Chroot Group Jail Help

tschlichter asked:
I'm trying to create a chroot group on a 10.7.5 server.  I found a lot of how-to guides around the web for single user jails, which I can get to work.  However, when I try to create a group under the same instructions I cannot log in; instead the connection is refused with the error - ssh_exchange_identification: Connection closed by remote host.  To make the single user work I created a folder in / named 'chroot', then a sub folder 'video', and then a sub sub folder for the user, 'landing_pad'.  These are the steps I took -

sudo su
chmod g-w /
mkdir /chroot
mkdir /chroot/video
chmod g-w /chroot
chmod g-w /chroot/video
chown root /
chown root /chroot
chown root /chroot/video
mkdir /chroot/video/landing_pad
chown 'my user name' /chroot/video/landing_pad
chmod 700 /chroot/video/landing_pad

then in the /etc/sshd_config i added these lines -

Subsystem     sftp     internal-sftp

Match User 'my user name'
     X11Forwarding no
     AllowTcpForwarding no
     ChrootDirectory /chroot/video

Lastly, I added my user to the SACL list for SSH.  Everything works perfectly.  However, when I try the same with a group it does not.  I do almost everything the same: create a group in Workgroup Manager, populate the group, add it to the SACL for SSH, etc.  The difference in creating the jail is -

chown :sftpgroup /chroot/video/landing_pad
chmod 770 /chroot/video/landing_pad

and then in sshd_config  -

Match Group sftpgroup
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp
     ChrootDirectory /chroot/video

When I turn off this match in favor of the single user it works again.  So something is apparently wrong with the syntax of the sshd_config for the group.

Any help or insight would be appreciated.
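sshd is strict about the chroot path itself: per sshd_config(5), every component of the ChrootDirectory path, from / down to the chroot target, must be a root-owned directory that is not writable by group or others, or the session is closed server-side (the client only sees the connection drop; the reason appears in the server's sshd log, not in `ssh -vvv` output). The following is an added example, not code from the original post, that walks a path such as /chroot/video and reports each component that would be rejected. It parses POSIX `ls -ld` output so it runs unchanged on both OS X and Linux; the path and the fix-up commands it prints are taken from the post's own layout.

```shell
#!/bin/sh
# Added example, not code from the original thread. sshd only honours
# ChrootDirectory when every component of the path, from / down to the chroot
# itself, is a directory owned by root and not writable by group or others
# (sshd_config(5)); otherwise it closes the session and logs
# "bad ownership or modes for chroot directory component". This walks the
# path and reports each violation together with the command that fixes it.
# The user's writable landing directory belongs below the chroot
# (e.g. /chroot/video/landing_pad), never as the chroot itself.
# Usage: check_chroot_path /chroot/video

# 0 if the directory is owned by root (field 3 of POSIX `ls -ld` output).
component_owner_ok() {
    set -- $(ls -ld "$1" 2>/dev/null)
    [ "$3" = root ]
}

# 0 if the directory exists and is neither group- nor world-writable.
component_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)     # e.g. drwxr-xr-x
    [ -n "$mode" ] || return 1
    case $mode in
        ?????w*)    return 1 ;;                       # 6th char: group write bit
        ????????w*) return 1 ;;                       # 9th char: other write bit
        *)          return 0 ;;
    esac
}

# Walk from the chroot target up to / and report every component that sshd
# would reject. Returns 0 only if the whole path is acceptable.
check_chroot_path() {
    case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    dir=$1; rc=0
    while :; do
        component_owner_ok "$dir" ||
            { echo "BAD $dir: not owned by root   (fix: chown root '$dir')"; rc=1; }
        component_mode_ok "$dir" ||
            { echo "BAD $dir: group/world writable (fix: chmod go-w '$dir')"; rc=1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    [ $rc -eq 0 ] && echo "OK: every component of $1 is root-owned and not group/world writable"
    return $rc
}
```

Run it as root on the server against the directory named in ChrootDirectory (the chroot, not the user's subfolder), then validate the configuration syntax with `sshd -t`. Note that `chmod 770` on a directory is only safe below the chroot; applied to any component of the chroot path itself it is exactly what this check flags.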
SOLUTION
Wilder_Admin
This solution is only available to members.
arnold
Is the sftp group primary or additional for the user?

usermod -g sftpuser username #primary
usermod -G sftpuser username #additional

Use ssh -vvv when connecting to see what is going on during the connection attempt.
tschlichter (ASKER)
Thank you both for your responses.  I apologize for not having gotten back to this until now.  Other events overtook my time.

Wilder_Admin - setting TCP forward to yes doesn't seem to have helped.

Arnold - the sftp group would be additional.  When I turn on the group access in sshd_config I cannot connect at all, either with the single user account or a group user.  I've tried turning the single user off with group on, and having both user and group on, but the connection is always refused.  As soon as I turn off group access the single user works again.  I've made sure the group has ssh access enabled, so I don't think it's that.  What is the difference between primary group and additional group as it relates to this?

Thanks again for your help and guidance.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Isn't everyone's primary group automatically set to staff?  More to the point, are you saying that the primary group should be the sftp group?  And if so, why, if you don't mind me asking.
useradd -D
will provide the answer on your default settings
Some have it as users.
It depends on your setup.  If the users group has access to something, excluding a user from being able to access that directory must mean that the user is not a member of that group.
Creating a new group and setting it as the primary group of a user will limit the user's access to directories that only have world read rights.
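On the primary-versus-additional question raised in the thread: sshd evaluates `Match Group` against the user's complete group list, primary and supplementary alike (the same list `id -Gn user` prints), so supplementary membership in sftpgroup is enough for `Match Group sftpgroup` to apply. The other rule worth knowing is that sshd uses the first value obtained for each keyword, with a matching Match block overriding the global section and the earliest matching block winning. The following is an added example, not code from the original thread, that reproduces those two rules to show which settings a given user would receive from an sshd_config. It models only `User` and `Group` criteria (Address, Host and LocalPort are not handled), and the config file path and user name are arguments you supply.

```shell
#!/bin/sh
# Added example, not code from the original thread. Given an sshd_config file
# and a user name, print the settings sshd would apply to that user after
# evaluating Match User / Match Group blocks. Two facts drive the logic:
#  - Match Group is tested against every group the user belongs to, primary
#    and supplementary alike (the list `id -Gn user` prints), so a
#    supplementary member of sftpgroup does match "Match Group sftpgroup".
#  - sshd uses the first value obtained for each keyword; a matching Match
#    block overrides the global section, and the earliest matching block wins.
# Only User and Group criteria are modelled; Address/Host/LocalPort are not.
# Usage: effective_config /etc/sshd_config alice

user_groups() {                     # primary + supplementary groups of a user
    if [ "$1" = "$(id -un)" ]; then id -Gn; else id -Gn "$1" 2>/dev/null || true; fi
}

user_in_group() {                   # user group -> 0 if the user is in that group
    for g in $(user_groups "$1"); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

match_applies() {                   # user "Group g [User u ...]" -> 0 if all criteria hold
    who=$1; shift
    set -- $*
    [ $# -ge 2 ] || return 1
    while [ $# -ge 2 ]; do
        case $1 in
            User)  [ "$2" = "$who" ] || return 1 ;;
            Group) user_in_group "$who" "$2" || return 1 ;;
            *)     return 1 ;;      # unsupported criterion: treat as no match
        esac
        shift 2
    done
    return 0
}

effective_config() {                # config-file user -> "Keyword value" lines
    cfg=$1; user=$2
    active=1; inmatch=0; seen=" "; matched=""; global=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop comments
        set -- $line                # split into keyword and arguments
        [ $# -eq 0 ] && continue
        kw=$1; shift
        if [ "$kw" = Match ]; then
            inmatch=1
            if match_applies "$user" "$*"; then active=1; else active=0; fi
            continue
        fi
        [ $active -eq 1 ] || continue
        if [ $inmatch -eq 1 ]; then
            case $seen in *" $kw "*) continue ;; esac   # an earlier Match block already set it
            seen="$seen$kw "
            matched="$matched$kw $*
"
        else
            global="$global$kw $*
"
        fi
    done < "$cfg"
    printf '%s' "$matched"
    # global settings survive only for keywords no matching block has set
    printf '%s' "$global" | while IFS= read -r gl; do
        case $seen in *" ${gl%% *} "*) ;; *) printf '%s\n' "$gl" ;; esac
    done
}

effective_value() {                 # config-file user keyword -> its value, or nothing
    effective_config "$1" "$2" | while IFS= read -r l; do
        if [ "${l%% *}" = "$3" ]; then printf '%s\n' "${l#* }"; break; fi
    done
}
```

Point it at the server's own file, for example `effective_config /etc/sshd_config someuser`, to see whether the `Match Group sftpgroup` block is reached for that account before assuming a group-resolution problem. On any OpenSSH with extended test mode (5.1 and later), `sshd -T -C user=someuser` run as root is the authoritative version of the same check, and `sshd -t` reports syntax errors that would make the daemon refuse every connection rather than just the group's.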