Solved

centos vsftpd sftp and chroot jailbreak

Posted on 2013-02-01
43
1,788 Views
Last Modified: 2013-03-03
I can ftp and sftp to the server using the same username.

With ftp, I am locked in my home directory (as I want to be).
With SFTP, I can navigate the entire directory tree - root, etc, var...etc.

How can I restrict SFTP access to the same chroot as non-SFTP?
0
Comment
Question by:snowdog_2112
  • 21
  • 16
  • 5
  • +1
43 Comments
 
LVL 31

Expert Comment

by:farzanj
Comment Utility
These are two very different services.  SFTP is based on SSH and  has nothing to do with FTP.

Here are the details
http://www.thisisnotsupported.com/sftp-chrootjail-on-centos6/
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
What you can do is make sure that the user has /bin/ftp as their shell.
This way they will be able to use vsftp but will not be allowed access with sftp as was pointed out the two are separate.
sftp is a service that is part of openSSH and uses port 22.

There are dif
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
In order to chroot sftp users perform thesesteps:

- In /etc/ssh/sshd_config on the server change

Subsystem       sftp    /opt/openssh/libexec/sftp-server

to

Subsystem       sftp    internal-sftp

Assuming that the sftp users which are to be jailed are all members of the group "ftpgroup" and assuming that the home directories of those users are "/home/username" add to /etc/ssh/sshd_config on the server:

Match Group ftpgroup
      ChrootDirectory /home/%u
      ForceCommand internal-sftp
      AllowTcpForwarding no


- Under the home directory of each concerned user create a directory "home/username"  (e.g. /home/username/home/username" (sic!)

The respective user will be jailed into /home/username and their initial directory will be their home directory relative to the new root - that's why we need the directories "/home/username/home/username".

Once connected via sftp "pwd" issued by the user wil show "/home/username" which is actually "/home/username/home/username"
They can "cd" up to what appears to them as "/" but which is actually "/home/username" - their "original" home directory.

The above seems a bit complicated and confusing, but that's the way an sftp chroot jail works without changing the users' home directories in /etc/passwd.
0
 

Author Comment

by:snowdog_2112
Comment Utility
Nice!

I had edited ssh_config, not sshD_config....ugh..

I have ONE user for SFTP, and only ONE sftp user, so I set the home dir to the FTP folder.

My sftp client (FireFTP in Firefox) connects, prompts me for the cert - I accept, then it loops over and over "connecting"...then "authentication successful"...then it disconnects and repeats.

So, I think I'm *very* close on this - any suggestions?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
ssh_config is a system wide client configuration.
You need to edit sshd_config which is the sshd server settings configuration.
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
This sounds more like a general ssh problem than just an sftp problem.

Could you try connecting via ssh to your box, of course with a userid different from the sftp userid?

Anyway, if there is only one user the "Match" directive in sshd_config now probably looks like this:

Match User sftpuser
      ChrootDirectory /home/%u
      ForceCommand internal-sftp
      AllowTcpForwarding no

I forgot to mention that these "Match" directives must appear at the very end of sshd_config, sorry.

What do you mean with "I set the home dir to the FTP folder"?

The home dir of sftpuser as specified in /etc/passwd or the ChrootDirectory as specified in sshd_config?

Please remember, the final directory structure on the target server must look like this:

/chroot/dir/home/dir

where /chroot/dir must match the ChrootDirectory value of sshd_config and /home/dir must match the home directory setting of sftpuser in /etc/passwd.

Another thing I forgot to mention: All components of the path specified in ChrootDirectory ("/chroot/dir") of sshd_config must be owned by root and must not be writeable by any other user or group, i.e. owner root and maximum permissions 755 ("rwxr-xr-x").

Final question: Is there a possibility in FireFTP to set up some kind of tracing or debugging mode, so we can get some meaningful output?

wmp
0
 

Author Comment

by:snowdog_2112
Comment Utility
Thanks for the followup - that clarified the issue for me - but it's still not working from the client.

I removed the user and the folders and started clean.  Now I get logged on, and fireFTp does an "ls", but I see no files and get an error putting files.  I've put a test file in each folder to see where it is dropping me, but the "ls" comes up empty each time.

Match User is at the bottom of sshd_config.

Match User jail
        ChrootDirectory /ftproot/data
        ForceCommand internal-sftp
        AllowTcpForwarding no



FTP "root" folder:  /ftproot/data
(i.e., the root to the sftp user should be /ftproot/data

rmdir /ftproot/data
(ftproot still exists)
adduser jail -g sftpusers -m -n -d /ftproot/data
passwd jail

[root@bcm ftproot]# ls -l
total 12
drwx------. 4 root root 4096 Feb  5 08:48 data
-rw-------. 1 root    root      4835 Feb  1 09:43 test.txt
[root@bcmweb01 ftproot]#

mkdir /ftproot/data/ftproot/data   (in 2 commands)
chown jail:sftpusers /ftproot/data/ftproot and /ftproot/data/ftproot/data
chmod 755 /ftproot/data/ftproot and /ftproot/data/ftproot/data


error: Expected handle
0
 

Author Comment

by:snowdog_2112
Comment Utility
one other item, I see the sftp connections in /var/log/secure, but no ftp activity is logged in /var/log/secure, nor is there an sftp log file that I can find.
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
Looks good so far.

