ssh key. Using OpenSSH_5.3p1 I tried a few things and finally got a configuration to work. In sshd_config, I set:
AuthorizedKeysFile      /etc/ssh/authorized_keys/%u
Subsystem sftp internal-sftp
Match Group ftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
PubkeyAuthentication yes
AllowTCPForwarding no
X11Forwarding no
Then for the IDs I wanted to give ssh key trust to, in this example fbestert, I created the directory specified in the ChrootDirectory entry in sshd_config. It said ChrootDirectory /home/%u, so I put it in /home/fbestert. This directory looks like:
drwxr-x---. 5 root ftponly 4096 Jan 21 17:09 fbestert
THIS IS NOT fbestert's HOME DIRECTORY IN /etc/passwd! The passwd file entry looks like this:
fbestert:x:9999:400:Fester Bestertester:/etc/ssh/authorized_keys/fbestert:/bin/false
where 400 is the GID for ftponly, the group specified in sshd_config's Match Group value. This "home" directory looks like this:
drwx------ 3 fbestert ftponly 4096 Jan 21 17:05 /etc/ssh/authorized_keys/fbestert
and it has the normal .ssh subdirectory underneath it with the authorized_keys file which contains the ssh public keys, as usual. —This unsigned comment is by Fbester (talk) 22:08, 22 January 2015. Please sign your posts with ~~~~!

Note that you can also use keyword AuthorizedKeysFile inside Match block. Otila (talk) 22:45, 23 February 2015 (UTC)