chrooting user causes "connection closed" message when using sftp
These problems are always easier when debugged from the server side. I recommend starting a second server in debug mode with something like /usr/sbin/sshd -p 2222 -d. Then you can connect from your client with sftp -P 2222 user@remotehost, and expect the server to tell you why it is disconnecting. Most likely there is a permissions problem; my guess is that you aren't meeting the requirement that the home directory be owned by root.
George Reith
Updated on September 18, 2022
Comments
-
George Reith over 1 year:
First off I am a Linux newbie so please don't assume much knowledge. I am using CentOS 5.8 (final) and using OpenSSH version 5.8p1.
I have made a user playwithbits and I am attempting to chroot them to the directory home/nginx/domains/playwithbits/public
I am using the following Match statement in my sshd_config file:

Match group web-root-locked
    ChrootDirectory /home/nginx/domains/%u/public
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand /usr/libexec/openssh/sftp-server

# id playwithbits
returns:
uid=504(playwithbits) gid=504(playwithbits) groups=504(playwithbits),507(web-root-locked)

I have changed the user's home directory to: home/nginx/domains/playwithbits/public
Now when I attempt to sftp in with this user I instantly get the message: connection closed
Does anyone know what I am doing wrong?
Edit: Following advice from @Dennis Williamson I have connected in debug mode (I think... correct me if I'm wrong).
I have made a bit of progress by using chmod to set permissions recursively of all files in the directory to 700. Now I get the following messages when I attempt to log on (still connection refused):

Connection from [My ip address] port 38737
debug1: Client protocol version 2.0; client software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user playwithbits service ssh-connection method none
debug1: attempt 0 failures 0
debug1: user playwithbits matched group list web-root-locked at line 91
debug1: PAM: initializing for "playwithbits"
debug1: PAM: setting PAM_RHOST to [My host info]
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user playwithbits service ssh-connection method password
debug1: attempt 1 failures 0
debug1: PAM: password authentication accepted for playwithbits
debug1: do_pam_account: called
Accepted password for playwithbits from [My ip address] port 38737 ssh2
debug1: monitor_child_preauth: playwithbits has been authenticated by privileged process
debug1: SELinux support disabled
debug1: PAM: establishing credentials
User child is on pid 3942
debug1: PAM: establishing credentials
Changed root directory to "/home/nginx/domains/playwithbits/public"
debug1: permanently_set_uid: 504/504
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp by user playwithbits
debug1: subsystem: cannot stat /usr/libexec/openssh/sftp-server: Permission denied
debug1: subsystem: exec() /usr/libexec/openssh/sftp-server
debug1: Forced command (config) '/usr/libexec/openssh/sftp-server'
debug1: session_new: session 0
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 3943
debug1: session_exit_message: session 0 channel 0 pid 3943
debug1: session_exit_message: release channel 0
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Received disconnect from [My ip address]: 11: disconnected by user
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
-
loislo almost 12 years: Can you verify that the user can get to that directory and whether that might be the issue?
-
George Reith almost 12 years: @JeffFerland If I remove the chroot command and sftp in I am able to navigate to the directory with that user.
-
George Reith almost 12 years: Thanks... I get the following:
bad ownership or modes for chroot directory component "/home/nginx/domains/"
I have tried chown -R root:root /home/nginx/domains to no avail; do you know how I could fix this?
-
George Reith almost 12 years: I have also chmodded recursively everything in that folder to 700
-
George Reith almost 12 years: Now I have chmodded, the error has changed to:
debug1: subsystem: cannot stat /usr/libexec/openssh/sftp-server: Permission denied
and then later it just says (after a few more messages):
Received disconnect from [My IP address]: 11: disconnected by user
-
George Reith almost 12 years: Thanks, I'm not sure how to check this though. I have updated my question with debug information if that helps.
-
gkephorus over 8 years: With me I got "subsystem: cannot stat /usr/lib/openssh/sftp-server: No such file or directory". I had to change the setting "Subsystem sftp" in /usr/libexec/openssh/sftp-server; now it works (on CentOS 7.0).