Is /ftproot owned by root and writeable only by the owner "root", not by group or others?

Which command caused this last error "Expected handle "?
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
sftp is quite different from ftp, so because sftp doesn't perform any ftp activity nothing is logged in that aspect.

sftp logging in a chroot jail is not very easy to accomplish.

If you really need it we can try to set it up.
0
 

Author Comment

by:snowdog_2112
Comment Utility
pardon the noobishness, but how can verify that only root has perms on /ftproot?

I did chown root:root /ftproot.

the "put readme.txt" from fireftp gives:

expected handle: / "c:\data\readme.txt" "readme.txt"
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
ls -ld /ftproot
0
 

Author Comment

by:snowdog_2112
Comment Utility
[root@web01 ~]# ls -ld /ftproot
drwxr-xr-x. 3 root root 4096 Feb  5 08:56 /ftproot
[root@web01 ~]#

Does that help?
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
So let's put it all together:

1) There is a user "jail" whose home directory is /ftproot/data. A password has been set by root and changed by "jail" so that the user is not prompted for a password change anymore.
2) /ftproot and /ftproot/data are owned by root and writeable by owner (root) only.
3) /ftproot/data contains subdirectories /ftproot/data/ftproot and /ftproot/data/ftproot/data, both owned and writeable by "jail".
4) The user "jail" is configured in a "Match" directive in sshd_config, specifying the ChrootDirectory as /ftproot/data.
5) sshd_config contains an entry "Subsystem       sftp    internal-sftp"

If you can confirm all of the above but can't use sftp nonetheless I'd suspect a problem with your client software "FireFTP".

Do you see a chance to connect using a different client, under Windows for example PuTTY's "psftp"?
If you don't have PuTTY, here it is. It's free, and the installation is really simple.
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
0
 

Author Comment

by:snowdog_2112
Comment Utility
1. correct.
2. correct, if the "ls -ld /ftproot" output verifies that.
3. correct, again the "ls -ld" on each of those shows "jail" and "sftpusers"
4 - 5.
Match User jail
        ChrootDirectory /ftproot/data
        ForceCommand internal-sftp
        AllowTcpForwarding no


PSFTP gives access denied for the user "jail"
open 10.0.0.27
login as: jail
jail@10.0.0.27's password:
Access denied

FireFTP shows:
Connected
Authentication successful (password)
Secsh channel 1 opened
Opened sftp connection (server version 3)
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
Remains this:

5) sshd_config contains an entry "Subsystem       sftp    internal-sftp"

This is not the "force" directive inside the "Match" block, it's an entry of its own!
0
 

Author Comment

by:snowdog_2112
Comment Utility
I also just tried WinSCP's sftp client and get a "Permission denied" error.

So, it seems like FireFTP is probably failing too, but just not reporting it correctly.

Can you list out the commands I should use to correctly add the user, then create and set up the directory structure with proper permissions (or do I have to have the directory tree set up before creating the user account)?  It "feels" like that is where the issue is, but I'm not linux-versed enough to know where I botched it.

Thanks again so much for your help!
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
Did you see my previous comment?

Besides that, I'm sure that the commands you used are all correct.

The user must be created first, and that's what you did, otherwise the "chown" commands would have failed.

You could of course post the output of:

ls -ld /ftproot
ls -ld /ftproot/data
ls -ld /ftproot/data/ftproot
ls -ld /ftproot/data/ftproot/data

id jail
grep jail /etc/passwd

grep sftp /etc/ssh/sshd_config

so I can verify the settings.
0
 

Author Comment

by:snowdog_2112
Comment Utility
Update:
I am getting logged in, and I get dumped /ftproot/data

In both cases, I cannot navigate into the /ftproot
For kicks, I changed the permissions and owner on the first-level data folder to the jailed user

/
  /ftproot   <-- root:root
    /data    <-- jail:sftpusers  <--sftp clients dump me here as "/"
      /ftproot  <--jail:sftpusers  <-- I was expecting to be dropped here.
        /data    <--jail:sftpusers  

Open in new window

0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
If you have this in sshd_config:

ChrootDirectory /ftproot/data

then /ftproot and /ftproot/data must be owned and writeable by root only.

