Howto create chrooted Openssh SFTP without shell access through rssh.

[fozzyuw]

FYI, this is much easier now that the openssh package in Interpid is above version 4.8.

rssh is no longer necessary.

see: http://www.debian-administration.org/articles/590

Actually, it is easier to get chroot with OpenSSH 4.9+ (5.1 on Ubuntu 8.10), however, you cannot set umask using this method.

For whatever reason (I cannot seem to find why or a solution) the umask is always being set at the roots umask which is "umask 133" or "rw-r--r--".

I'm trying to get it to allow groups to write any files uploaded as well... "rw-rw-r--" or "umask 113". However, I've googled several sources that have you making a script wrapper, or editing /etc/init.d/ssh to add the umask, etc.

I've yet to get one of those to work, so I'm trying this out.

My test case is transfering a txt file from windows using WinSCP to my Ubuntu box. Every file I transfer ends up with "rw-r--r--". Even when I "sudo touch somefile.txt" I get the same thing.

I'm trying rssh out to see if this will solve the problem. At least until they have some sort of default "umask" setting for OpenSSH via sftp.

[joech]

Hi,

This is a great tutorial!

I was able to set up sftp in a chrooted jail on intrepid and was running fine until after (I think) I upgraded to jaunty. Now, when I use WinSCP to access the system, I get the following error:

"Connection has been unexpectedly closed. Server sent command exit status 1.
Cannot initialize SFTP protocol. Is the host running a SFTP server?"

Any help with getting this working again is much appreciated.

Thanks
Joe

[joech]

Never mind! I was able to get it working again. It seems the upgrade process reset the setuid root step. I reran the following step from the tutorial and everything is back to the way it was before! Joy! Hopefully this will help someone else with the same issue.



In order for the chrooting process to work, "/usr/lib/rssh/rssh_chroot_helper" has to be setuid root. (Note: this path is relative to real root, not chroot root.) To setuid root, run the command:
Code:
sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper

[Stan*]

Many thanks for this howto! One try and it works Excellent work.

I've one question though: Can I chroot a user to their own home folder? Because now they can read the whole chroot-folder, above their own home folder.

Thanks in advance. Excellent post.

[jchau]

Many thanks for this howto! One try and it works Excellent work.

I've one question though: Can I chroot a user to their own home folder? Because now they can read the whole chroot-folder, above their own home folder.

Thanks in advance. Excellent post.

You're welcome. My answer is no and yes.

No, you can't hide that stuff in the chroot folder from the user with the rssh setup. They need to be accessible in order for the setup to work. That said, the steps in the tutorial removed most, if not all, of the sensitive information from the files in the chroot folder and only kept the stuff necessary for operation.

But yes, you can create an equivalent setup where only the user's home folder is accessible to the user. I just updated the main post for this thread with information on how to do this. (The reason why my original tutorial didn't take this new approach was because this new approach uses features that appeared after I wrote the original tutorial).

Basically, you use the ChrootDirectory, ForceCommand, Match, and Subsystem keywords in your sshd_config to implement the same chrooted SFTP without a shell access for a user.

I haven't tried it myself yet (and I probably won't be able to post a new Ubuntu tutorial myself since I'm using Gentoo Linux instead now), but there are many articles about how to do so; here are a few:

• OpenSSH SFTP chroot() with ChrootDirectory (from debian-administration.org).
• Chroot users with OpenSSH: An easier way to confine users to their home directories (techrepublic.com)

[narcisgarcia]

I've seen this guide for chrooted SFTP, and I've learnt from a lot of tutorials as this. Here my compendium to configure better clients and servers:

http://wiki.lapipaplena.org/index.ph..._SFTP_accesses

(special care of users and permissions)

[dkerlee]

I realize that this is years old, but I just got mine working. I was having a problem similar to this one.

My problem was in /etc/rssh.conf

I had uncommented chrootpath = '/home/chroot'

So I recommented that line, and badda bing.

