create sftp account
Dears
I created an SFTP account for one directory, see below:
[root@NACAPP1S ~]# groupadd sftpusers
[root@NACAPP1S ~]# useradd -g sftpusers -d /conf -s /sbin/nologin mtsftp
[root@NACAPP1S ~]#
[root@NACAPP1S ~]# passwd mtsftp
Changing password for user mtsftp.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@NACAPP1S ~]#
[root@NACAPP1S ~]#
[root@NACAPP1S ~]# grep mtsftp /etc//passwd
mtsftp:x:500:500::/conf:/sbin/nologin
[root@NACAPP1S ~]#
I added these lines to /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /opt/na/%u
ForceCommand internal-sftp
and I commented out:
#Subsystem sftp /usr/libexec/openssh/sftp-server
[root@NACAPP1S ~]# mkdir /opt/na/telephoneInerface
[root@NACAPP1S ~]# mkdir /opt/na/telephoneInerface/conf
[root@NACAPP1S ~]# chown mtsftp:sftpusers /opt/na/telephoneInerface/conf
[root@NACAPP1S ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
But when I try to connect from another server in the same address range (from which I can access it via SSH), I receive this message:
[root@NACAPP2P ~]# sftp mtsftp@10.80.214.106
Connecting to 10.80.214.106...
mtsftp@10.80.214.106's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
[root@NACAPP2P ~]#
Please could you help me?
Responses
Which OS version are you using for the SFTP server?
Since your real /etc/passwd is specifying the home directory of the mtsftp user as /conf, you'll probably need to create a symbolic link like this:
ln -s /opt/na/mtsftp/conf /conf
... so that the user's home directory path as specified in /etc/passwd will be "true" both within the chroot and without.
Also, you really should review the messages logged by sshd at the time you made the failed sftp connection attempt (see both /var/log/secure and /var/log/messages). It is likely that sshd has logged the reason why it aborted the connection.
(No, sshd won't send that information to the as-yet unauthenticated client - if the client is a bad guy trying something that's not going to work anyway, it's better if the bad guy stays unaware and wastes his/her time in useless attempts. A legitimate user can get the error information by contacting the server administrator.)
I've now tested by following exactly your procedure in your initial post. A login attempt will result in an error message in /var/log/secure:
<timestamp> <hostname> sshd[<PID number>] fatal: safely_chroot: stat("/opt/na/mtsftp"): No such file or directory
and indeed you did not create such a directory.
The sshd_config snippet
Match Group sftpusers
ChrootDirectory /opt/na/%u
ForceCommand internal-sftp
means: "for every user that is in sftpusers group, chroot them into /opt/na/<username> and force them to use the SFTP only, using the internal-sftp functionality". If /opt/na/mtsftp does not exist, then user mtsftp's SFTP connection attempt will fail. And if your intention is to allow access to /opt/na/telephoneInerface/conf only, this is not what you want anyway.
If you want to chroot only the mtsftp user, and set the chroot directory as /opt/na/telephoneInerface/conf, you should tell it exactly what you want instead:
Match User mtsftp
ChrootDirectory /opt/na/telephoneInerface/conf
ForceCommand internal-sftp
Use this instead of the previous sshd_config snippet, and it will work.
Ensure that the parent directory "/opt/na/telephoneInerface" is owned by root and does not offer group-writable permissions. This is a necessary restriction imposed by the ChrootDirectory parameter of sshd.
chown root:root /opt/na/telephoneInerface
chmod go-w /opt/na/telephoneInerface
chown mtsftp:sftpusers /opt/na/telephoneInerface/conf
chmod ug+rwX /opt/na/telephoneInerface/conf
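The ownership and mode rule discussed above, as an added example that is not part of this thread: a POSIX shell script that expands %u the way sshd does and then walks every component of the resulting ChrootDirectory (the final directory included) with the same test sshd's chroot code applies, so a bad path is found before restarting sshd and digging through /var/log/secure. It assumes GNU stat (Linux); the /opt/na/%u directive and the mtsftp user are the poster's own values.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the test sshd applies to a
# ChrootDirectory: every path component must exist, be owned by root and not
# be writable by group or others. On failure sshd drops the session and logs
# why in /var/log/secure; the client only sees "Broken pipe".

# expand_chroot DIRECTIVE USER: substitute the user name for %u
# (sshd also expands %h and %%; only %u is handled here).
expand_chroot() {
    printf '%s\n' "$1" | sed "s/%u/$2/g"
}

# component_ok UID OCTAL_MODE: the rule sshd applies to one directory;
# 022 masks the group-write and other-write bits of the octal mode.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path PATH: walk from "/" downwards, print the first component
# sshd would reject and return 1; return 0 when every component passes.
check_chroot_path() {
    old_ifs=$IFS
    IFS=/; set -f; set -- $1; set +f   # split on "/" without globbing
    IFS=$old_ifs
    component=""
    for part in "$@"; do
        [ -n "$part" ] || continue      # empty part before the leading "/"
        component="$component/$part"
        if [ ! -d "$component" ]; then
            printf 'stat(%s): No such file or directory\n' "$component"
            return 1
        fi
        owner=$(stat -c '%u' "$component")  # numeric owner uid (GNU stat)
        mode=$(stat -c '%a' "$component")   # permission bits in octal
        if ! component_ok "$owner" "$mode"; then
            printf 'bad ownership or modes for %s (uid %s, mode %s)\n' \
                "$component" "$owner" "$mode"
            return 1
        fi
    done
    return 0
}

# The poster's directive and user: /opt/na/%u becomes /opt/na/mtsftp, which was
# never created, so the check reports the directory sshd complained about.
chroot_dir=$(expand_chroot "/opt/na/%u" mtsftp)
if check_chroot_path "$chroot_dir"; then
    printf '%s passes the sshd chroot checks\n' "$chroot_dir"
fi
```

Run it as root on the SFTP server with the ChrootDirectory you intend to use; a directory that passes here is one sshd will accept, and the diagnostic for one that fails matches what sshd writes to /var/log/secure.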