The "ChrootDirectory" is (as its denomination implies) your new root, so of course /ftproot/data is your "/" now, and you cannot go any higher. That's what "chroot" is meant for.

You must carefully distinguish between what you see with "pwd" when logged in via sftp as opposed to what you see with a non-chrooted login.

When in your chroot jail you must in your mind always add "/ftproot/data" in front of what you see with "pwd" to know your "real" environment.
0
 

Author Comment

by:snowdog_2112
Comment Utility
Something is still not working.

With /ftproot/data owned and writeable by root only, I cannot even get logged on.

If I change the data folder, I can log in and see the files, but not put or get from the /ftproot/data folder (what should really be the data folder - where the files are supposed to go).  I am able to navigate into the second-level ftproot folder (i.e., /ftproot/data/ftproot) and put/get.

So, I am seeing everything below /ftproot, but can put/get only in the "copy" of that folder structure.

And I'm confused.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
Did you read my last comment carefully?

You will never see /ftproot/data, because /ftproot/data/ is your root.
0
 

Author Comment

by:snowdog_2112
Comment Utility
I have read your responses several times - I appreciate the time you have taken to post detailed information.

I am going to run through the setup steps on a clean OS, just to rule out something funky with anything I'd already done.   I will post back the results.
0
 

Author Comment

by:snowdog_2112
Comment Utility
argh....this is frustrating.  New server, no vsftpd installed (just to be sure).  I walked through the commands as best I can, and now I can't even log on with the sftp client.

I hate to trouble you, but can you walk through the command assuming no previous configuration.  Most guides talk about changing owner and permissions but don't detail the commands (again - 'nix n00b here, I'm a Windows guys by trade)

user: jail
password: 123456
group: sftpusers (no other members but "jail")
home dir: /home/jail
ftp files need to be in: /ftproot/data
sshd_config:                  
  #Subsystem      sftp    /usr/libexec/openssh/sftp-server
  Subsystem       sftp    internal-sftp

Match Group sftpusers
   ChrootDirectory ??????????  
   ForceCommand internal-sftp
   AllowTcpforwarding no
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
>> ftp files need to be in: /ftproot/data <<

This is the key. You want to have access to this directory, which means that the ChrootDirectory must be "/ftproot" and the user's home directory must be "/data" (sic!!).

This implies, however, that the user "jail" can see all the other directories under "/ftproot".

Explanation:

 "ChrootDirectory /ftproot" forces sftp to place the user into "/ftproot" first, making this directory appear to the user as "/". Next, the user is placed into their home directory, which is "/data" relative to "/ftproot". So the user sees this directory as "/data", but it's indeed "/ftproot/data"!

I'll repeat it: The user will not see it as "/ftproot/data", they will see this directory as "/data"!

A consequence of the above is that the user can successfully issue "cd .." or "cd /" which will place them into "/ftproot". The user sees this as "/" then, just to make it clear again.

Should there be other subdirectories than just "data" under "/ftproot" then the user will notice their presence, and if they're also owned and writeable by group "sftpusers" the user "jail" will get full access to them.

To implement the above:

- Change the home of jail to "/data":

usermod -d /data jail

- Set in sshd_config:

ChrootDirectory /ftproot

- Restart sshd

- Create "/ftproot" and set ownership/perms:

mkdir /ftproot
chown root /ftproot
chmod u+w /ftproot
chmod og-w /ftproot

- Create the "data" directory, set user, group and perms:

mkdir /ftproot/data
chown jail:sftpusers /ftproot/data
chmod u+w /ftproot

In this last command you can also use "ug+w" which will additionally make the "data" directory writeable by group "sftpusers".


Now it should work. Don't hesitate to ask for more assistance if you have trouble with all the above.
0
 

Author Comment

by:snowdog_2112
Comment Utility
Thanks for the immense detail!!!!
I've read through this, but not able to test it out yet.  Will post back.
0
 

Author Comment

by:snowdog_2112
Comment Utility
Still getting "access denied" when logging in using WinSCP sftp.  Also, an sftp jail@127.0.0.1 from the ssh session itself gives a "couldn't get handle" when trying an "ls"

Your statement:
- Set in sshd_config:

ChrootDirectory /ftproot

Are you talking about the ChrootDirectory in the "Match User" section or the general section?
I assume the Match User seccion, but I have tried it in both - the general section prevents me from SSH'ing even as root.

Also, in this block, I wasn't sure if the last line was supposed to be /ftproot/data or just /ftproot.  I've tried it both ways - access denied both ways.


mkdir /ftproot/data
chown jail:sftpusers /ftproot/data
chmod u+w /ftproot
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
1) That's meant to be put inside the Match block.

2) Sorry for the typo, it's of course chmod u+w /ftproot/data

3) Errors with "ls" are most often an indication that "Subsystem       sftp    internal-sftp" is not set in sshd_config (outside the Match block!).

