Thread: openssh - sftp with filezilla, ChrootDirectory issue

  1. #1
    Join Date
    Aug 2009
    Beans
    48

    openssh - sftp with filezilla, ChrootDirectory issue

    Hi,

    I have openssh installed and it works great right out of the box. However, I don't want people accessing everything on my machine.

    My machine is behind NAT and ufw firewall. I have configured both so that port 22 is open. I've added the new users I want to have limited access and assigned them to group "sambashare" (just because it's convenient).

    When the bottom bit of my config file "/etc/ssh/sshd_config" is set as shown below, everything works great:

    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp

    UsePAM yes

    Match Group sambashare

    # ChrootDirectory /media/Media/Public
    ForceCommand internal-sftp
    AllowTcpForwarding no

    Whenever I make the change to enable "ChrootDirectory" so that it limits the users' access, I simply remove the # and it looks like this:


    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp

    UsePAM yes

    Match Group sambashare

    ChrootDirectory /media/Media/Public
    ForceCommand internal-sftp
    AllowTcpForwarding no

    However, that's when I start running into problems. When I try logging in with Filezilla, I am not able to connect and this is the response I get from Filezilla:

    Status: Connecting to ##.###.###.###...
    Response: fzSftp started
    Command: open "user@##.###.###.###" 22
    Command: Trust new Hostkey: Once
    Command: Pass: ********
    Error: Could not connect to server

    Anyone know how to get this up and running?

  2. #2
    Join Date
    Apr 2008
    Beans
    98

    Re: openssh - sftp with filezilla, ChrootDirectory issue

    What are the directory permissions on the Chroot'ed folder?

  3. #3
    Join Date
    Aug 2009
    Beans
    48

    Re: openssh - sftp with filezilla, ChrootDirectory issue

    Hi,
    Is this what you are asking for? It's information for the disk.

    drwxrwxr-x 6 zidaps sambashare 4096 2010-02-04 00:09 Media

    Info on the folder I want to share is:

    drwxrwxrwx 10 zidaps sambashare 4096 2010-02-04 23:55 Public

    Thanks

  4. #4
    Join Date
    Apr 2008
    Beans
    98

    Re: openssh - sftp with filezilla, ChrootDirectory issue

    The directory in which to chroot() must be owned by root.

    Change ownership and see what happens.

  5. #5
    Join Date
    Aug 2009
    Beans
    48

    Re: openssh - sftp with filezilla, ChrootDirectory issue

    Hi,

    The problem persists... I've changed the owner of the folder to "root"

    drwxrwxrwx 10 root sambashare 4096 2010-02-04 23:55 Public

    Any other possible solutions or suggestions?
    Thanks

  6. #6
    Join Date
    Aug 2009
    Beans
    48

    Re: openssh - sftp with filezilla, ChrootDirectory issue

    Ok, so this issue is solved with the help of "gsgleason" on the Ubuntu IRC room.

    It seems as though all directories need to be root and permissions need to be non-writable...

    So do the following in terminal:

    For ownership:

    sudo chown -R root.root /media

    For permissions:

    sudo chmod -R 755 /media

    *Not only does the directory need to be root, all parent directories need to be root.

    So for "/media/Media/Public"... ownership needs to be root for all - media, Media and Public.

    You can do that by doing the following in terminal as shown above:

    sudo chown -R root.root /media
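
The rule the thread arrives at is the one in sshd_config(5): every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others. The script below is an added example, not part of the original thread; it walks a path such as /media/Media/Public up to / and reports each component that breaks the rule (the `drwxrwxrwx` Public directory shown above would be flagged). The function names `check_dir` and `check_chroot_path` are hypothetical, and the optional UID argument exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against the sshd_config(5) rule
# that every path component is a root-owned directory with no group/other write.

# check_dir DIR [UID] (hypothetical helper): 0 if DIR is a directory owned by
# UID (default 0 = root) and not group- or world-writable, else 1 plus a reason.
check_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi
    # ls -ldn prints e.g. "drwxrwxrwx 10 1000 124 4096 ... Public" (numeric ids)
    info=$(ls -ldn -- "$dir" | awk 'NR == 1 { print $1 " " $3 }')
    perms=${info% *}
    uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"
        return 1
    fi
    case $perms in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $dir: $perms is group- or world-writable"
            return 1 ;;
    esac
    echo "ok   $dir ($perms)"
}

# check_chroot_path PATH [UID]: apply check_dir to PATH and each parent up to /.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    status=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: must be an absolute path"; return 2 ;;
    esac
    while :; do
        check_dir "$path" "$want_uid" || status=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $status
}

# Usage: sh check_chroot.sh /media/Media/Public
[ $# -eq 0 ] || check_chroot_path "$1"
```

A non-zero exit status means at least one component would make sshd refuse the chroot; the FAIL lines name the directories to fix.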
