SSH and SFTP Permission Setup

Question

I'm trying to setup SFTP on my ubuntu server and I'm encountering a problem. When I set up a group in sshd_config file to chroot people to their home directories the user in the group cannot access the server via SSH and this error comes up "software caused connection abort" and sometimes "No directory found".

I'm pretty sure it is to do with permissions but I'm not sure what. I've disabled the UFW for testing so it isn't that. Any help would be gratefully appreciated. Thanks.

Here's what I added to the sshd_config file:

Match Group webadmins
    ChrootDirectory %h
    X11Forwarding no
    AllowTopForwarding no

I left these bottom two commented as I'm just concerned about the ChrootDirectory.

score 0 · Accepted Answer · answered Apr 17 '15 at 15:40

0

If you're chrooting the users, you should either use ForceCommand internal-sftp or set up a shell (along with everything it needs) in each home directory. If neither of these was done, SSH won't be able to login the user.

answered Apr 17 '15 at 15:40

muru

197,895
55
485
740

I had previously had ForceCommand internal-sftp in there but I removed it for testing. Even when it's in I can only connect via SSH if I remove myself from the group "webadmins". What do you mean by setup a shell in each home directory? – Philip Crocker Apr 17 '15 at 15:44
@PhilipCrocker if you're in webadmins, you will only be able to use SFTP. As for setting up a shell, something like http://askubuntu.com/questions/93411/simple-easy-way-to-jail-users. – muru Apr 17 '15 at 15:46
@ muru What would you suggest doing if I wanted to use SSH and SFTP and restrict users to their home directory? – Philip Crocker Apr 17 '15 at 15:49
@PhilipCrocker the linked post on jaling users, I suppose. If you just want to make an excpetion for yourself, that can be done easily: Match Group webadmins User *,!<your-username> should do exclude you from that match block. – muru Apr 17 '15 at 15:53
Yeah that would do fine, as I'm the admin so I don't want to be chrooted anyway. Sorry what is the syntax you used? – Philip Crocker Apr 17 '15 at 15:56
User *,! – Philip Crocker Apr 17 '15 at 15:56
@PhilipCrocker it's one line. – muru Apr 17 '15 at 15:58
Match Group webadmins User *,!philip – Philip Crocker Apr 17 '15 at 16:00
@PhilipCrocker yes, that would be it. – muru Apr 17 '15 at 16:06
1

Why did you use the astrisk and comma? – Philip Crocker Apr 17 '15 at 16:14
@PhilipCrocker originally read it here. Turns out *, isn't needed. – muru Apr 17 '15 at 16:16
Brilliant I can now SSH and SFTP in! However other users cannot access SFTP. Hmm – Philip Crocker Apr 17 '15 at 16:25
@PhilipCrocker yes, as I said, that was an exception for you. – muru Apr 17 '15 at 16:41
Oh I thought you meant that I would be the only user allowed to use both whilst other users could use SFTP; – Philip Crocker Apr 17 '15 at 16:47
@PhilipCrocker if you want to restrict the other users to SFTP only (no SSH), then use ForceCommand as noted above. – muru Apr 17 '15 at 16:52
Hmm nope, other users cannot connect via SFTP, it says "software caused connection abort" any advice from here. – Philip Crocker Apr 17 '15 at 17:33

score 0 · Answer 2 · answered Apr 17 '15 at 18:04

0

The directory you are chrooting (in your case %h) should be owned by user root. Use command sudo chown root.root %h

answered Apr 17 '15 at 18:04

bbpd

1

SSH and SFTP Permission Setup

2 Answers2