I didn't want to lock this guy into /home/chroot, I wanted him to be able to log into his /home/user dir, but not grant ssh access.

Hi Jimmy,

Got it working! For your own peace of mind , here's the information you were looking for:

First, the verbose output of an sftp attempt.

Code:

user@ubuntubox:~$ sftp -v -v sft@localhost
Connecting to localhost...
OpenSSH_4.1p1 Debian-7ubuntu4.1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1p1 Debia n-7ubuntu4.1
debug1: match: OpenSSH_4.1p1 Debian-7ubuntu4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-gro up14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c tr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c tr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-gro up14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c tr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c tr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 483/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:8
debug2: bits set: 475/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/id_rsa ((nil))
debug2: key: /home/user/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
sft@localhost's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
Connection closed

Second, the syslog entries for the sftp attempt.

Code:

user@ubuntubox:~$ sudo cat /var/log/syslog | tail -8
Apr 16 23:34:16 localhost rssh[26642]: setting log facility to LOG_USER
Apr 16 23:34:16 localhost rssh[26642]: allowing sftp to all users
Apr 16 23:34:16 localhost rssh[26642]: setting umask to 022
Apr 16 23:34:16 localhost rssh[26642]: chrooting all users to /home/chroot
Apr 16 23:34:16 localhost rssh[26642]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper "/home/chroot" 2 "/home/sft" /usr/lib/sftp-server
Apr 16 23:34:17 localhost rssh_chroot_helper[26642]: new session for sft, UID=1004
Apr 16 23:34:17 localhost rssh_chroot_helper[26642]: could not cd to user's home dir: /home/sft
Apr 16 23:34:17 localhost rssh_chroot_helper[26642]: execv() failed, /usr/lib/sftp-server: No such file or directory

Alright, I first noticed that chrooted /home/sft (i.e. /home/chroot/home/sft) could not be cd'd to, so I created a directory like that but I didn't think that would have much of an effect... and right I was. Another failure to sftp. The syslog entries for this attempt:

Code:

user@ubuntubox:~$ sudo cat /var/log/syslog | tail -7
Apr 16 23:45:29 localhost rssh[26982]: setting log facility to LOG_USER
Apr 16 23:45:29 localhost rssh[26982]: allowing sftp to all users
Apr 16 23:45:29 localhost rssh[26982]: setting umask to 022
Apr 16 23:45:29 localhost rssh[26982]: chrooting all users to /home/chroot
Apr 16 23:45:29 localhost rssh[26982]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper "/home/chroot" 2 "/home/sft" /usr/lib/sftp-server
Apr 16 23:45:29 localhost rssh_chroot_helper[26982]: new session for sft, UID=1004
Apr 16 23:45:29 localhost rssh_chroot_helper[26982]: execv() failed, /usr/lib/sftp-server: No such file or directory

Okaaaay... now it's looking for /usr/lib/sftp-server (i.e. /home/chroot/usr/lib/sftp-server). Why is it looking for that? I thought it would be looking for /lib/sftp-server (i.e. /home/chroot/lib/sftp-server). Let's have a look at the entire contents of /home/chroot

Code:

user@ubuntubox:/home/chroot$ ls -lR
.:
total 20
drwxr-xr-x  2 root root 4096 2006-04-16 07:40 dev
drwxr-xr-x  2 root root 4096 2006-04-16 23:41 etc
drwxr-xr-x  3 root root 4096 2006-04-16 23:41 home
drwxr-xr-x  3 root root 4096 2006-04-16 23:45 lib
drwxr-xr-x  4 root root 4096 2006-04-14 20:44 usr

