problems with ChrootDirectory - openssh



  1. problems with ChrootDirectory

    I recently compiled/installed openssh version OpenSSH_5.0p1. I'm trying to make use of the ChrootDirectory to restrict a particular user to only be able to use sftp and in their homedir. From what I've read, I should be able to accomplish this by adding something like this to the sshd_config:

    Match user jsmith
    ForceCommand internal-sftp
    ChrootDirectory /space/storage/jsmith

    I created user jsmith, with his homedir being /space/storage/jsmith.

    I restarted sshd.

    When I try to connect as that user, the following is returned:

    Connection to 10.2.2.135 closed by remote host.
    Connection to 10.2.2.135 closed.

    The sshd log has an entry:
    Jul 9 21:31:12 happybox sshd[8741]: [ID 800047 local5.crit] fatal: bad ownership or modes for chroot directory "/space/storage/jsmith"

    The permissions of /space/storage/jsmith seem ok:

    drwxr-xr-x 3 jsmith other 512 Jul 9 21:19 jsmith

    The .ssh directory is 700, just like my other users (and myself) who can connect normally.

    I thought maybe the "ForceCommand internal-sftp" was giving me problems, so I removed that from the sshd_config to see if I could simply make this user have a shell account chroot'd to his homedir. But, the same error was returned.

    If I remove the entries from the sshd_config file, the user can connect fine, but not chrooted.

    Are there some specific permissions or entries in my sshd_config that I'm missing?
    Any help would be great.

    Thanks!

  2. Re: problems with ChrootDirectory

    On Wed, Jul 09, 2008 at 02:41:11PM -0700, Joseph Spenner wrote:
    > The sshd log has an entry:
    > Jul 9 21:31:12 happybox sshd[8741]: [ID 800047 local5.crit] fatal: bad ownership or modes for chroot directory "/space/storage/jsmith"
    >
    > The permissions of /space/storage/jsmith seem ok:
    >
    > drwxr-xr-x 3 jsmith other 512 Jul 9 21:19 jsmith


    Check the permissions of EVERY directory leading up to it, as well.

    ls -ld / /space /space/storage /space/storage/jsmith


  3. Re: problems with ChrootDirectory

    Hi Joseph,

    I had the same problem.

    The thing is that by specifying /space/storage/jsmith you are providing a
    / directory for that user. You would want in this case to specify
    /space/storage as ChrootDirectory and then create
    /space/storage/jsmith with 700 in it.

    Hope that helps.

    Cheers. Simon

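The two replies describe one rule: sshd refuses a ChrootDirectory unless every directory on the path, from / down to the chroot itself, is owned by root and is not writable by group or others, which is exactly why a user-owned home directory cannot be the chroot. The script below is an added example, not code from this thread or from OpenSSH: it walks a path the way the first reply's ls -ld does, applies that rule to each component, and lays out the structure and sshd_config fragment from the second reply (chroot the root-owned parent /space/storage, user-owned /space/storage/jsmith at mode 700). Function names are mine, and the optional OWNER argument exists only so the check can be exercised on a scratch tree by a non-root user; sshd itself always requires root.

```sh
#!/bin/sh
# Added example, not code from this thread or from OpenSSH.  It applies the
# rule sshd enforces before chroot(2): every component of the ChrootDirectory
# path, from / down, must be root-owned and not writable by group or others;
# any component that fails produces
#   fatal: bad ownership or modes for chroot directory "..."
# Function names are mine; /space/storage/jsmith and jsmith are the path
# and user from the thread.

# chroot_components PATH
# Print the ancestors of an absolute PATH, root first, one per line.
chroot_components() {
    case $1 in /*) ;; *) echo "need an absolute path: $1" >&2; return 1 ;; esac
    dir=$1
    list=
    while [ "$dir" != / ]; do
        list="$dir $list"
        dir=$(dirname "$dir")
    done
    printf '%s\n' / $list     # $list is word-split on purpose (no spaces in paths)
}

# check_dir DIR [OWNER]
# sshd's test for one directory: owned by OWNER (root, as far as sshd is
# concerned) and neither group- nor world-writable.  It reads ls -ld, the
# command the first reply suggests, so it works on Solaris as well as Linux.
# OWNER is a parameter only so the check can be exercised on a scratch tree
# owned by an unprivileged user; leave it out to test a real chroot path.
check_dir() {
    d=$1
    want=${2:-root}
    [ -d "$d" ] || { echo "MISSING    $d"; return 1; }
    line=$(ls -ld "$d")
    mode=$(printf '%s\n' "$line" | awk '{print $1}')   # e.g. drwxr-xr-x
    own=$(printf '%s\n' "$line" | awk '{print $3}')    # owner name
    gw=$(printf '%s\n' "$mode" | cut -c6)              # group write bit
    ow=$(printf '%s\n' "$mode" | cut -c9)              # other write bit
    if [ "$own" != "$want" ]; then
        echo "BAD-OWNER  $mode $own $d (sshd requires $want)"; return 1
    fi
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "BAD-MODE   $mode $own $d (group/world writable)"; return 1
    fi
    echo "ok         $mode $own $d"
}

# check_chroot_path PATH [OWNER]
# Walk every component, as in "ls -ld / /space /space/storage ...", and
# report each one; fails if any component fails.  With the original config,
# /space/storage/jsmith itself fails because jsmith, not root, owns it.
check_chroot_path() {
    list=$(chroot_components "$1") || return 1
    rc=0
    for d in $list; do
        check_dir "$d" "$2" || rc=1
    done
    return $rc
}

# The layout from the second reply, as the commands to run as root: chroot
# the root-owned parent and give the user a 700 directory underneath it,
# which appears as /jsmith once the session is chrooted.  internal-sftp
# runs inside sshd, so the chroot needs no binaries, libraries or /dev.
setup_layout() {
    mkdir -p /space/storage/jsmith
    chown root /space /space/storage
    chmod 755 /space /space/storage
    chown jsmith /space/storage/jsmith
    chmod 700 /space/storage/jsmith
}

# Matching sshd_config fragment (check it with sshd -t before restarting):
#   Match User jsmith
#       ChrootDirectory /space/storage
#       ForceCommand internal-sftp

# Run as:  sh chroot_check.sh /space/storage
if [ -n "$1" ]; then
    check_chroot_path "$1"
fi
```

Run it as any user against the real path (sh chroot_check.sh /space/storage); the first line that is not "ok" is the component sshd is complaining about. Once every component reports ok, run sshd -t, restart sshd and connect with sftp jsmith@host; with ForceCommand internal-sftp a plain ssh login to that account will not get a shell. A path under /tmp or any other world-writable directory will always fail this check, for the same reason sshd rejects it.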