I don't have any explanation for the "access denied" thing, sorry.
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
OK,

now I reproduced the suggested setup on a clean machine here, and everything works just fine.

I can transfer files by means of sftp (Linux and AIX), psftp (Windows) and Winscp (Windows, in sftp mode without the "scp" fallback option).

So I can only suggest again what I already suggested above:

Please post the output of

ls -ld /ftproot
ls -ld /ftproot/data

id jail
grep jail /etc/passwd
grep sftpusers /etc/group

grep sftp /etc/ssh/sshd_config

grep -i -A 10 "Match Group sftpusers" /etc/ssh/sshd_config

grep  Protocol /etc/ssh/sshd_config


so I could check your setup.

FYI, here are the results of the above commands as obtained from my machine, plus a bit output from sftp testing::

#ls -ld /ftproot
drwxr-xr-x    4 root     system         256 Feb 15 09:27 /ftproot/

#ls -ld /ftproot/data
drwxr-xr-x    2 jail     sftpusers      256 Feb 15 09:47 /ftproot/data/

#id jail
uid=205(jail) gid=202(sftpusers) groups=1(staff)

#grep jail /etc/passwd
jail:!:205:202::/data:/usr/bin/ksh

#grep sftpusers /etc/group
sftpusers:!:202:jail


#grep sftp /etc/ssh/sshd_config
Subsystem       sftp    internal-sftp
        ForceCommand internal-sftp

#grep -i -A 10 "Match Group sftpusers" /etc/ssh/sshd_config
Match group sftpusers
        ChrootDirectory /ftproot
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

#grep Protocol /etc/ssh/sshd_config
Protocol 2,1

#sftp jail@localhost
jail's Password:
Connected to localhost.
sftp> pwd
Remote working directory: /data
sftp> cd ..
sftp> pwd
Remote working directory: /
sftp> cd data
sftp> pwd
Remote working directory: /data
sftp> ls
xxx
sftp> ls -l
-rw-r--r--    1 jail     sftpusers        0 Feb 15 09:21 xxx
sftp> put testfile
Uploading testfile to /data/testfile
testfile                                  100%   724     0.7KB/s   00:00
sftp> ls -l
-rw-r--r--    1 jail     sftpusers        0 Feb 15 09:21 xxx
-rw-r--r--    1 jail     sftpusers      724 Feb 15 09:39 testfile
sftp> exit

#ls -l /ftproot/data
-rw-r--r--    1 jail     sftpusers        0 Feb 15 09:21 xxx
-rw-r--r--    1 jail     sftpusers      724 Feb 15 09:39 testfile

Open in new window

0
 

Author Comment

by:snowdog_2112
Comment Utility
Everything matches except the end result.  Get "access denied" from WinSCP and the results below from the console.

[root@host01 /]# ls -ld /ftproot
drwxr-xr-x. 3 root root 4096 Feb 18 09:25 /ftproot

[root@host01 /]# ls -ld /ftproot/data
drwxrwxr-x. 2 jail ftpusers 4096 Feb 18 09:25 /ftproot/data

[root@host01 /]# id jail
uid=500(jail) gid=501(ftpusers) groups=501(ftpusers)

[root@host01 /]# grep jail /etc/passwd
jail:x:500:501::/data:/bin/bash


[root@host01 /]# grep jail /etc/group
jail:x:500:
ftpusers:x:501:jail

[root@host01 /]# grep sftp /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp
        ForceCommand internal-sftp

[root@host01 /]# grep -i -A 10 "Match User jail" /etc/ssh/sshd_config
Match User jail
        ChrootDirectory /ftproot
        ForceCommand internal-sftp
        AllowTcpforwarding no
        X11Forwarding no


[root@host01 /]# grep Protocol /etc/ssh/sshd_config
Protocol 2,1

[root@host01 /]# sftp jail@localhost
Connecting to localhost...
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
jail@localhost's password:
sftp> pwd
Remote working directory: /data
sftp> cd ..
sftp> pwd
Remote working directory: /
sftp> ls
Couldn't get handle: Permission denied
sftp>

Open in new window

0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
The only possible thing I can think of is that your WinSCP configuration is trying to start in a directory to which you have no access.

Can you post an image of winscp before you make the connection attempt?
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
Last option I can think of for the moment is SELinux.

Check with "sestatus".

Here is how to disbale/enable it:
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html

Chapters 44-46 of the above guide have the complete info about Security and SELinux:
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/selg-overview.html
0
 

Author Comment

by:snowdog_2112
Comment Utility
Do you mean a local directory on the source host (i.e., the Windows box)?  

I'm also getting the "couldn't get handle" error running sftp from and SSH session to the host (logged in ssh as root, then sftp jail@localhost).

