18

I've got a CentOs release 6.4 with Digital Ocean and would like to successfully create SFTP users and jail them to the user's own chroot home directory but I fear I'm making a mess of this.

I've tried a lot of things, far too many to list here really, as most of it is probably incorrect or won't make much sense, but what I feel should be the correct process and what I have tried is:-

Create a group for sftp:-

groupadd sftp 

Create a user and set their home directory:-

useradd -d /var/www/vhosts/domain.com dummyuser 

Set a password for the user:-

passwd dummyuser 

Change the user's group to 'sftp':-

usermod -g sftp dummyuser 

Set the user's shell to /bin/false:-

usermod -s /bin/false dummyuser 

Edit Subsystem in sshd_config (/etc/ssh/):-

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Add the following to the bottom of the sshd_config file:-

Match group sftp
    X11Forwarding no
    ChrootDirectory %h
    AllowTcpForwarding no
    ForceCommand internal-sftp

I make sure all the following directories are root:root:-

/var /var/www /var/www/vhosts /var/www/vhosts/domain.com 

If I then try to log in to the server via SFTP with the user dummyuser (in WinSCP), I get the following:-

Authentication log (see session log for details): Using username "dummyuser". Authentication failed. 

All I want to achieve is jailing a user to their home directory. I've also got vsftpd set up and configured. Users could log in fine but would have access to the entire server - I just haven't managed to get jailing to work at all.

Edit

Forgot to mention, I then restarted sshd also:-

service sshd restart 

When the error is produced in WinSCP, their help page on this is here.

Log Results

/var/log/secure 

I replaced the actual server name with server_name.

Apr 28 14:20:56 server_name sshd[9944]: Accepted password for dummyuser from 80.194.255.4 port 44402 ssh2
Apr 28 14:20:56 server_name sshd[9944]: pam_unix(sshd:session): session opened for user dummyuser by (uid=0)
Apr 28 14:20:56 server_name sshd[9946]: fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/"
Apr 28 14:20:56 server_name sshd[9944]: pam_unix(sshd:session): session closed for user dummyuser
10
  • Did you restart sshd? What is in the log files on the server? Commented Apr 28, 2014 at 14:31
  • Yes I did, sorry I forgot to add that to the end of my question (will include now). Which log file (and location) should I be looking in because I have failed to find a 'session log' file so far? Thanks. Commented Apr 28, 2014 at 14:37
  • You'll want to take a look at /var/log/secure. Commented Apr 28, 2014 at 14:40
  • Excellent, thank you - this helps (updating question with log entries). Commented Apr 28, 2014 at 14:44
  • fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/" something such as this I suspected but vhosts is root:root. Commented Apr 28, 2014 at 14:46

2 Answers

15

It's a common pitfall:
All folders up to the chroot home must be owned by root and writable only by the root user.
The folders cannot be group-writable, even if the group is root.

1
  • 4
    I just learnt a trick to check this conveniently: namei -l /var/www/vhosts Commented Feb 15, 2016 at 14:30
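The answer and the `namei -l` tip tell you what to look for, but it is easy to miss one component by eye. The following script is an added example (not part of the answer or of OpenSSH) that walks every component of a ChrootDirectory path and applies the same conditions sshd does before it will chroot a session: each component must be a directory owned by root and writable by neither group nor others. It ends with a self-check on a constructed copy of the question's `/var/www/vhosts/domain.com` tree in a temporary directory, with `vhosts` group-writable as the log complained about. The `STOP` and `WANT_UID` parameters are assumptions added only so that self-check can run unprivileged under world-writable `/tmp`; for a real audit call `check_chroot_path /var/www/vhosts/domain.com` with the defaults, which check all the way to `/` for uid 0.

```shell
#!/bin/sh
# Added example, not from the answer above: reproduce the check sshd runs on every
# component of a ChrootDirectory before it chroots an SFTP session. A component that
# fails is what produces the question's log line:
#   fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/"

# component_ok PATH [WANT_UID]
# WANT_UID defaults to 0 (root). Overriding it is only for the unprivileged self-check
# below; real audits should leave it at 0.
component_ok() {
    c=$1 want_uid=${2:-0}
    if [ ! -d "$c" ]; then
        echo "  $c: not a directory"; return 1
    fi
    uid=$(stat -c '%u' "$c")
    sym=$(stat -c '%A' "$c")       # e.g. drwxrwxr-x: char 6 = group w, char 9 = other w
    if [ "$uid" != "$want_uid" ]; then
        echo "  $c: owned by uid $uid, expected $want_uid"; return 1
    fi
    case $sym in
        ?????w*)    echo "  $c: group-writable ($sym)"; return 1 ;;
        ????????w*) echo "  $c: world-writable ($sym)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [STOP] [WANT_UID]
# Walks from DIR up to STOP (inclusive) and checks every component, reporting all
# failures rather than only the first. sshd checks up to "/"; STOP defaults to "/"
# and exists only so a temporary tree under world-writable /tmp can be self-checked.
check_chroot_path() {
    p=${1%/}; [ -n "$p" ] || p=/
    stop=${2:-/} want=${3:-0}
    bad=0
    while :; do
        component_ok "$p" "$want" || bad=1
        [ "$p" = "$stop" ] && break
        [ "$p" = "/" ] && break      # DIR was not under STOP; nothing left to walk
        p=$(dirname "$p")
    done
    return $bad
}

# build_bad_tree -> prints the path of a constructed tree mirroring the question's
# layout, with the vhosts component group-writable (775), the defect in the log.
build_bad_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/var/www/vhosts/domain.com"
    chmod 755 "$base/var" "$base/var/www" "$base/var/www/vhosts/domain.com"
    chmod 775 "$base/var/www/vhosts"
    printf '%s\n' "$base"
}

# Self-check on the constructed tree (unprivileged, so the expected owner is our uid)
me=$(id -u)
base=$(build_bad_tree)
home="$base/var/www/vhosts/domain.com"
echo "as created:"
check_chroot_path "$home" "$base" "$me" && echo "  ok, sshd would chroot" || echo "  sshd would refuse"
chmod 755 "$base/var/www/vhosts"
echo "after chmod 755 on vhosts:"
check_chroot_path "$home" "$base" "$me" && echo "  ok, sshd would chroot" || echo "  sshd would refuse"
rm -rf "$base"
```

Run it as root on the server with no arguments beyond the path (`check_chroot_path /var/www/vhosts/domain.com`) and it prints every offending component, which is the list of `chown root:root` / `chmod 755` fixes you still need before restarting sshd.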
5

I found and successfully configured sftp on CentOS 6.5: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

Edit sshd config:

vim /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server

(comment out the default with "#"), then add:

Subsystem sftp internal-sftp
Match Group sftp-only
    ChrootDirectory /var/www/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Exit and save.

Then:

mkdir /etc/skel2
groupadd sftp-only
getent group | grep sftp-only

(take note of the GID (Group ID); here, in my example, it's 500)

For a new user named "testuser" (member of the sftp-only group with GID 500):

useradd --base-dir /var/www --gid 500 --skel /etc/skel2 --create-home --shell /sbin/nologin testuser 

(I use an empty /etc/skel2 so no .bashrc etc. is copied by default by CentOS)

mkdir -p /var/www/testuser/home/testuser
chown root:sftp-only /var/www/testuser
chmod 750 /var/www/testuser
chown root:root /var/www/testuser/home
chmod 755 /var/www/testuser/home
chown testuser:sftp-only /var/www/testuser/home/testuser
chmod 770 /var/www/testuser/home/testuser

So in this example, I made it to give secure access to external consulting firms that manage websites. After creating all this, you could do:

mkdir /var/www/testuser/home/testuser/www.somesite.com
chown testuser:apache /var/www/testuser/home/testuser/www.somesite.com
chmod xxx /var/www/testuser/home/testuser/www.somesite.com

(permissions to the website as needed, usually 750 so apache would get read access)

One could fine tune all this as needed.

Hope this helped!

Guy Boisvert IngTegration inc. http://www.ingtegration.com

2
  • Welcome to Server Fault! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. Commented Sep 4, 2014 at 13:52
  • 1
    Since you changed sshd config, I'd suggest you restart it : service sshd restart Commented Jul 11, 2016 at 13:53
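The point of the layout in this answer is that the chroot root (`/var/www/testuser`) and the intermediate `home` directory stay root-owned and not group-writable, while the user gets write access only in the innermost directory. As an added example that is not part of the answer, the script below encodes that three-level layout as a reusable function, parameterised by prefix, user and group, and a second function that reports the resulting modes so they can be checked before `ChrootDirectory /var/www/%u` is pointed at the tree. Ownership is applied only when running as root and the user and group exist (an assumption so the script can also be exercised unprivileged against a temporary prefix); the modes are always applied.

```shell
#!/bin/sh
# Added example (not from the answer): build the chroot layout the answer describes.
#
#   PREFIX/USER            root:GROUP  750   ChrootDirectory; root-owned, not group-writable
#   PREFIX/USER/home       root:root   755   still inside the chroot, still root-owned
#   PREFIX/USER/home/USER  USER:GROUP  770   the only directory the user may write to
#
# sshd refuses to chroot if any component of the ChrootDirectory path is not owned
# by root or is group/world-writable, which is why write access is pushed down to
# the innermost directory instead of given on the chroot root itself.

# make_sftp_tree PREFIX USER GROUP
make_sftp_tree() {
    prefix=$1 user=$2 group=$3
    croot="$prefix/$user"
    mkdir -p "$croot/home/$user"
    chmod 750 "$croot"
    chmod 755 "$croot/home"
    chmod 770 "$croot/home/$user"
    # chown needs root and existing accounts; skipped otherwise (assumption for
    # unprivileged runs such as the self-check), modes above are applied regardless.
    if [ "$(id -u)" = 0 ] && id "$user" >/dev/null 2>&1 \
        && getent group "$group" >/dev/null 2>&1; then
        chown "root:$group" "$croot"
        chown root:root "$croot/home"
        chown "$user:$group" "$croot/home/$user"
    fi
}

# sftp_tree_modes PREFIX USER -> prints the three octal modes, "750 755 770" when correct
sftp_tree_modes() {
    croot="$1/$2"
    printf '%s %s %s\n' "$(stat -c %a "$croot")" \
        "$(stat -c %a "$croot/home")" "$(stat -c %a "$croot/home/$2")"
}

# sftp_tree_ok PREFIX USER -> succeeds only when the chroot root and home are
# neither group- nor world-writable and the leaf is writable by its group
sftp_tree_ok() {
    case $(sftp_tree_modes "$1" "$2") in
        7[0-5][0-5]' '7[0-5][0-5]' '77?) return 0 ;;
        *) return 1 ;;
    esac
}

# Self-check against a temporary prefix (constructed; no real accounts are touched)
if [ "${1:-}" = "--demo" ]; then
    prefix=$(mktemp -d)
    make_sftp_tree "$prefix" testuser sftp-only
    echo "modes (chroot root, home, leaf): $(sftp_tree_modes "$prefix" testuser)"
    sftp_tree_ok "$prefix" testuser && echo "layout ok" || echo "layout wrong"
    rm -rf "$prefix"
fi
```

On the server, `make_sftp_tree /var/www testuser sftp-only` run as root after the `useradd` line reproduces the answer's `mkdir`/`chown`/`chmod` sequence exactly; `sftp_tree_modes /var/www testuser` is a quick way to confirm nothing in the chroot path was left group-writable before `service sshd restart`.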
