• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2022
  • Last Modified:

openSuse SFTP, folder restriction

I was tasked to setup an openSuse 11.1 SFTP server to replace an old Windows FTP server. I have the sftp server up and going but need to restrict users to a 'home directory'. I've followed the below steps but as soon as I move the user to the "sftp" group, the sFTP client (winSCP) wont allow them to login anymore, it just says "Authentication Failed: Network Error: Software caused connection abort.

If I take the user out of the sftp group, they can login without a problem (just not restricted to a folder)

http://blogs.techrepublic.com.com/opensource/?p=229

"To begin, ensure you have OpenSSH 4.9p1 or newer installed. Then edit /etc/ssh/sshd_config (/etc/sshd_config on some distributions) and set the following options:

Subsystem     sftp   internal-sftp

Match Group sftp

    ChrootDirectory %h

    ForceCommand internal-sftp

    AllowTcpForwarding no"

"# usermod -G sftp joe

# usermod -s /bin/false joe

# chown root:root /home/joe

# chmod 0755 /home/joe"
0
MMDeveloper
Asked:
MMDeveloper
  • 2
1 Solution
 
MMDeveloperAuthor Commented:
update, when I try to sftp via a command line I get these error messages:

fatal: bad ownership or modes for chroot directory component "/_data/"

/_data is a mount to another harddrive. Doing an "ls -l" shows that "root" owns all of /_data and it's contents. Just for S&G's I chmoded /_data and all of its contents to 777 (to remove any permission problems).

Each user has their custom home directory which is setup like this:

/_data/GIL/GIEB
/_data/GIL/GIFM
/_data/BAK/CBMW

etc etc... I want their home directories to be their "jailed" location but I keep getting these errors and I'm about to pull my hair out :(

0
 
woolmilkporcCommented:
Hi,
according to 'man sshd_config' the path pointed to by ChRootDirectory  (in sshd_config) and all its components, must be root-owned directories that are not writable by any other user or group.
I think in your case the clue is the "not-writeable by any other user or group" thing!
wmp

0
 
MMDeveloperAuthor Commented:
I found my problem.... I was trying to "write" to the chroot directory (which was not allowed).. I had to create a subfolder IN the chroot directory for the users to write to.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now