Here is the log from the WinSCP attempt - more detail than the screenshot.  (I've tried changing settings in WinSCP and get different types of errors, but given that sftp from the local console also gives an error, I don't think it's a WinSCP problem...or at least not *only* a WinSCP problem).

. 2013-02-18 09:58:25.534 Looking up host "10.0.0.31" (IPv4)
. 2013-02-18 09:58:25.534 Connecting to 10.0.0.31 port 22
. 2013-02-18 09:58:25.535 Selecting events 63 for socket 1092
. 2013-02-18 09:58:25.582 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.582 Looking for incoming data
. 2013-02-18 09:58:25.582 Looking for network events
. 2013-02-18 09:58:25.582 Detected network event
. 2013-02-18 09:58:25.582 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.582 Enumerated 19 network events making 19 cumulative events for socket 1092
. 2013-02-18 09:58:25.582 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.582 Server version: SSH-1.99-OpenSSH_5.3
. 2013-02-18 09:58:25.582 Using SSH protocol version 2
. 2013-02-18 09:58:25.582 We claim version: SSH-2.0-WinSCP_release_5.1.2
. 2013-02-18 09:58:25.582 Handling network write event on socket 1092 with error 0
. 2013-02-18 09:58:25.582 Handling network connect event on socket 1092 with error 0
. 2013-02-18 09:58:25.582 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.582 Looking for incoming data
. 2013-02-18 09:58:25.582 Looking for network events
. 2013-02-18 09:58:25.583 Detected network event
. 2013-02-18 09:58:25.583 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.583 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.583 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.583 Doing Diffie-Hellman group exchange
. 2013-02-18 09:58:25.583 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.583 Looking for incoming data
. 2013-02-18 09:58:25.583 Looking for network events
. 2013-02-18 09:58:25.585 Detected network event
. 2013-02-18 09:58:25.585 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.585 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.585 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.585 Doing Diffie-Hellman key exchange with hash SHA-1
. 2013-02-18 09:58:25.655 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.655 Looking for incoming data
. 2013-02-18 09:58:25.655 Looking for network events
. 2013-02-18 09:58:25.660 Detected network event
. 2013-02-18 09:58:25.660 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.660 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.660 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.761 Verifying host key rsa2 0x23,0xd765bf1043aa74f8b94190e571d5964d354a4d79c0a298fdca6cdf2b13279cf359e1bd786337b61dcb23970d00cd6a6f8c663143e0810f2f1dcc8ca0b8562cc0b78137ad0ea77881def938894047dffd23832ea53ad313a4473e3ee75b09fb0030d222fbdc0e147087cee07db1d9fc2acdf1a5a5b981d2d2f9bdef965ee8895a065ba640f8ede969a57bb4d0f0122cafa108308c30701f011eece17916b32c69a59293d09719c4c94ca8299fb92294257c380443eae682fc86e06d3569a4dc4f5a971586eb7632549c817d16add8bcb8d57b6b365da140b4f7f18e28288dec499be5ac324064e5a0555a3cd2ce8671a78ebbf4656171c84984b098020a7924a3 with fingerprint ssh-rsa 2048 81:c7:79:e9:14:17:00:39:9a:f6:0b:64:2d:56:2b:94
. 2013-02-18 09:58:25.788 Host key matches cached key
. 2013-02-18 09:58:25.788 Selecting events 63 for socket 1092
. 2013-02-18 09:58:25.788 Host key fingerprint is:
. 2013-02-18 09:58:25.788 ssh-rsa 2048 81:c7:79:e9:14:17:00:39:9a:f6:0b:64:2d:56:2b:94
. 2013-02-18 09:58:25.788 Initialised AES-256 SDCTR client->server encryption
. 2013-02-18 09:58:25.788 Initialised HMAC-SHA1 client->server MAC algorithm
. 2013-02-18 09:58:25.788 Initialised AES-256 SDCTR server->client encryption
. 2013-02-18 09:58:25.788 Initialised HMAC-SHA1 server->client MAC algorithm
. 2013-02-18 09:58:25.788 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.788 Looking for incoming data
. 2013-02-18 09:58:25.788 Looking for network events
. 2013-02-18 09:58:25.824 Detected network event
. 2013-02-18 09:58:25.824 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.824 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.824 Handling network read event on socket 1092 with error 0
! 2013-02-18 09:58:25.824 Using username "jail".
