chrooting user causes "connection closed" message when using sftp


These problems are always easier when debugged from the server side. I recommend starting a second server in debug mode with something like /usr/sbin/sshd -p 2222 -d. Then you can connect from your client with sftp -P 2222 user@remotehost, and expect the server to tell you why it is disconnecting. Most likely there is a permissions problem; my guess is that you aren't meeting the requirement that the home directory be owned by root.
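As an added example (not from the answer above or from the OpenSSH project), the following POSIX shell script applies the same rule sshd applies to a ChrootDirectory, namely that every path component is owned by root and is neither group- nor world-writable (the "bad ownership or modes for chroot directory component" message in the comments is what sshd prints when this fails), and also checks that the forced sftp command exists inside the chroot. It assumes GNU stat as found on CentOS; the path and command names in the comments are the question's.

```shell
#!/bin/sh
# Added example (not from the post or OpenSSH): mirrors sshd's ChrootDirectory
# rule, every component root-owned and not group/world-writable, and checks
# that the forced sftp command exists inside the chroot. Assumes GNU stat.

# Pure check on one component, given uid and octal mode as printed by
# `stat -c '%u %a'`. Returns 0 when sshd would accept it, 1 otherwise.
check_component() {
    uid=$1 mode=$2 comp=$3
    o=${mode#"${mode%?}"}              # last digit: "other" permissions
    gm=${mode%?}; g=${gm#"${gm%?}"}    # second-to-last digit: "group"
    if [ "$uid" -ne 0 ]; then
        echo "$comp: owned by uid $uid, must be root" >&2; return 1
    fi
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
        echo "$comp: mode $mode is group- or world-writable" >&2; return 1
    fi
    return 0
}

# Print "/" and every ancestor of an absolute path, one per line.
chroot_components() {
    cur=""; echo /
    oldifs=$IFS; IFS=/
    for part in $1; do
        [ -n "$part" ] || continue
        cur="$cur/$part"; echo "$cur"
    done
    IFS=$oldifs
}

# Walk a real directory and check each ancestor; fails on the first bad one
# (e.g. the question's chroot /home/nginx/domains/playwithbits/public).
check_chroot_path() {
    chroot_components "$1" | while read -r comp; do
        st=$(stat -c '%u %a' "$comp") || exit 1
        set -- $st
        check_component "$1" "$2" "$comp" || exit 1
    done
}
# Inside a chroot an external ForceCommand/Subsystem path such as
# /usr/libexec/openssh/sftp-server is resolved relative to the chroot, so it
# must exist there; internal-sftp needs no binary at all.
check_sftp_command() {
    case "$2" in internal-sftp*) return 0 ;; esac
    [ -x "$1$2" ] && return 0
    echo "$2 missing inside $1; consider ForceCommand internal-sftp" >&2
    return 1
}
```

Run it as root on the server with, for example, `check_chroot_path /home/nginx/domains/playwithbits/public && check_sftp_command /home/nginx/domains/playwithbits/public /usr/libexec/openssh/sftp-server`; the first failing component or the missing binary is reported on stderr.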



Author: George Reith

Updated on September 18, 2022

Comments

  • George Reith
    George Reith over 1 year

    First off, I am a Linux newbie, so please don't assume much knowledge. I am using CentOS 5.8 (final) and OpenSSH version 5.8p1.

    I have made a user playwithbits and I am attempting to chroot them to the directory home/nginx/domains/playwithbits/public

    I am using the following match statement in my sshd_config file:

    Match group web-root-locked
        ChrootDirectory /home/nginx/domains/%u/public
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand /usr/libexec/openssh/sftp-server

    # id playwithbits returns: uid=504(playwithbits) gid=504(playwithbits) groups=504(playwithbits),507(web-root-locked)

    I have changed the user's home directory to: home/nginx/domains/playwithbits/public

    Now when I attempt to sftp in with this user I instantly get the message: connection closed

    Does anyone know what I am doing wrong?

    Edit: Following advice from @Dennis Williamson I have connected in debug mode (I think... correct me if I'm wrong).

    I have made a bit of progress by using chmod to set permissions recursively of all files in the directory to 700. Now I get the following messages when I attempt to log on (still connection refused):

    Connection from [My ip address] port 38737
    debug1: Client protocol version 2.0; client software version OpenSSH_5.6
    debug1: match: OpenSSH_5.6 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8
    debug1: permanently_set_uid: 74/74
    debug1: list_hostkey_types: ssh-rsa,ssh-dss
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: KEX done
    debug1: userauth-request for user playwithbits service ssh-connection method none
    debug1: attempt 0 failures 0
    debug1: user playwithbits matched group list web-root-locked at line 91
    debug1: PAM: initializing for "playwithbits"
    debug1: PAM: setting PAM_RHOST to [My host info]
    debug1: PAM: setting PAM_TTY to "ssh"
    debug1: userauth-request for user playwithbits service ssh-connection method password
    debug1: attempt 1 failures 0
    debug1: PAM: password authentication accepted for playwithbits
    debug1: do_pam_account: called
    Accepted password for playwithbits from [My ip address] port 38737 ssh2
    debug1: monitor_child_preauth: playwithbits has been authenticated by privileged process
    debug1: SELinux support disabled
    debug1: PAM: establishing credentials
    User child is on pid 3942
    debug1: PAM: establishing credentials
    Changed root directory to "/home/nginx/domains/playwithbits/public"
    debug1: permanently_set_uid: 504/504
    debug1: Entering interactive session for SSH2.
    debug1: server_init_dispatch_20
    debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
    debug1: input_session_request
    debug1: channel 0: new [server-session]
    debug1: session_new: session 0
    debug1: session_open: channel 0
    debug1: session_open: session 0: link with channel 0
    debug1: server_input_channel_open: confirm session
    debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
    debug1: server_input_channel_req: channel 0 request env reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req env
    debug1: server_input_channel_req: channel 0 request subsystem reply 1
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req subsystem
    subsystem request for sftp by user playwithbits
    debug1: subsystem: cannot stat /usr/libexec/openssh/sftp-server: Permission denied
    debug1: subsystem: exec() /usr/libexec/openssh/sftp-server
    debug1: Forced command (config) '/usr/libexec/openssh/sftp-server'
    debug1: session_new: session 0
    debug1: Received SIGCHLD.
    debug1: session_by_pid: pid 3943
    debug1: session_exit_message: session 0 channel 0 pid 3943
    debug1: session_exit_message: release channel 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_close_by_channel: channel 0 child 0
    debug1: session_close: session 0 pid 0
    debug1: channel 0: free: server-session, nchannels 1
    Received disconnect from [My ip address]: 11: disconnected by user
    debug1: do_cleanup
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: PAM: closing session
    debug1: PAM: deleting credentials
    
    • loislo
      loislo almost 12 years
      Can you verify that the user can get to that directory and whether that might be the issue?
    • George Reith
      George Reith almost 12 years
      @JeffFerland If I remove the chroot command and sftp in I am able to navigate to the directory with that user.
  • George Reith
    George Reith almost 12 years
    Thanks... I get the following: bad ownership or modes for chroot directory component "/home/nginx/domains/". I have tried chown -R root:root /home/nginx/domains to no avail; do you know how I could fix this?
  • George Reith
    George Reith almost 12 years
    I have also chmodded recursively everything in that folder to 700
  • George Reith
    George Reith almost 12 years
    Now that I have chmodded, the error has changed to: debug1: subsystem: cannot stat /usr/libexec/openssh/sftp-server: Permission denied, and then later it just says (after a few more messages): Received disconnect from [My IP address]: 11: disconnected by user
  • George Reith
    George Reith almost 12 years
    Thanks, I'm not sure how to check this though. I have updated my question though with debug information if that helps.
  • gkephorus
    gkephorus over 8 years
    With me I got "subsystem: cannot stat /usr/lib/openssh/sftp-server: No such file or directory"; I had to change the setting "Subsystem sftp" in /usr/libexec/openssh/sftp-server, and now it works (on centos-7.0).