Using the new chroot jail SFTP server in OpenSSH 5.1

Jeremiah - Posted on 20 November 2008

It seems like a fairly common occurrence that I'm asked to set up a secure FTP server for one reason or another. Typically I use vsftp and lock it down pretty well. As a plain-jane FTP server, vsftp is pretty good. But the FTP protocol itself doesn't have the encrypted transfer capabilities that I'd like to see. OpenSSH 5.1 has a new "internal-sftp" server which allows you to deny shell access to SFTP users as well as put them in a kind of chroot jail. It's exactly what I need, and pretty easy to set up though it's not without its gotchas. I'm running it on a Debian 4.0 (Etch) machine, but it'll compile on many UNIX-y platforms.
 
My needs are simple, so I built it with few options:
$ ./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
$ make
$ sudo make install
 
Now I need to edit the end of the sshd_config file in /etc/ssh/:
Subsystem sftp internal-sftp
# These lines must appear at the *end* of the sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
 
Now I just restart the ssh service and I'm in business. Of course I have to create user accounts to utilize the SFTP server:
# Create the sftponly group that will ensure they're chrooted at login 
groupadd sftponly
# Create a new user with no interactive shell and put them in my 'sftponly' group.
useradd -s /bin/false -m -d /home/sftpfred -c "Fred SFTP" -g sftponly sftpfred
 
# Create a password for the new user
passwd sftpfred
 
# The internal-sftp server checks all directories leading up to the user's home directory to ensure they're owned by root (see here: www.tenshu.net)
chown root /home/sftpfred
 
# In order for the user to upload content they'll need a directory with the proper permissions
mkdir -m 755 /home/sftpfred/upload
 
# Then we just need to make sure the ownership of that directory is copacetic
chown sftpfred /home/sftpfred/upload
 
The problem I ran into was not having the users' home directory owned by root. I got this error in my auth.log:
Nov 18 12:13:34 debian-server sshd[17292]: fatal: bad ownership or modes for chroot directory "/home/sftpfred"
 
These wind up being my permissions:
# For the home directory
drwxr-xr-x 3 root sftponly       4096 Nov 18 13:55 sftpfred/
# And for the upload directory
drwxr-xr-x 2 sftpfred root 4096 Nov 18 13:56 upload
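
A pre-flight check for the ownership rule behind the auth.log error above, as an added example that is not part of the original post: it walks the chroot directory and every parent up to /, and flags any component that is not root-owned or that is writable by group or others. The function names are hypothetical, and it assumes a stat(1) that supports -L and -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes a stat(1) that supports -L and -c (GNU coreutils or BusyBox).

# component_ok UID OCTAL_MODE
# Succeeds only for a root-owned entry with no group/other write bit,
# which is what the "bad ownership or modes" error complains about.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group-write and other-write bits.
    [ "$(( 0$mode & 022 ))" -eq 0 ]
}

# check_chroot_path DIR
# Walks DIR and every parent up to /, reporting each component.
# Returns 0 if all pass, 1 if any fails, 2 if DIR is not absolute.
check_chroot_path() {
    path=$1
    rc=0
    case $path in
        /*) ;;
        *) echo "not an absolute path: $path" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$path" ]; then
            echo "BAD  $path (not a directory)"
            rc=1
        else
            set -- $(stat -L -c '%u %a' "$path")
            if component_ok "$1" "$2"; then
                echo "ok   $path (uid=$1 mode=$2)"
            else
                echo "BAD  $path (uid=$1 mode=$2)"
                rc=1
            fi
        fi
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return "$rc"
}

# Run as: sh check_chroot.sh /home/sftpfred
[ "$#" -eq 0 ] || check_chroot_path "$1"
```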
 
Now I just test that I can't log in with an interactive shell for that account, and that I can upload to the ~/upload directory using sftp:
ssh sftpfred@debian-server
sftp sftpfred@debian-server
 
Besides www.tenshu.net, another great reference for me was this site: www.minstrel.org.uk