In a previous article we demonstrated the process involved in configuring a chrooted sftp account on a Linux system.
Although the process is fairly straightforward, you might run into problems if you do not follow the steps exactly, or if you mix instructions from several sources. In this article we describe three common scenarios in which a chrooted sftp configuration fails and how to recognise each of them.
Scenario 1: Incorrect ownership and permissions
A chrooted setup requires that the chroot directory be owned by root. Consider the user from our previous article: the user name was sahil, the chroot directory was /chroots/sahil/ and the directory presented to the user as its home directory was /chroots/sahil/myhome. For the setup to work, /chroots/sahil/ must be owned by root. If the chroot directory is instead owned by the user, as shown below, the setup will not work:
[root@linuxnix ~]# ls -ld /chroots/sahil/
drwxr-xr-x. 3 sahil root 4096 Jul 19 22:42 /chroots/sahil/
[root@linuxnix ~]#
If we try to log in as sahil over sftp we get the following error:
[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
[root@linuxnix ~]#
If we look at the /var/log/secure file we find the following messages logged for our login attempt:
Jul 20 06:48:14 linuxnix sshd: Accepted password for sahil from 192.168.19.128 port 44703 ssh2
Jul 20 06:48:14 linuxnix sshd: pam_unix(sshd:session): session opened for user sahil by (uid=0)
Jul 20 06:48:14 linuxnix sshd: fatal: bad ownership or modes for chroot directory "/chroots/sahil"
Jul 20 06:48:14 linuxnix sshd: pam_unix(sshd:session): session closed for user sahil
[root@linuxnix ~]#
The credentials we supplied were correct, but sshd refused the login because of bad ownership: the chroot directory /chroots/sahil was not owned by root.
Another rule we are used to when creating user accounts is that a user's home directory should not be accessible to others. In a chrooted sftp setup, however, if the chroot directory (/chroots/sahil here, or /home/sahil depending on your setup) is not accessible to others, the user will not have permission to do anything: the directory is owned by root, so the user can only enter it through the permission bits for "others" (unless the directory's group happens to include the user). To demonstrate, I set the permissions of /chroots/sahil/ to 750.
[root@linuxnix ~]# ls -ld /chroots/sahil/
drwxr-x---. 3 root root 4096 Jul 19 22:42 /chroots/sahil/
[root@linuxnix ~]#
Now when I try to log in as sahil I am able to, but I get a permission denied error as soon as I run ls:
[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
sftp> ls
Couldn't get handle: Permission denied
sftp> pwd
Remote working directory: /
sftp> ^D
Scenario 2: SELinux is enabled
If SELinux is running in enforcing mode you also need to run the following command so that users can write into their chrooted home directories:
# setsebool -P ssh_chroot_rw_homedirs on
If you do not run the above command you will get permission denied errors for any command you run during your sftp session:
[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
sftp> ls
Couldn't get handle: Permission denied
sftp> ls
Couldn't get handle: Permission denied
sftp> pwd
Remote working directory: /myhome
sftp> ^D
The alternative would be to disable SELinux altogether, which is not recommended; the boolean above is the narrower fix.
Scenario 3: Chroot configuration in /etc/ssh/sshd_config file
You are likely to run into this if you are combining several sources, guides or tutorials while setting up your chroot environment. The usual mistakes are in the Match Group and ChrootDirectory directives. The chroot configuration we used is as follows:
Subsystem sftp internal-sftp
Match Group sftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /chroots/%u
    ForceCommand internal-sftp
You must name the correct group in the Match directive and ensure that every chrooted sftp user is a member of that group, otherwise they will not be able to log in. The ChrootDirectory directive must point to the correct location of the chroot directory. Note that there are other ways of specifying the ChrootDirectory apart from the one discussed here.
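The following script is an added example and is not part of the original article. It checks a chroot directory the way sshd does before it will chroot a session (every path component up to / owned by root and not group- or world-writable, which is the "bad ownership or modes" failure from Scenario 1), additionally checks that the directory is accessible to others (the 750 case), and provides helpers for the SELinux boolean from Scenario 2 and the effective ChrootDirectory from Scenario 3. It assumes GNU stat; the EXPECTED_UID and STOP_AT parameters default to what sshd requires and exist only so the check can be exercised on a scratch tree as a non-root user.

```shell
#!/bin/sh
# Added example, not from the original article. sshd refuses to chroot unless every
# component of ChrootDirectory, from the directory itself up to "/", is owned by
# root and is not writable by group or others. A root-owned chroot is entered by
# the sftp user through the "other" bits, so each component also needs o+x and the
# chroot itself o+rx (the article's 750 failure). Assumes GNU stat (-c).
# Usage: check_chroot_dir DIR [EXPECTED_UID=0] [STOP_AT=/]
check_chroot_dir() {
    target=$1
    expected_uid=${2:-0}
    stop_at=${3:-/}
    rc=0
    dir=$(cd "$target" 2>/dev/null && pwd -P) || { echo "no such directory: $target"; return 1; }
    need=5                                  # chroot dir itself: others need r-x
    while :; do
        uid=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")           # octal, e.g. 755 or 1777
        if [ "$uid" -ne "$expected_uid" ]; then
            echo "FAIL $dir: owned by uid $uid, expected $expected_uid"; rc=1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $dir: mode $mode is group- or world-writable"; rc=1
        fi
        if [ $(( 0$mode & $need )) -ne "$need" ]; then
            echo "FAIL $dir: mode $mode denies others (the sftp user) access"; rc=1
        fi
        [ "$dir" = "$stop_at" ] || [ "$dir" = / ] && break
        dir=$(dirname "$dir")
        need=1                              # parents only need to be traversable
    done
    [ "$rc" -eq 0 ] && echo "OK: $target is owned by uid $expected_uid, not group/world writable, and accessible"
    return "$rc"
}

# Scenario 2: with SELinux enforcing, the boolean from the article must be on.
# Returns 0 when SELinux is absent or permissive, or when the boolean is on.
selinux_chroot_ok() {
    command -v getenforce >/dev/null 2>&1 || return 0
    [ "$(getenforce)" = "Enforcing" ] || return 0
    getsebool ssh_chroot_rw_homedirs | grep -q ' on$'
}

# Scenario 3: print the ChrootDirectory sshd actually applies to USER after Match
# evaluation. Must run as root (sshd -T reads the host keys); host and addr are
# placeholder values that -C needs in order to evaluate Match blocks.
effective_chroot() {
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" | awk '$1 == "chrootdirectory" { print $2 }'
}
```

On the server, run check_chroot_dir /chroots/sahil as root; if effective_chroot sahil prints nothing or "none", the user is not matched by the Match Group block.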
In this article we explained some of the troubleshooting scenarios you are likely to run into while configuring chrooted sftp user accounts. If you run into a different error, please share it with us so that we can update this article with the error description and the steps taken to resolve it.