On 2013-04-08, Evan Root <[email protected]> wrote:
> Hello
>
> Like the subject says, I can't get sftp-internal to work. I have snips of
> the relevant
> config files below so eat your heart out and let me know if you want to see
> anything else.
>
> /etc/ssh/sshd_config:
> -------------------------------
> PermitRootLogin no
> Subsystem sftp internal-sftp
> Match Group sftpusers
> ChrootDirectory /home/%u
> --------------------------------
> Everything else in the file is vanilla.
>
> Permissions on the /home directories
> -------------------------------
> # cd /home
> # ls -l
> total 8
> drwxr-xr-x 4 dvader sftpusers 512 Apr 8 16:09 dvader
> drwxr-xr-x 3 evan evan 512 Apr 8 15:11 evan
> # ls -ld
> drwxr-xr-x 4 root wheel 512 Apr 8 16:04 .
> #
> --------------------------------
sshd_config(5):
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. All components of the pathname must be root-
owned directories that are not writable by any other user or
group. After the chroot, sshd(8) changes the working directory
to the user's home directory.
> bottom of /etc/passwd
> --------------------------------
> evan:*:1000:1000:Evan Root:/home/evan:/bin/ksh
> dvader:*:1001:1001::/home/dvader:/sbin/nologin
> --------------------------------
The home directory goes *inside* the chroot directory, i.e., with the
example from your config files it would be /home/username/home/username;
/home/username would be owned by root and not generally writable, and
/home/username/home/username would be owned by the relevant user.
(Personally I use /var/sftp/username/home/user for these.)
You might think this is slightly awkward; Red Hat did too. Here's
the result: https://bugzilla.redhat.com/show_bug.cgi?id=522141
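The ownership rule quoted from sshd_config(5) and the nested layout suggested in the reply, as an added shell example that is not part of the original thread: the function walks every component of a prospective ChrootDirectory and reports the ones sshd would reject. The OWNER_UID and STOP_DIR arguments, the demo_layout helper and the temp-directory tree are assumptions so it can run unprivileged; against a real server you would call it with the path alone.

```shell
#!/bin/sh
# Added example, not from the original thread: check a prospective
# ChrootDirectory against the sshd_config(5) rule quoted above.  Every
# path component must be a root-owned directory that is not writable by
# group or others; otherwise sshd refuses the login and logs
# "bad ownership or modes for chroot directory".

# check_chroot_path PATH [OWNER_UID] [STOP_DIR]
#   OWNER_UID and STOP_DIR are assumed test knobs, not sshd options: sshd
#   itself requires uid 0 on every component all the way up to "/".
check_chroot_path() {
    path=$1 owner=${2:-0} stop=${3:-/} rc=0
    case $path in
        /*) ;;
        *) echo "BAD  $path: ChrootDirectory must be absolute"; return 2 ;;
    esac
    dir=$path
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        if [ ! -d "$dir" ]; then
            echo "BAD  $dir: not a directory"; rc=1
        elif [ -z "$(find "$dir" -prune -user "$owner" -print)" ]; then
            echo "BAD  $dir: not owned by uid $owner"; rc=1
        elif [ -n "$(find "$dir" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "BAD  $dir: writable by group or others"; rc=1
        else
            echo "ok   $dir"
        fi
        dir=$(dirname "$dir")   # climb one level towards STOP_DIR
    done
    return $rc
}

# Constructed demonstration of the layout the reply recommends: the chroot
# is /home/dvader (root-owned, mode 755) and the user's own writable home
# sits inside it at /home/dvader/home/dvader.  Built under a temp dir and
# owned by the current user, so the test knobs stand in for root and "/".
demo_layout() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/home/dvader/home/dvader"
    chmod 755 "$base/home" "$base/home/dvader"    # chroot components
    chmod 755 "$base/home/dvader/home/dvader"     # leaf may belong to the user
    check_chroot_path "$base/home/dvader" "$(id -u)" "$base"; rc=$?
    rm -rf "$base"
    return $rc
}

demo_layout
```

A group-writable component anywhere on the path (the 775 mode in the failing case below) is enough for sshd to reject the whole chroot, which is the usual cause of "sftp works for root-owned dirs but not for /home/%u".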