./dev:
total 0
srw-rw-rw-  1 root root 0 2006-04-16 07:40 log

./etc:
total 76
-rw-r--r--  1 root root 56431 2006-04-14 20:44 ld.so.cache
-rw-r--r--  1 root root    63 2006-04-14 20:44 ld.so.hwcappkgs
-rw-r--r--  1 root root   465 2006-04-14 20:44 nsswitch.conf
-rw-r--r--  1 root root    64 2006-04-16 23:41 passwd
-rw-r--r--  1 root root    76 2006-04-16 23:33 passwd~

./home:
total 4
drwxr-xr-x  2 root root 4096 2006-04-16 23:41 sft

./home/sft:
total 0

./lib:
total 260
-rwxr-xr-x  1 root root 88168 2006-04-14 20:47 ld-linux.so.2
-rw-r--r--  1 root root 26332 2006-04-14 20:49 libnss_compat.so.2
-rw-r--r--  1 root root 34268 2006-03-24 14:34 libnss_files-2.3.5.so
lrwxrwxrwx  1 root root    21 2006-04-14 20:44 libnss_files.so.2 -> libnss_files-2.3.5.so
-rw-r--r--  1 root root 68084 2006-04-14 20:44 libselinux.so.1
-rwxr-xr-x  2 root root 27184 2006-04-14 20:44 sftp-server
drwxr-xr-x  3 root root  4096 2006-04-14 20:44 tls

./lib/tls:
total 4
drwxr-xr-x  3 root root 4096 2006-04-14 20:44 i686

./lib/tls/i686:
total 4
drwxr-xr-x  2 root root 4096 2006-04-14 20:44 cmov

./lib/tls/i686/cmov:
total 1408
-rw-r--r--  1 root root   21864 2006-04-14 20:44 libcrypt.so.1
-rw-r--r--  1 root root 1229936 2006-04-14 20:44 libc.so.6
-rw-r--r--  1 root root    9580 2006-04-14 20:44 libdl.so.2
-rw-r--r--  1 root root   76760 2006-04-14 20:44 libnsl.so.1
-rw-r--r--  1 root root   67364 2006-04-14 20:44 libresolv.so.2
-rw-r--r--  1 root root    9656 2006-04-14 20:44 libutil.so.1

./usr:
total 8
drwxr-xr-x  2 root root 4096 2006-04-14 20:44 bin
drwxr-xr-x  5 root root 4096 2006-04-14 20:44 lib

./usr/bin:
total 56
-rwxr-xr-x  1 root root 18960 2006-04-14 20:44 rssh
-rwxr-xr-x  1 root root 34884 2006-04-14 20:44 scp

./usr/lib:
total 92
drwxr-xr-x  3 root root  4096 2006-04-14 20:44 i686
-rw-r--r--  1 root root 77208 2006-04-14 20:44 libz.so.1
drwxr-xr-x  2 root root  4096 2006-04-14 20:44 openssh
drwxr-xr-x  2 root root  4096 2006-04-14 20:44 rssh

./usr/lib/i686:
total 4
drwxr-xr-x  2 root root 4096 2006-04-14 20:44 cmov

./usr/lib/i686/cmov:
total 1004
-rw-r--r--  1 root root 1022224 2006-04-14 20:44 libcrypto.so.0.9.7

./usr/lib/openssh:
total 28
-rwxr-xr-x  2 root root 27184 2006-04-14 20:44 sftp-server

./usr/lib/rssh:
total 8
-rwsr-xr-x  1 root root 6680 2006-04-14 20:44 rssh_chroot_helper

Right, sftp-server is present in /home/chroot/usr/lib/openssh and /home/chroot/lib/. Now, let's make a link in /home/chroot/usr/lib...

Code:

user@ubuntubox:/home/chroot$ sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/

And try to sftp in...

Code:

user@ubuntubox:~$ sftp sft@localhost
Connecting to localhost...
sft@localhost's password:
sftp> pwd
Remote working directory: /home/sft
sftp> ls
test.txt
sftp> get test.txt
Fetching /home/sft/test.txt to test.txt
/home/sft/test.txt                            100%    6     0.0KB/s   00:00
sftp> bye
user@ubuntubox:~$ cat ./test.txt
Successful sftp test!