. 2013-02-18 09:58:25.836 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.836 Looking for incoming data
. 2013-02-18 09:58:25.836 Looking for network events
. 2013-02-18 09:58:25.837 Detected network event
. 2013-02-18 09:58:25.837 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.837 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.837 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.837 Prompt (7, SSH password, , &Password: )
. 2013-02-18 09:58:25.837 Using stored password.
. 2013-02-18 09:58:25.884 Sent password
. 2013-02-18 09:58:25.884 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.884 Looking for incoming data
. 2013-02-18 09:58:25.884 Looking for network events
. 2013-02-18 09:58:25.898 Detected network event
. 2013-02-18 09:58:25.898 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.898 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.899 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.899 Access granted
. 2013-02-18 09:58:25.899 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.899 Looking for incoming data
. 2013-02-18 09:58:25.899 Looking for network events
. 2013-02-18 09:58:25.954 Detected network event
. 2013-02-18 09:58:25.954 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.954 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.954 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.954 Opened channel for session
. 2013-02-18 09:58:25.954 Waiting for the server to continue with the initialisation
. 2013-02-18 09:58:25.954 Looking for incoming data
. 2013-02-18 09:58:25.954 Looking for network events
. 2013-02-18 09:58:25.957 Detected network event
. 2013-02-18 09:58:25.957 Enumerating network events for socket 1092
. 2013-02-18 09:58:25.957 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:25.957 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:25.957 Started a shell/command
. 2013-02-18 09:58:25.976 --------------------------------------------------------------------------
. 2013-02-18 09:58:25.976 Using SFTP protocol.
. 2013-02-18 09:58:25.976 Doing startup conversation with host.
. 2013-02-18 09:58:25.976 Session upkeep
. 2013-02-18 09:58:25.977 Looking for network events
. 2013-02-18 09:58:25.977 Timeout waiting for network events
> 2013-02-18 09:58:26.023 Type: SSH_FXP_INIT, Size: 5, Number: -1
> 2013-02-18 09:58:26.023 01,00,00,00,05,
. 2013-02-18 09:58:26.023 Sent 9 bytes
. 2013-02-18 09:58:26.023 There are 0 bytes remaining in the send buffer
. 2013-02-18 09:58:26.023 Looking for network events
. 2013-02-18 09:58:26.023 Timeout waiting for network events
. 2013-02-18 09:58:26.024 Waiting for another 4 bytes
. 2013-02-18 09:58:26.024 Looking for incoming data
. 2013-02-18 09:58:26.024 Looking for network events
. 2013-02-18 09:58:26.024 Detected network event
. 2013-02-18 09:58:26.024 Enumerating network events for socket 1092
. 2013-02-18 09:58:26.024 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:26.024 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:26.024 Received 99 bytes (0)
. 2013-02-18 09:58:26.024 Read 4 bytes (95 pending)
. 2013-02-18 09:58:26.024 Read 95 bytes (0 pending)
< 2013-02-18 09:58:26.024 Type: SSH_FXP_VERSION, Size: 95, Number: -1
< 2013-02-18 09:58:26.024 02,00,00,00,03,00,00,00,18,70,6F,73,69,78,2D,72,65,6E,61,6D,65,40,6F,70,65,
< 2013-02-18 09:58:26.024 6E,73,73,68,2E,63,6F,6D,00,00,00,01,31,00,00,00,13,73,74,61,74,76,66,73,40,
< 2013-02-18 09:58:26.024 6F,70,65,6E,73,73,68,2E,63,6F,6D,00,00,00,01,32,00,00,00,14,66,73,74,61,74,
< 2013-02-18 09:58:26.024 76,66,73,40,6F,70,65,6E,73,73,68,2E,63,6F,6D,00,00,00,01,32,
. 2013-02-18 09:58:26.024 SFTP version 3 negotiated.
. 2013-02-18 09:58:26.024 Unknown server extension posix-rename@openssh.com="1"
. 2013-02-18 09:58:26.024 Unknown server extension statvfs@openssh.com="2"
. 2013-02-18 09:58:26.024 Unknown server extension fstatvfs@openssh.com="2"
. 2013-02-18 09:58:26.024 We believe the server has signed timestamps bug
. 2013-02-18 09:58:26.024 We will use UTF-8 strings for status messages only
. 2013-02-18 09:58:26.024 Limiting packet size to OpenSSH sftp-server limit of 262148 bytes
. 2013-02-18 09:58:26.070 Changing directory to "/".
. 2013-02-18 09:58:26.070 Getting real path for '/'
> 2013-02-18 09:58:26.070 Type: SSH_FXP_REALPATH, Size: 10, Number: 3856
