View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions Restricted SFTP Access
Log in to Ask a Question

Restricted SFTP Access

general

hey all,

i want to restrict a users of a certain group to their home directories.

i've tried the following in sshd_config

Subsystem sftp internal-sftp

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

And the following commands:

usermod -G filetransfer username
chown root:root /home/username
chmod 755 /home/username

cd /home/username
mkdir docs public_html
chown username:username *

But after restarting ssh the user could not log in at all

9 Replies

Do you use PasswordAuthentication?

If PasswordAuthentication is off above, you either need to add a "PasswordAuthentication on" line to your match section, or add the .ssh/authorized_keys file to your sftp jail.

yes,

PasswordAuthentication yes

What error are you getting when you try to ssh in? I'd recommend logging in with the -v flag (ssh -v), and also checking any errors in /var/log/auth.log on your server.

I'll add that you probably want to strongly consider setting up pubkey authentication for your server. It's really not that much harder than password auth to setup, and the gains in security are considerable.

I personally use pubkey for my shell logins, and password for sftp jails.

i actually want this user to only be able to sftp so, im not sure if this matters but…

ssh -v provides the following:

$ ssh -v chris@domain.com

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to domain.com [111.111.111.111] port 22.
debug1: Connection established.
debug1: identity file /Users/matt/.ssh/identity type -1
debug1: identity file /Users/matt/.ssh/id_rsa type 1
debug1: identity file /Users/matt/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'domain.com' is known and matches the RSA host key.
debug1: Found key in /Users/matt/.ssh/known_hosts:14
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/matt/.ssh/identity
debug1: Offering public key: /Users/matt/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/matt/.ssh/id_dsa
debug1: Next authentication method: password
chris@domain.com's password:

but you can see the identity file is coming from user "matt" when "chris" is trying to log in. is that expected?

after entering the pw (i'm sure it's correct because it works with the match disabled) i get this error in auth.log

Nov  4 15:21:48 localhost sshd[21514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpe-11-11-11-111.nyc.res.rr.com  user=chris
Nov  4 15:21:51 localhost sshd[21514]: Failed password for chris from 11.11.11.111 port 43647 ssh2

sftp just error is failed password too.

It says Matt because that's who you're logged onto your computer as. It's checking your local home folder for public keys.

From what I'm seeing, if you're sure you've got the right pass, it should work.

this is what happens after the pw is entered:

debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
Read from remote host domain.com: Connection reset by peer
Connection to domain.com closed.
Transferred: sent 1632, received 1800 bytes, in 0.1 seconds
Bytes per second: sent 31776.9, received 35048.1
debug1: Exit status -1

Do you have a white/black list in your sshd_config (i.e. AllowUsers etc)? That might cause some of those messages you listed above.

Try setting your servers log level to debug in sshd_config then check /var/log/auth.log it might provide more clues.

i'm not sure why, but after rebooting the linode it works!

this lead me to the next issue.

i wanted a user to have access to a folder outside of his home directory.

i looked into symlinks but it seems that that's the wrong utility for this situation.

so i used

mount -o bind /outside /home/user/outside

this does the trick! but i'm unsure about how to make this persistant.

i added this to /etc/fstab but i'm not sure if that was the right move, although it seems to work.

/srv/www/shared /home/chris/shared none bind

now, if anyuser tries to download a handful of files via sftp port 22 timesout and closes.

i'm not sure how to to even begin debugging this issue, so any help would be appreciated.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct