SSH - ChrootDirectory not working
Your permissions on `/` are too open. I wonder how you ended up with that. That should be `0755`. So you'll need to change that. The rest looks OK.
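The check sshd applies here, as an added example that is not part of the original answer or question: every path component from `/` down to the ChrootDirectory target must be owned by root and must not be group- or world-writable, which is why a `0777` root directory is rejected with exactly the `auth.log` message quoted in the question. The script below walks the components with GNU `stat` and reports the first one sshd would refuse (function and variable names are the example's own).

```shell
#!/bin/sh
# Added example (not from the original answer or post): mimic the path check sshd
# applies to ChrootDirectory. Every component from "/" down to the target must be
# owned by root and must not be group- or world-writable, otherwise sshd logs
# 'bad ownership or modes for chroot directory component "<path>"' and drops the session.

# Pure decision on one component: takes the numeric owner uid and the octal mode
# string (as printed by "stat -c %u" and "stat -c %a"). Returns 0 if acceptable.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group- and other-write bits; the leading 0 reads $mode as octal,
    # so a sticky "1777" (as on /tmp) is handled correctly.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk every prefix of an absolute path and report the first component sshd would
# reject, using the same wording sshd writes to auth.log. Requires GNU stat.
check_chroot_path() {
    target=$1
    case $target in /*) ;; *) echo "path must be absolute: $target"; return 2 ;; esac
    # Split on "/": for an absolute path the first field is empty and stands for "/".
    old_ifs=$IFS
    IFS=/
    set -- $target
    IFS=$old_ifs
    prefix=""
    for comp in "$@"; do
        if [ -z "$comp" ]; then
            p=/
        else
            prefix="$prefix/$comp"
            p=$prefix
        fi
        uid=$(stat -c %u "$p") || return 1
        mode=$(stat -c %a "$p") || return 1
        if ! component_ok "$uid" "$mode"; then
            echo "bad ownership or modes for chroot directory component \"$p\" (uid $uid, mode $mode)"
            return 1
        fi
    done
    echo "every component of $target is acceptable for ChrootDirectory"
    return 0
}
```

Run it as `check_chroot_path /home/test` on the server; on the setup in the question it stops at `/` with mode 777, and after `chmod 0755 /` it reports all components as acceptable.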
Jonathan Gaudé
Updated on September 18, 2022

Comments

Jonathan Gaudé (almost 2 years ago):
I am trying to chroot a "test" user (group sftp) to /home/test. I've added the following lines at the end of my sshd_config:

```
Subsystem sftp internal-sftp
Match User test
    ChrootDirectory /home/test
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```

The `home` and `test` directories have 755 permissions and are owned by root. I have also tried with `ChrootDirectory /home`.

```
root@Debian:/# namei -l /home/test
f: /home/test
drwxrwxrwx root root /
drwxr-xr-x root root home
drwxr-xr-x root root test
```

I am unable to connect to the server via SFTP or SSH (whether I include `Subsystem sftp internal-sftp` and `ForceCommand internal-sftp` or not). As soon as I log in I get the following message: `Write failed: Broken pipe`

... and the following is appended to auth.log:

```
May 12 13:48:29 Reach sshd[25503]: Accepted password for test from 192.168.0.10 port 51058 ssh2
May 12 13:48:29 Reach sshd[25503]: pam_unix(sshd:session): session opened for user test by (uid=0)
May 12 13:48:29 Reach sshd[25505]: fatal: bad ownership or modes for chroot directory component "/"
May 12 13:48:29 Reach sshd[25503]: pam_unix(sshd:session): session closed for user test
```

Apparently the problem is it's trying to chroot to "/" when it should be "/home/test". What am I missing? I've left the rest of sshd_config to default values, and there is no other ChrootDirectory directive...

Thank you.
faker (about 9 years ago): Can you include the output of `namei -l /home/test` in your question?

Jonathan Gaudé (about 9 years ago): Edited my question.

Jonathan Gaudé (about 9 years ago): Ahhh indeed, thank you, I didn't even bother checking... The server is a Synology NAS, I guess the Synology file server must have messed with the permissions somehow. Much work to do now...