> 2013-02-18 09:58:26.070 10,00,00,0F,10,00,00,00,01,2F,
. 2013-02-18 09:58:26.070 Sent 14 bytes
. 2013-02-18 09:58:26.070 There are 0 bytes remaining in the send buffer
. 2013-02-18 09:58:26.070 Looking for network events
. 2013-02-18 09:58:26.070 Timeout waiting for network events
. 2013-02-18 09:58:26.070 Waiting for another 4 bytes
. 2013-02-18 09:58:26.070 Looking for incoming data
. 2013-02-18 09:58:26.070 Looking for network events
. 2013-02-18 09:58:26.070 Detected network event
. 2013-02-18 09:58:26.070 Enumerating network events for socket 1092
. 2013-02-18 09:58:26.070 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:26.070 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:26.070 Received 27 bytes (0)
. 2013-02-18 09:58:26.070 Read 4 bytes (23 pending)
. 2013-02-18 09:58:26.070 Read 23 bytes (0 pending)
< 2013-02-18 09:58:26.070 Type: SSH_FXP_NAME, Size: 23, Number: 3856
< 2013-02-18 09:58:26.070 68,00,00,0F,10,00,00,00,01,00,00,00,01,2F,00,00,00,01,2F,00,00,00,00,
. 2013-02-18 09:58:26.070 Real path is '/'
. 2013-02-18 09:58:26.070 Trying to open directory "/".
> 2013-02-18 09:58:26.070 Type: SSH_FXP_LSTAT, Size: 10, Number: 4103
> 2013-02-18 09:58:26.070 07,00,00,10,07,00,00,00,01,2F,
. 2013-02-18 09:58:26.070 Sent 14 bytes
. 2013-02-18 09:58:26.070 There are 0 bytes remaining in the send buffer
. 2013-02-18 09:58:26.070 Looking for network events
. 2013-02-18 09:58:26.070 Timeout waiting for network events
. 2013-02-18 09:58:26.070 Waiting for another 4 bytes
. 2013-02-18 09:58:26.070 Looking for incoming data
. 2013-02-18 09:58:26.070 Looking for network events
. 2013-02-18 09:58:26.070 Detected network event
. 2013-02-18 09:58:26.070 Enumerating network events for socket 1092
. 2013-02-18 09:58:26.070 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:26.070 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:26.071 Received 41 bytes (0)
. 2013-02-18 09:58:26.071 Read 4 bytes (37 pending)
. 2013-02-18 09:58:26.071 Read 37 bytes (0 pending)
< 2013-02-18 09:58:26.071 Type: SSH_FXP_ATTRS, Size: 37, Number: 4103
< 2013-02-18 09:58:26.071 69,00,00,10,07,00,00,00,0F,00,00,00,00,00,00,10,00,00,00,00,00,00,00,00,00,
< 2013-02-18 09:58:26.071 00,00,41,ED,51,22,47,8F,51,22,47,CD,
. 2013-02-18 09:58:26.071 Getting current directory name.
. 2013-02-18 09:58:26.207 Listing directory "/".
> 2013-02-18 09:58:26.207 Type: SSH_FXP_OPENDIR, Size: 10, Number: 4363
> 2013-02-18 09:58:26.207 0B,00,00,11,0B,00,00,00,01,2F,
. 2013-02-18 09:58:26.207 Sent 14 bytes
. 2013-02-18 09:58:26.207 There are 0 bytes remaining in the send buffer
. 2013-02-18 09:58:26.207 Looking for network events
. 2013-02-18 09:58:26.207 Timeout waiting for network events
. 2013-02-18 09:58:26.207 Waiting for another 4 bytes
. 2013-02-18 09:58:26.207 Looking for incoming data
. 2013-02-18 09:58:26.207 Looking for network events
. 2013-02-18 09:58:26.207 Detected network event
. 2013-02-18 09:58:26.207 Enumerating network events for socket 1092
. 2013-02-18 09:58:26.207 Enumerated 1 network events making 1 cumulative events for socket 1092
. 2013-02-18 09:58:26.207 Handling network read event on socket 1092 with error 0
. 2013-02-18 09:58:26.207 Received 38 bytes (0)
. 2013-02-18 09:58:26.207 Read 4 bytes (34 pending)
. 2013-02-18 09:58:26.207 Read 34 bytes (0 pending)
< 2013-02-18 09:58:26.207 Type: SSH_FXP_STATUS, Size: 34, Number: 4363
< 2013-02-18 09:58:26.207 65,00,00,11,0B,00,00,00,03,00,00,00,11,50,65,72,6D,69,73,73,69,6F,6E,20,64,
< 2013-02-18 09:58:26.207 65,6E,69,65,64,00,00,00,00,
< 2013-02-18 09:58:26.207 Status code: 3, Message: 4363, Server: Permission denied, Language:  
* 2013-02-18 09:58:26.299 (ECommand) Error listing directory '/'.
* 2013-02-18 09:58:26.299 Permission denied.
* 2013-02-18 09:58:26.299 Error code: 3
* 2013-02-18 09:58:26.299 Error message from server: Permission denied
* 2013-02-18 09:58:26.299 Request code: 11
. 2013-02-18 09:58:27.199 Session upkeep
. 2013-02-18 09:58:27.199 Looking for network events
. 2013-02-18 09:58:27.199 Timeout waiting for network events
. 2013-02-18 09:58:28.099 Session upkeep
. 2013-02-18 09:58:28.099 Looking for network events
. 2013-02-18 09:58:28.099 Timeout waiting for network events
. 2013-02-18 09:58:28.999 Session upkeep
. 2013-02-18 09:58:28.999 Looking for network events
. 

