Special SFTP user with access to only one directory

Postby Scindix » 2017-04-28 15:48

I'm trying to create a setup where I have a user that is able to access the system remotely via ssh, but only to transfer files from and to a specific directory.
Based on what I found on the internet I added the following to the bottom of /etc/ssh/sshd_config, or edited the parts that were already there.

Code:
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AllowUsers www-data root my_new_sftp_user
Match Group sftp
    ChrootDirectory %h
    ForceCommand /usr/lib/openssh/sftp-server
    AllowTcpForwarding no


But it doesn't work. From a remote PC I can log in as www-data or root but not as my_new_sftp_user. I tried via GNOME Nautilus and FileZilla. FileZilla has the more descriptive error message:
Code:
Command:   open "my_new_sftp_user@example.com" 22
Command:   Trust new Hostkey: Once
Command:   Pass: ***
Error:   Server unexpectedly closed network connection
Error:   Could not connect to server


I'm happy to provide more information, but as I don't really know what is going on, this is everything for now.
Does anyone know what stops me from being able to connect to my server? What can I do to achieve what I want?
Thanks in advance
Scindix
 
Posts: 4
Joined: 2017-02-07 07:05

Re: Special SFTP user with access to only one directory

Postby cronoik » 2017-04-28 16:26

There are a few things you can check. Is the login shell set correctly?
Code:
grep my_new_sftp_user /etc/passwd

What is the output of:
Code:
ssh -v my_new_sftp_user@example.com

Have you checked if the user is expired?
Code:
chage -l my_new_sftp_user

Please check /var/log/auth.log as well.
Have a nice day!
cronoik
 
Posts: 205
Joined: 2015-05-20 21:17

Re: Special SFTP user with access to only one directory

Postby Scindix » 2017-04-28 22:09

The user is not expired.
Code:
# chage -l my_new_sftp_user
Last password change               : Apr 27, 2017
Password expires                   : never
Password inactive                  : never
Account expires                    : never
[...]

For the shell stuff: not having a shell is part of what I want. I want the user to only be able to use the sftp protocol. Thus the shell is set to /bin/false.

I pretty much did what is described here, by the way:
https://askubuntu.com/questions/598870/limit-sftp-user-access-to-specified-directory
and here:
http://stackoverflow.com/questions/23099860/create-a-sftp-user-to-access-only-one-directory

As a result you can't use a plain ssh command (which is desired).
For the sake of completeness here is the verbose output for it: https://pastebin.com/SJJFFZcp

However, from my understanding it should be possible to call $ ssh -v my_new_sftp_user@example.com /usr/lib/openssh/sftp-server.
However, it doesn't work either. The output is absolutely identical, with the exception that the line "Connection to example.com closed." is missing at the end and it just says "closed by remote host".

I had a look at /var/log/auth.log and it seems that there was a permission issue. According to https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component every node of the path provided by ChrootDirectory has to be owned by root and no other users or groups should be given write access to them. This was not met because I used the home directory %h which is /home/my_new_sftp_user and was owned by my_new_sftp_user. Now I created a subdirectory www, made it the home directory of my_new_sftp_user and set ChrootDirectory directly to /home/my_new_sftp_user.

Unfortunately the problems don't stop here. FileZilla now displays a different error message:
Code:
Command:   open "my_new_sftp_user@example.com" 22
Command:   Trust new Hostkey: Once
Command:   Pass: ***
Status:   Connected to example.com
Error:   Received unexpected end-of-file from SFTP server
Error:   Could not connect to server


In /var/log/auth.log the following now shows up:
Code:
Apr 28 23:21:28 servername sshd[17163]: Accepted password for my_new_sftp_user from 987.654.32.1 port 34188 ssh2
Apr 28 23:21:28 servername sshd[17163]: pam_unix(sshd:session): session opened for user my_new_sftp_user by (uid=0)
Apr 28 23:21:28 servername sshd[17165]: Received disconnect from 987.654.32.1: 11: disconnected by user
Apr 28 23:21:28 servername sshd[17163]: pam_unix(sshd:session): session closed for user my_new_sftp_user


I retried calling $ ssh -v [...] sftp-server and to my surprise it gave me the following error message:

Code:
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending command: /usr/lib/openssh/sftp-server
Could not chdir to home directory /home/my_new_sftp_user/www: No such file or directory
/bin/false: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1


I also tried to give this user a shell and retried again. However, it prints the same message, except that /bin/false is now /bin/bash.

My suspicion is that the ssh server tries to chroot to /home/my_new_sftp_user/ and then change the directory literally to /home/my_new_sftp_user/www, which should be just www/.

As a dirty workaround I tried to change the home directory literally to "www", created a script via "mkdir bin && echo '#!/bin/bash' > bin/false && chmod +x bin/false" inside "/home/my_new_sftp_user/" and changed the shell to "bin/false".
The "Could not chdir to home directory" message is gone now, but it still complains about "bin/false" not existing. Even if it did work, I feel like this is the wrong solution anyway.

Thanks for the help so far.
But what now?

EDIT:
I checked that the directory actually exists, of course:
Code:
# su - my_new_sftp_user
$ pwd
/home/my_new_sftp_user/www
Scindix
 
Posts: 4
Joined: 2017-02-07 07:05