Ta-daa! I am honestly not sure what went wrong during setup - was it because my /etc/sshd_config points at /usr/lib/sftp-server as the location of sftp-server?

Code:

user@ubuntubox:~$ cat /etc/ssh/sshd_config | grep sftp
Subsystem sftp /usr/lib/sftp-server

Anyway, I'm just glad to get it working. Thanks for your help, Jimmy!

// Dave

[narcisgarcia]

You can proceed as in my tutorial with OpenSSH, but setting chroot directory to the $HOME in /etc/ssh/sshd_config:

Code:

ChrootDirectory %h

If this is only for 1 user (not for all SFTP-only), you can write a "Match" clause for him:

Code:

Match User myname

With OpenSSH server 4.8 or above, you can avoid RSSH patch.

[vilwarin]

I am trying the sftp / rssh approach as described in this tutorial and the 11 pages following it.

I am using LDAP for users, so I think I cannot use the new OpenSSH/chroot-jail approach (linked here: http://www.debian-administration.org/articles/590), because the Match directive only seems to allow local users and groups (and not ldap)

So rssh works without chroot-jail, i.e. if I disable

Code:

#chrootpath = "/srv/ftp"

everything is working as it should. I can log on to the server with LDAP users, but cannot initiate ssh sessions. (all LDAP users have login-shell /usr/bin/rssh

However I want them restricted to the /srv/ftp directory, so I want it to work with chroot-jail. A sample sftp connection attempt looks like this

Code:

sftp -v -v harry@localhost
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/XXXXX/.ssh/id_rsa
debug1: Trying private key: /home/XXXXX/.ssh/id_dsa
debug1: Trying private key: /home/XXXXX/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
harry@localhost's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to localhost ([::1]:22).
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: fd 3 setting TCP_NODELAY
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1736, received 1472 bytes, in 0.2 seconds
Bytes per second: sent 7993.4, received 6777.8
debug1: Exit status 1
Connection closed

/var/log/syslog looks like this

Code:

rssh[13810]: setting log facility to LOG_USER
rssh[13810]: allowing scp to all users
rssh[13810]: allowing sftp to all users
rssh[13810]: setting umask to 022
rssh[13810]: chrooting all users to /srv/ftp
rssh[13810]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
slapd[10203]: connection_read(31): no connection!

/var/log/auth

Code:

sshd[13727]: pam_sm_authenticate: Called
sshd[13727]: pam_sm_authenticate: username = [harry]
sshd[13727]: Accepted password for harry from ::1 port 36959 ssh2
sshd[13727]: pam_unix(sshd:session): session opened for user harry by (uid=0)
sshd[13809]: subsystem request for sftp by user harry
sshd[13809]: Received disconnect from ::1: 11: disconnected by user
sshd[13727]: pam_unix(sshd:session): session closed for user harry
sshd[13727]: pam_winbind(sshd:setcred): request wbcLogoffUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
sshd[13727]: pam_winbind(sshd:setcred): failed to logoff user harry: WBC_ERR_AUTH_ERROR
sshd[13727]: pam_winbind(sshd:setcred): request wbcLogoffUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATrror: PAM_USER_, Error message was: age was: 
sshd[13727]: pam_winbind(sshd:setcred): internal module error (retval = (null)(1398101057), user = 'harry')

I checked all the suggestions here, especially

Code:

mknod -m 666 /home/chroot/dev/null c 1 3

and

Code:

chmod u+s /usr/lib/rssh/rssh_chroot_helper

as these seem to have been the most common mistakes.

I also checked that all libraries listed by ldd `which sftp`
are also located under /srv/ftp/lib
and that all bins listed by
rssh -v
are where they are listed at.

Now I am really out of ideas. Does any of you know what else could be the problem, or what else I could try?

Thanks a lot!