Re: a few question about sftp

2015-05-01 Thread Nick Holland
On 05/01/15 09:35, Markus Rosjat wrote:
 well I got it running to a point where my user got logged in to his home dir.
 he is now chrooted to /var/sftp because this one is owned by root and 
 not writeable for others.
 still can jump from home dir (well, it's not really this home) 
 /var/sftp/testsftp to the root (which is the actual home) /var/sftp
 is there something I can do to prevent this last no go?
 

The way I have done this is something like:
sftpusers/mary/homedir
(root)   (root) (mary)

ChrootDirectory /sftpusers/%u

Home directory for user mary (and all other sftpusers) is /homedir.
So, sftp locks up the chroot in /home/mary, and the user is dropped into
/homedir by default, which is actually /home/mary/homedir.  Now, they
can read and write in their default directory (not their root), they can
chdir back out of their RW directory, but see nothing else, as there is
nothing to see.

Another way to do it, almost simpler, is /home/mary/home/mary

Now /home/mary is owned by root, /home/mary/home/mary is owned by Mary.
 The chroot is /home/mary, and the default directory becomes
/home/mary within the chroot.  Almost simpler.  Though I admit if I
saw this on a machine without understanding why, I'd think unpleasant
things about the administrator. :)

Nick.


 On 01.05.2015 at 15:15, Nick Holland wrote:
 On 05/01/15 07:07, Markus Rosjat wrote:
 hi there,

 I'm just doing some testing with sftp access and I stumbled over some things
 I don't get.

 if I use the chroot I would assume the user can't browse to the root dir
 but it seems he can.
 Do I get the whole chroot thing wrong here?
 You get the idea, but you aren't implementing it right, and thus the
 chroot isn't working.

 since I want my user to have full access to his home I use the following 
 setup in sshd_config
 
 Match Group sftpuser
  ChrootDirectory /var/sftp
  ForceCommand internal-sftp -d %u
  AllowTCPForwarding no
  X11Forwarding no
 
 I set sshd up to just use key auth and gave the user a nologin because I
 just want him to use sftp. I checked it with a shell so I know the key
 gets accepted, but with the nologin and sftp I can't log in.
 So it seems the statement "we don't need a shell for sftp" is not working.
 are you using internal-sftp?

 yes

 I used a different home dir for the sftp users and applied the suggested
 permissions and ownership but it doesn't seem to work

 /var/sftp - root:sftpuser  0100

 changed that to root:wheel 0711

 /var/sftp/testuser - testuser:sftpuser 0750
 and I presume testuser is your login name?

 yeah, like I said, I'd like to give the user full access to his home; the 
 group permission may be removed if it works without

 man sshd_config
 search for ChrootDirectory.

 At session startup sshd(8) checks that all
 components of the pathname are root-owned directories which are
 not writable by any other user or group.

 You aren't doing that.

 no, I just tell ssh that the home is the directory above and move the 
 user to his real home

 Yes, that looks strange.  Your SFTP user's home dir they will be
 chrooted in has to be owned by ... ROOT!  AND they can't have
 permissions there!  (Who's home is this anyway??)

 someone who doesn't need to live in the real home ;)


 Now...inside that directory, you can create writable directories.

 There is a reason for this (of course) -- you don't want your chroot
 user creating a /etc and /dev et al. directories which could be
 influencing other chroot'ed applications.

 Nick.



Re: a few question about sftp

2015-05-01 Thread Nick Holland
On 05/01/15 07:07, Markus Rosjat wrote:
 hi there,
 
 I'm just doing some testing with sftp access and I stumbled over some things 
 I don't get.
 
 if I use the chroot I would assume the user can't browse to the root dir  
 but it seems he can.
 Do I get the whole chroot thing wrong here?

You get the idea, but you aren't implementing it right, and thus the
chroot isn't working.

 I set sshd up to just use key auth and gave the user a nologin because I 
 just want him to use sftp. I checked it with a shell so I know the key 
 gets accepted, but with the nologin and sftp I can't log in.
 So it seems the statement "we don't need a shell for sftp" is not working.

are you using internal-sftp?

 I used a different home dir for the sftp users and applied the suggested 
 permissions and ownership but it doesn't seem to work
 
 /var/sftp - root:sftpuser  0100
 /var/sftp/testuser - testuser:sftpuser 0750

and I presume testuser is your login name?

man sshd_config
search for ChrootDirectory.

   At session startup sshd(8) checks that all
   components of the pathname are root-owned directories which are
   not writable by any other user or group.

You aren't doing that.

Yes, that looks strange.  Your SFTP user's home dir they will be
chrooted in has to be owned by ... ROOT!  AND they can't have
permissions there!  (Who's home is this anyway??)

Now...inside that directory, you can create writable directories.

There is a reason for this (of course) -- you don't want your chroot
user creating a /etc and /dev et al. directories which could be
influencing other chroot'ed applications.

Nick.



Re: a few question about sftp

2015-05-01 Thread Markus Rosjat

well I got it running to a point where my user got logged in to his home dir.
he is now chrooted to /var/sftp because this one is owned by root and 
not writeable for others.
still can jump from home dir (well, it's not really this home) 
/var/sftp/testsftp to the root (which is the actual home) /var/sftp

is there something I can do to prevent this last no go?

On 01.05.2015 at 15:15, Nick Holland wrote:

On 05/01/15 07:07, Markus Rosjat wrote:

hi there,

I'm just doing some testing with sftp access and I stumbled over some things
I don't get.

if I use the chroot I would assume the user can't browse to the root dir
but it seems he can.
Do I get the whole chroot thing wrong here?

You get the idea, but you aren't implementing it right, and thus the
chroot isn't working.
since I want my user to have full access to his home I use the following 
setup in sshd_config


Match Group sftpuser
ChrootDirectory /var/sftp
ForceCommand internal-sftp -d %u
AllowTCPForwarding no
X11Forwarding no


I set sshd up to just use key auth and gave the user a nologin because I
just want him to use sftp. I checked it with a shell so I know the key
gets accepted, but with the nologin and sftp I can't log in.
So it seems the statement "we don't need a shell for sftp" is not working.

are you using internal-sftp?

yes

I used a different home dir for the sftp users and applied the suggested
permissions and ownership but it doesn't seem to work

/var/sftp - root:sftpuser  0100

changed that to root:wheel 0711

/var/sftp/testuser - testuser:sftpuser 0750

and I presume testuser is your login name?
yeah, like I said, I'd like to give the user full access to his home; the 
group permission may be removed if it works without

man sshd_config
search for ChrootDirectory.

At session startup sshd(8) checks that all
components of the pathname are root-owned directories which are
not writable by any other user or group.

You aren't doing that.
no, I just tell ssh that the home is the directory above and move the 
user to his real home

Yes, that looks strange.  Your SFTP user's home dir they will be
chrooted in has to be owned by ... ROOT!  AND they can't have
permissions there!  (Who's home is this anyway??)

someone who doesn't need to live in the real home ;)


Now...inside that directory, you can create writable directories.

There is a reason for this (of course) -- you don't want your chroot
user creating a /etc and /dev et al. directories which could be
influencing other chroot'ed applications.

Nick.



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227
