Chrooted ssh user cannot ssh into server: broken pipe
Solution 1
Setting up chroot for general SSH access is a lot more difficult than setting up chroot for just SFTP. The "internal-sftp" feature doesn't require the SSH server to launch any external programs, so the chroot environment doesn't have to support running external programs. To provide general SSH access, you have to configure the chroot environment with additional files to let it launch external programs.
The details of setting up a chroot environment depend on the specific operating system that you're running. Here are several example pages which should give you an idea of what needs to be done.
- http://allanfeid.com/content/creating-chroot-jail-ssh-access
- http://wiki.gentoo.org/wiki/Chroot (Gentoo Linux)
- https://www.gentoo.org/proj/en/base/x86/chroot.xml (Gentoo again)
- http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
- https://help.ubuntu.com/community/BasicChroot (Ubuntu)
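Solution 1 states the requirement (a shell chroot needs the binaries and libraries that internal-sftp does not) without showing it. The following added script is not from the answer or from the linked pages; it shows the concrete steps a practitioner takes on a glibc-based Linux host with ldd(1) and getent(1): copy the user's login shell and a few utilities together with their shared libraries, create the device nodes and passwd/group entries a shell expects, keep the chroot directory itself root-owned and not group/other writable, and emit the sshd_config Match block without a ForceCommand. The jail path /srv/jail and the user name alice are hypothetical; build_jail must run as root.

```shell
#!/bin/sh
# Added example, not code from the answer above. Builds a chroot that can host an
# interactive SSH shell (not only internal-sftp). Assumes a glibc-based Linux host
# with ldd(1) and getent(1); the jail path and user name are hypothetical.
set -eu

# Copy a binary into the jail together with every shared library ldd(1) reports,
# including the dynamic loader. Usage: copy_with_deps /srv/jail /bin/bash
copy_with_deps() {
    jail="$1"
    bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    [ -f "$jail$bin" ] || cp "$bin" "$jail$bin"
    # ldd prints "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" for
    # libraries and "/lib64/ld-linux-x86-64.so.2 (0x...)" for the loader;
    # "linux-vdso.so.1" and "statically linked" lines carry no path and are skipped.
    ldd "$bin" 2>/dev/null \
        | awk '/=>/ { print $3 } /^[[:space:]]*\// { print $1 }' \
        | while read -r lib; do
            [ -n "$lib" ] && [ -f "$lib" ] || continue
            mkdir -p "$jail$(dirname "$lib")"
            [ -f "$jail$lib" ] || cp "$lib" "$jail$lib"
        done
}

# Print the sshd_config fragment for the user. No ForceCommand, so sshd executes
# the login shell from the host's passwd entry inside the jail.
print_sshd_match() {
    user="$1"
    jail="$2"
    printf 'Match User %s\n    ChrootDirectory %s\n    AllowTcpForwarding no\n    X11Forwarding no\n' \
        "$user" "$jail"
}

# Populate the jail for an interactive login. Must run as root.
build_jail() {
    jail="$1"
    user="$2"
    # sshd refuses the chroot unless this directory and every parent are
    # root-owned and not group/other writable ("bad ownership or modes").
    mkdir -p "$jail"
    chown root:root "$jail"
    chmod 755 "$jail"
    # sshd execs the shell named in the host's passwd entry after the chroot,
    # so that exact path must exist inside the jail.
    shell="$(getent passwd "$user" | cut -d: -f7)"
    [ -n "$shell" ] || { echo "no passwd entry for $user" >&2; return 1; }
    for bin in "$shell" /bin/ls /bin/cat /bin/id; do
        [ -x "$bin" ] || continue
        copy_with_deps "$jail" "$bin"
    done
    # Minimal device nodes and name lookups the shell expects.
    mkdir -p "$jail/dev" "$jail/etc"
    [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    [ -c "$jail/dev/tty" ]  || mknod -m 666 "$jail/dev/tty"  c 5 0
    getent passwd root "$user" > "$jail/etc/passwd"
    getent group root "$(id -gn "$user")" > "$jail/etc/group"
    # After the chroot, sshd chdirs to the home directory from the passwd entry,
    # resolved relative to the jail; that directory may belong to the user.
    home="$(getent passwd "$user" | cut -d: -f6)"
    mkdir -p "$jail$home"
    chown "$user" "$jail$home"
}

# Usage: sh build_jail.sh /srv/jail alice
# Then append the printed Match block to /etc/ssh/sshd_config and reload sshd.
if [ "$#" -ge 2 ]; then
    build_jail "$1" "$2"
    print_sshd_match "$2" "$1"
fi
```

The Match block must come after all global directives in sshd_config, since everything below a Match line belongs to that block; the home directory inside the jail may be user-owned, but the ChrootDirectory and its parents must not be.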
Solution 2
ForceCommand internal-sftp
You won't be able to ssh into the system if you are forcing internal-sftp.
You likely have other configuration problems too; for instance, I expect you're not meeting the user:group ownership requirements. From the documentation:
ChrootDirectory Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user’s home directory.
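The ownership rule quoted above is enforced by sshd before it chroots, and a failure is only visible server-side: the daemon logs "bad ownership or modes for chroot directory component" to the auth log and closes the session right after authentication, which the client reports as "Broken pipe" or "Connection reset by peer". The following added script is not part of the answer; it reproduces that check so the path can be verified before restarting sshd. It assumes GNU stat(1) and an absolute path; the paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the answer above. Reproduces the check sshd(8) applies
# to ChrootDirectory: the directory and every parent must be owned by root and
# must not be writable by group or other. Assumes GNU stat(1); paths are hypothetical.
set -eu

# Return 0 if one path component is acceptable: uid 0 and no group/other write bit.
# Mode is the octal string printed by stat -c %a ("755", "1777", "2775", ...).
component_ok() {
    uid="$1"
    mode="$2"
    [ "$uid" = 0 ] || return 1
    tail="${mode#"${mode%??}"}"      # last two octal digits: group, other
    group="${tail%?}"
    other="${tail#?}"
    case "$group$other" in
        *[2367]*) return 1 ;;        # 2, 3, 6 and 7 are the digits with the write bit set
    esac
    return 0
}

# Walk from the chroot directory up to /, printing every offending component.
# Returns 0 when every component passes, 1 otherwise.
check_chroot_path() {
    path="$1"
    status=0
    while :; do
        set -- $(stat -c '%u %a' "$path")
        if ! component_ok "$1" "$2"; then
            echo "bad ownership or modes for chroot component \"$path\": uid=$1 mode=$2"
            status=1
        fi
        [ "$path" = / ] && break
        path="$(dirname "$path")"
    done
    return $status
}

# Usage: sh check_chroot.sh /home/me/public_html
# A user-owned or 775 directory anywhere on the path, or a chroot placed under
# /tmp (mode 1777), is reported here exactly as sshd would reject it.
if [ "$#" -ge 1 ]; then
    check_chroot_path "$1"
fi
```

The check walks every parent, so a directory such as /home/me/public_html fails on the user-owned /home/me component as well as on the group-writable leaf; the fix is to make each component root:root with group and other write bits cleared, and to give the user a writable subdirectory beneath the chroot rather than the chroot itself.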
rhand, updated on September 18, 2022
Comments
- rhand, almost 2 years ago:
I just tried the following to add a new user, chroot the user and give him access to the folder /home/me/public_html via sftp and ssh:
    ## the following commands are done by root or a sudo user
    useradd <username>
    ## add password for new user
    passwd <username>
    ## add user to sudo group which could be wheel or sudo depending on your setup
    ## (-a appends; a bare -G replaces the whole supplementary group list, so the
    ## second usermod below would otherwise remove the user from wheel again)
    usermod -aG wheel <username>
    ## add user to apache as the public html folder is part of that group
    usermod -aG apache <username>
    ## Edit sshd_config to chroot the user. Path here below is on CentOS or Red Hat, with the nano editor up and running
    nano /etc/ssh/sshd_config
    ## at the end of the file add
    Match User <username>
        ChrootDirectory /path/of/choice
        ForceCommand internal-sftp
    ## Control-X and save
    service sshd restart
in sshd_config I have now
    Match User <username>
        ChrootDirectory /home/me/public_html
The ForceCommand internal-sftp line has been removed, as there is no need to disallow SSH access, based upon the comment made here below.
When I try to log in now I see
    ssh <username>@domain.com
    debug1: Next authentication method: password
    <username>@domain.com's password:
    debug1: Authentication succeeded (password).
    Authenticated to domain.com ([xx.xxx.xx.xxx]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    Write failed: Broken pipe
Using SFTP, in the log I see
    Trace: Sent password
    Trace: Access granted
    Trace: Connection reset by peer
    Error: Connection reset by peer
    Error: Could not connect to server
- user9517, about 10 years ago: I don't think you quite understand how this all works. You ask a question and get answers to that question. Changing the question mid flow really doesn't help anyone. Your problem is you're not reading the documentation - honestly it's there for a reason.
- rhand, about 10 years ago: I am using chroot for the first time and am pretty new to the server admin business, yes. Why would I otherwise bother asking questions like these? I am trying to figure this out and have been working on adding users, adding them to groups and implementing chroot, because I do not want the new user to access all, for the last 2 hours. So yes, I do not get it all. But I am not just punching some code. I read and learn as much as I can and I ask for help to move on. The answer given was appreciated.
- user9517, about 10 years ago: Well, the important thing to learn when doing something new is to read the documentation. I can't stress that enough.
- frumbert, over 8 years ago: @Iain reading the documentation is great. Understanding the documentation isn't as easy for some. Perhaps you could point out some key areas.
- user9517, over 8 years ago: @frumbert I no longer provide Reading Manuals as a Service. If you look at my answer, I did at the time though.
- user9517, about 10 years ago: Then you have more problems; most likely you forgot to make /home/me/public_html owned by root with group root.
- rhand, about 10 years ago: The public_html folder I want to give the user access to is owned by apache and I added that user to it. I wonder why it should be owned by root? It is owned by another user now, but in the group apache and chmod 755. Even with 775
    drwxrwxr-x 2 me apache 4096 Jun 18 17:42 public_html
no joy.
- user9517, about 10 years ago: Please read the documentation; it contains important information that you need to know and address.
- rhand, about 10 years ago: I made /var/www/ root:root (the folder above the public folder) and /var/www/html user:apache and I made progress. Just as you mentioned, I am missing some essential files, which is why external programs like SSH do not function. That is why I had the error
    /bin/bash: No such file or directory
Sure, I will work these out based upon the first link you added. Thanks!