SFTP chroot problem.

aamir4u — Thu, 02 Feb 2012 08:23:17 GMT

Hi,

I made a user1 on sftp

For example:--

02.Create a user called "user1" and setup password for that user

03. Make sure that user is able to login to the system using his password

04. Make the user to sftponly user by running the following command. Follow the instructions.

    # /opt/ssh/utils/ssh_chroot_setup.sh

05 . The /ftproot . directory was created on ? directory.
06. Copy /opt/ssh/utils/sftponly to /bin and /ftproot/bin directory

    # cp /opt/ssh/utils/sftponly
    # cp /opt/ssh/utils/sftponly /ftproot/bin/sftponly

07. Add /bin/sftponly entry to /etc/shells file

    # echo "/bin/sftponly" >> /etc/shells

08. Modify the user1's home directory and shell in /etc/password as follows.

    user1:x:1000:1000:chrooted user:/ftproot/./home/user1:/bin/sftponly

09. Make sure the user1 home directory is created if not already created

    # mkdir -p /ftproot/home/user1
    # chown user1 ftproot/home/user1

09. Now, the user is jailed within /ftproot directory. Also, user1 can not login to the system using ssh since his shell is set as /bin/sftponly.

I made a user But its still change a directory and see the other directory.

How can chroot apply and user1 see its only its contents or filesystem.

Please see it.

Thanks

Re: SFTP chroot problem.

Uday_S_Ankolekar — Fri, 03 Feb 2012 21:12:34 GMT

Have you configured sshd_config for

for EX:

Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp
Match group guests
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match

Re: SFTP chroot problem.

aamir4u — Sat, 04 Feb 2012 12:36:14 GMT

Thanks for advice.

But i made changed configuration on sshd_config

But still user see the othe file system on root .

Thanks

Re: SFTP chroot problem.

aamir4u — Sat, 04 Feb 2012 12:53:27 GMT

Hi,

Please see my sshd_config configuration.

vi /opt/ssh/etc/sshd_config
"/opt/ssh/etc/sshd_config" [Read only] 182 lines, 4836 characters
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#CountKeyAuthBadLogins no

# Auth selection

#HostbasedAuthAllowUsers
#HostbasedAuthDenyUsers
#PubkeyAuthAllowUsers
#PubkeyAuthDenyUsers
#KerberosAuthAllowUsers
#KerberosAuthDenyUsers
#KerberosOrLocalPasswdAllowUsers
#KerberosOrLocalPasswdDenyUsers
#PasswordAuthAllowUsers
#PasswordAuthDenyUsers
#ChallRespAuthAllowUsers [pam] user1 user2 ...
#ChallRespAuthDenyUsers [pam] user1 user2 ...
#ChallRespAuthAllowUsers [bsdauth] user1 user2 ...
#ChallRespAuthDenyUsers [bsdauth] user1 user2 ...
#ChallRespAuthAllowUsers [skey] user1 user2 ...
#ChallRespAuthDenyUsers [skey] user1 user2 ...
#ChallRespAuthAllowUsers [securid] user1 user2 ...
#ChallRespAuthDenyUsers [securid] user1 user2 ...
#GSSAPIAuthAllowUsers
#GSSAPIAuthDenyUsers

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding yes
#X11Forwarding no
#X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#EnforceSecureTTY no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#ChrootDirectory /opt/anonftp
# no default banner path
#Banner none

#The following are HPN related configuration options
#tcp receive buffer polling. enable in autotuning kernels
#TcpRcvBufPoll no

# allow the use of the none cipher
#NoneEnabled no

# disable hpn performance boosts.
HPNDisabled yes

# buffer size for hpn to non-hn connections
#HPNBufferSize 2048

# override default of no subsystems
#Subsystem sftp /opt/ssh/libexec/sftp-server
Subsystem sftp internal-sftp

# sftp-server umask control
#SftpUmask

#SftpPermitChmod yes
#SftpPermitChown yes

# the following are HPN related configuration options
# tcp receive buffer polling. enable in autotuning kernels
#TcpRcvBufPoll no

# allow the use of the none cipher
#NoneEnabled no

# disable hpn performance boosts.
#HPNDisabled no

# buffer size for hpn to non-hn connections
#HPNBufferSize 2048

# Example of overriding settings on a per-user basis
#Match User anoncvs
Match User sftpuser
Match group guests
X11Forwarding no
#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp internal-sftp
AllowTcpForwarding no
#ForceCommand cvs server
ForceCommand internal-sftp
#ChrootDirectory /opt/anonftp
#ChrootDirectory /home/%u
ChrootDirectory /newroot/home/sftp1
Match
"/opt/ssh/etc/sshd_config" 182 lines, 4844 characters
uatdata1 /etc/rc.config.d#
uatdata1 /etc/rc.config.d#/sbin/init.d/secsh start
uatdata1 /etc/rc.config.d#

And see my passwd configuration:-

sftp1:9MNRuoBMAVi26:110:20:chrooted user:/newroot/./home/sftp1:/bin/sftponly

But when i ftp 192.168.6.5

and run cd /

user still the content of server or filesysem.

Thanks for future.

Re: SFTP chroot problem.

aamir4u — Mon, 06 Feb 2012 10:15:24 GMT

Hi,

Please see my trail messages and

you have any solution of my topic so,

please give me an example.

Thanks

topic Re: SFTP chroot problem. in Operating System - HP-UX

SFTP chroot problem.

Re: SFTP chroot problem.

Re: SFTP chroot problem.

Re: SFTP chroot problem.

Re: SFTP chroot problem.