Is it possible to allow key based authentication for sshd_config chroot sftp users?
Put your keys outside chroot (they are used before chroot any way). For example put your keys in /etc/ssh-pool/user.pub and change you config:
AuthorizedKeysFile /etc/ssh-pool/%u.pub
Related videos on Youtube
Ted LeRoy
Updated on September 18, 2022Comments
-
Ted LeRoy almost 2 years
I'm running an Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-generic x86_64) Server, with OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
I'd like to configure chroot for sftp access using settings in /etc/ssh/sshd_config, with key based authentication.
I've followed the tutorial here: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
That tutorial helped me get sftp working with password authentication. I've modified the /etc/ssh/sshd_config file and copied the keys to try to get key based authentication working, but so far, no luck.
Relevant parts of my /etc/ssh/sshd_config file:
# Change to no to disable tunnelled clear text passwords PasswordAuthentication yes # Of course, I'd like to change this to no once key-based auth is working # Commenting for chroot use #Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp internal-sftp Match Group sftpusers ChrootDirectory /sftp/%u ForceCommand internal-sftp PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys
I've put the key in /sftp/testuser/incoming/.ssh/authorized_keys and experimented a bit by putting it in different directories. I've ensured that the rights are 600 on the authorized_keys file and that testuser owns it:
-rw------- 1 testuser sftpusers 616 Sep 21 09:20 authorized_keys
Here's the entry in /etc/passwd for the testuser:
testuser:x:1008:1010::/incoming:/usr/lib/openssh/sftp-server
-
Ted LeRoy almost 12 yearsThanks RJS. I'm working on getting it going as you describe.
-
kajman over 11 yearsThanks, you helped me a lot! Was looking for the answer for few hours, only your suggestion helped! Thanks again!