Open in new window

0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
You are trying to access / and listing the contents which is when the error is seen.
0
 

Author Comment

by:snowdog_2112
Comment Utility
I assumed the "default" client setting would drop me into the chroot directory.  I tried changing the startup directory in the sftp client to /data and that gives me the same "access denied".  If I use "data" (no slash), it gives "no such file or direcotry".  I also tried "."

I must be missing something super simple, but I have no idea what or where to even look.

I tried a clean OS install with no other applications, and get the same results.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
no way for me to know whether you should use /jail?
0
 

Author Comment

by:snowdog_2112
Comment Utility
do I have any other options at this point?  I've followed every instruction to the letter without success.  I've tried variations and tweaking, without success.  Different servers - even a clean OS install with nothing else.

I don't know where else to go with this - unless someone can walk through the exact commands 100% start to finish, and I copy/paste them.  

Thanks again so much for your help thus far!
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
Comment Utility
OK, so let's start over.

Do you have a clean system available with nothing else than a fresh OpenSSH (server and client) installation?

If you don't, please take your existing machine and remove the "/ftproot" directory and everything below it and remove the user "jail" and the group "ftpusers", and try to get back the default sshd_config and ssh_config files, maybe from a backup, or deinstall/reinstall OpenSSH.

Once such a system is available proceed (as root) like this:

- Create user and group

groupadd ftpusers

useradd -g ftpusers -d /data jail


-- set a password for "jail" when prompted:

passwd jail

-- Now log in as jail and set a new password when prompted, then log out as jail, log in as root.

- Create directories/set permissions

mkdir /ftproot
chown root /ftproot
chmod go-w /ftproot

mkdir /ftproot/data
chown jail:ftpusers /ftproot/data
chmod o-w /ftproot/data


- Modify /etc/ssh/sshd_config

Open the file using a Unix editor of your choice (e.g. vi) and

-- change

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

to

Subsystem       sftp    internal-sftp

-- make sure that the below entry is present

Protocol 2,1

-- add at the very end of sshd_config

Match User jail
        ChrootDirectory /ftproot
        ForceCommand internal-sftp
        AllowTcpforwarding no
        X11Forwarding no


- Check /etc/ssh/ssh_config

-- make sure that this entry is present under a "Host *" stanza:

Protocol 2

- Restart sshd or reboot the machine.

---------------------------

Tests:

- Create a file in your current directory named "testfile"

echo "This is the sftp chroot test file" > testfile

- Run the following commands:

sftp jail@localhost

You should see (enter the password when prompted):

Connecting to localhost...
jail's Password:
sftp>

sftp> pwd

You should see:

Remote working directory: /data
sftp>

sftp> put testfile

You should see:

Uploading testfile to /data/testfile
testfile                                                            100%   34     0.0KB/s   00:00    
sftp>


sftp> ls

You should see:

testfile
sftp>

sftp> ls -l

You should see:

-rw-r--r--    1 jail     sftpusers       34 Feb 22 11:51 testfile
sftp>

sftp> exit

You should see your shell prompt.

[root@host01 /]#

Now issue:

ls -l /ftproot/data

You should see:

total 8
-rw-r--r--    1 jail     sftpusers       34 Feb 22 11:51 testfile
---------------------------

The above is exactly what I did on a clean machine, including the tests which worked perfectly.

ssh -V on that machine gives:

OpenSSH_5.8p1, OpenSSL 0.9.8r 8 Feb 2011
---------------------------
Good luck!

wmp
0
 

Author Comment

by:snowdog_2112
Comment Utility
Was off on another set of issues - so I'm just getting back to this.  I'll walk it through on another clean OS install and report back.  Thanks again so much for your persistence!
0
 

Author Comment

by:snowdog_2112
Comment Utility
Could this be an issue with OpenSSH_5.3p1?

ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
OpenSSH 5.3 supports chrooting, yet it's one of the first, if not the very first version to support it.

Did you check SELinux as I pointed out in my comment [url="http://www.experts-exchange.com/Security/Operating_Systems_Security/Linux/Q_28017145.html#a38902085"|38902085[/url] above?
0
 

Author Closing Comment

by:snowdog_2112
Comment Utility
Thank you so much for your persistence on this!  It's an awful lot of work for 500 points.  I can ask it again and give you another 500!
0
 

Author Comment

by:snowdog_2112
Comment Utility
Update: I went back to the original system that was giving me problems and did *NOT* disable selinux (it is set to "permissive") and the procedure you outlined also works.

Could it be a difference in the chmod/chown commands?
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now