
I want to configure the user ftpuser for SFTP access to an existing Apache-owned directory, /var/www/website.

I added it as a new user and made /var/www/website its home directory:

useradd -md /var/www/website -s /bin/bash ftpuser

in sshd_config:

Subsystem sftp internal-sftp

Match User ftpuser
    ChrootDirectory /var/www/website
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

The directory is now owned by root and has ACL permissions for the www-data user:

# ls -ltr
   drwxrwx---+  5 root     root     4096 Nov  8  2012 website

# getfacl website/
   # file: website/
   # owner: root
   # group: root
   user::rwx
   user:www-data:rwx
   group::rwx
   group:www-data:rwx

But whenever I try to connect with SFTP, I get the following debug errors:

ftpuser@ftp_server's password: 
debug3: packet_send2: adding 32 (len 80 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to ftp_server ([ftp_server]:22).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cc -1)

debug1: fd 0 clearing O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
Connection to 104.237.139.76 closed by remote host.
Transferred: sent 2408, received 2020 bytes, in 0.0 seconds
Bytes per second: sent 627244.1, received 526176.5
debug1: Exit status -1
Couldn't read packet: Connection reset by peer

Any Ideas to troubleshoot that issue?

Edit:

from /var/log/authz:

fatal: bad ownership or modes for chroot directory component "/var/www/"
MohammedSimba
  • Please post the errors from the server-side log, or additionally try to run the server in debug mode to get some useful information – Jakuje Sep 16 '15 at 15:16
  • Edited the post and added the authz logs, kindly check it. What do you mean by running the server in debug mode? – MohammedSimba Sep 16 '15 at 15:23

1 Answer

Using ChrootDirectory option in sshd_config requires some basic understanding of written text.

This is snapshot from manual page for sshd_config(5):

ChrootDirectory

Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

This is your error log:

fatal: bad ownership or modes for chroot directory component "/var/www/"

And when you put one and one together you will understand that not only /var/www/website needs to be owned by root, but also the /var/www and /var directories, as mentioned many times around here.

Jakuje
  • Yes, I already found that in all the places, but my question is: if I make it root-owned as you just mentioned, there is no way Apache can read this "website", so how do I make both work, that it is owned by root and Apache can also read that path? – MohammedSimba Sep 17 '15 at 14:45
  • You can try the same trick with extended ACLs as you do with /var/www/website, can't you? But it will also be a possible attack surface. SFTP is not made for such harakiri. – Jakuje Sep 17 '15 at 15:12