02-02-2012 12:23 AM
SFTP chroot problem.
Hi,
I made a user1 on sftp.
For example:
02. Create a user called "user1" and set up a password for that user.
03. Make sure that user is able to log in to the system using his password.
04. Make the user an sftponly user by running the following command. Follow the instructions.
# /opt/ssh/utils/ssh_chroot_setup.sh
05. The /ftproot . directory was created on ? directory.
06. Copy /opt/ssh/utils/sftponly to the /bin and /ftproot/bin directories.
# cp /opt/ssh/utils/sftponly /bin/sftponly
# cp /opt/ssh/utils/sftponly /ftproot/bin/sftponly
07. Add a /bin/sftponly entry to the /etc/shells file.
# echo "/bin/sftponly" >> /etc/shells
08. Modify user1's home directory and shell in /etc/passwd as follows.
user1:x:1000:1000:chrooted user:/ftproot/./home/user1:/bin/sftponly
09. Make sure the user1 home directory is created if not already created.
# mkdir -p /ftproot/home/user1
# chown user1 /ftproot/home/user1
10. Now the user is jailed within the /ftproot directory. Also, user1 cannot log in to the system using ssh since his shell is set to /bin/sftponly.
I made the user, but it can still change directory and see the other directories.
How can the chroot be applied so that user1 sees only its own contents or filesystem?
Please see it.
Thanks
aamir uddin
02-03-2012 01:12 PM
Re: SFTP chroot problem.
Have you configured sshd_config? For example:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match group guests
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match
02-04-2012 04:36 AM
Re: SFTP chroot problem.
Thanks for the advice.
I changed the configuration in sshd_config,
but the user still sees the other file systems on root.
Thanks
aamir uddin
02-04-2012 04:53 AM
Re: SFTP chroot problem.
Hi,
Please see my sshd_config configuration.
vi /opt/ssh/etc/sshd_config
"/opt/ssh/etc/sshd_config" [Read only] 182 lines, 4836 characters
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#CountKeyAuthBadLogins no
# Auth selection
#HostbasedAuthAllowUsers
#HostbasedAuthDenyUsers
#PubkeyAuthAllowUsers
#PubkeyAuthDenyUsers
#KerberosAuthAllowUsers
#KerberosAuthDenyUsers
#KerberosOrLocalPasswdAllowUsers
#KerberosOrLocalPasswdDenyUsers
#PasswordAuthAllowUsers
#PasswordAuthDenyUsers
#ChallRespAuthAllowUsers [pam] user1 user2 ...
#ChallRespAuthDenyUsers [pam] user1 user2 ...
#ChallRespAuthAllowUsers [bsdauth] user1 user2 ...
#ChallRespAuthDenyUsers [bsdauth] user1 user2 ...
#ChallRespAuthAllowUsers [skey] user1 user2 ...
#ChallRespAuthDenyUsers [skey] user1 user2 ...
#ChallRespAuthAllowUsers [securid] user1 user2 ...
#ChallRespAuthDenyUsers [securid] user1 user2 ...
#GSSAPIAuthAllowUsers
#GSSAPIAuthDenyUsers
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes
#AllowTcpForwarding yes
#AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding yes
#X11Forwarding no
#X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#EnforceSecureTTY no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#ChrootDirectory /opt/anonftp
# no default banner path
#Banner none
#The following are HPN related configuration options
#tcp receive buffer polling. enable in autotuning kernels
#TcpRcvBufPoll no
# allow the use of the none cipher
#NoneEnabled no
# disable hpn performance boosts.
HPNDisabled yes
# buffer size for hpn to non-hn connections
#HPNBufferSize 2048
# override default of no subsystems
#Subsystem sftp /opt/ssh/libexec/sftp-server
Subsystem sftp internal-sftp
# sftp-server umask control
#SftpUmask
#SftpPermitChmod yes
#SftpPermitChown yes
# the following are HPN related configuration options
# tcp receive buffer polling. enable in autotuning kernels
#TcpRcvBufPoll no
# allow the use of the none cipher
#NoneEnabled no
# disable hpn performance boosts.
#HPNDisabled no
# buffer size for hpn to non-hn connections
#HPNBufferSize 2048
# Example of overriding settings on a per-user basis
#Match User anoncvs
Match User sftpuser
Match group guests
X11Forwarding no
#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp internal-sftp
AllowTcpForwarding no
#ForceCommand cvs server
ForceCommand internal-sftp
#ChrootDirectory /opt/anonftp
#ChrootDirectory /home/%u
ChrootDirectory /newroot/home/sftp1
Match
"/opt/ssh/etc/sshd_config" 182 lines, 4844 characters
uatdata1 /etc/rc.config.d#
uatdata1 /etc/rc.config.d#/sbin/init.d/secsh start
uatdata1 /etc/rc.config.d#
And see my passwd configuration:-
sftp1:9MNRuoBMAVi26:110:20:chrooted user:/newroot/./home/sftp1:/bin/sftponly
But when I ftp to 192.168.6.5
and run cd /,
the user still sees the content of the server or filesystem.
Thanks for future.
aamir uddin
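Added example, not part of any post in this thread and not HP's or OpenSSH's code: a small Python check of which sshd_config settings actually reach a given login. It relies on two OpenSSH rules: a Match block ends at the next Match line, and the first value obtained for a keyword is the one used. The sample config is constructed to mirror the shape of the Match section posted above; the group name users and the login anyone are assumptions.

```python
import fnmatch

# Constructed sample: same layout as the Match section in the post above.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match User sftpuser
Match group guests
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /newroot/home/sftp1
"""

def pattern_list_matches(patterns, values):
    """sshd pattern list: comma-separated globs; a hit on a '!' pattern always loses."""
    hit = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        found = any(fnmatch.fnmatchcase(v, pat.lstrip("!")) for v in values)
        if found and negated:
            return False
        hit = hit or found
    return hit

def match_applies(args, user, groups):
    """Evaluate User/Group criteria of one Match line; other criteria are not checked."""
    for crit, pats in zip(args[0::2], args[1::2]):
        values = {"user": [user], "group": groups}.get(crit.lower())
        if values is not None and not pattern_list_matches(pats, values):
            return False
    return True

def effective_settings(config_text, user, groups):
    """Settings that apply to this login: global section plus every matching block."""
    settings, active = {}, True              # the global section applies to everyone
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":
            # A new Match line closes the previous block, even an empty one.
            active = match_applies(args, user, groups)
        elif active:
            settings.setdefault(keyword.lower(), " ".join(args))  # first value wins
    return settings
```

Calling `effective_settings(SAMPLE_CONFIG, "sftp1", ["users"])` returns only the global Subsystem line, so neither ChrootDirectory nor ForceCommand is applied to a login that is not in the guests group.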
02-06-2012 02:15 AM
Re: SFTP chroot problem.
Hi,
Please see my trail of messages, and
if you have any solution for my topic,
please give me an example.
Thanks
aamir uddin