Introduction

In a previous article we demonstrated the process involved in configuring a chrooted sftp account on a Linux system.
Although the process is fairly straightforward you might face issues during the setup if you do not follow the steps exactly to the tee or if you are consulting multiple sources. In this article, we’ll describe three common troubleshooting scenarios due to which your chrooted sftp configuration might fail.

Scenario 1: Incorrect ownership and permissions:
A chrooted setup demands that the user home directory must be owned by root. Let us consider the user we tested in our previous article. The user name was sahil for which the chrooted home directory was /chroots/sahil/ and the directory accessible to the user as it’s home directory was /chroots/sahil/myhome. For the setup to work correctly the directory /chroots/sahil/ should be root owned.  In case the owner of the chrooted home directory is the user itself as shown below then the setup will not work:

[root@linuxnix ~]# ls -ld /chroots/sahil/
drwxr-xr-x. 3 sahil root 4096 Jul 19 22:42 /chroots/sahil/
[root@linuxnix ~]#

If we try to login as the user sahil using sftp we face the following error:

[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
[root@linuxnix ~]#

If we take a look at the /var/log/secure file we’ll find the following error message logged for our login attempt:

Jul 20 06:48:14 linuxnix sshd[4952]: Accepted password for sahil from 192.168.19.128 port 44703 ssh2
Jul 20 06:48:14 linuxnix sshd[4952]: pam_unix(sshd:session): session opened for user sahil by (uid=0)
Jul 20 06:48:14 linuxnix sshd[4956]: fatal: bad ownership or modes for chroot directory "/chroots/sahil"
Jul 20 06:48:14 linuxnix sshd[4952]: pam_unix(sshd:session): session closed for user sahil
[root@linuxnix ~]#

The credentials we supplied were correct but we were denied login due to bad ownership since the chrooted home directory /chroots/sahil was not owned by root.

Another common step we are familiar with while creating user accounts is that the users’ home directory must not be accessible by others. But in case of a chrooted sftp setup if the home directory /chroots/sahil or /home/sahil is not accessible to others then the user itself will not have permissions to perform any action. To demonstrate I setup the permissions of the directory /chroots/sahil/ to 750.

[root@linuxnix ~]# ls -ld /chroots/sahil/
drwxr-x---. 3 root root 4096 Jul 19 22:42 /chroots/sahil/
[root@linuxnix ~]#

Now when I try to login as the user sahil, I’m able to do so but I get a permission denied error when I execute the ls command:

[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
sftp> ls
Couldn't get handle: Permission denied
sftp> pwd
Remote working directory: /
sftp> ^D

Scenario 2: SELinux is enabled
In case you have SELinux running in enforcing mode you will need to run the below command to allow users to be able to write into their chrooted home directories:

# setsebool -P ssh_chroot_rw_homedirs on

If you do not execute the above command then you’ll get permission denied errors if you run any command durng your sftp session.

[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
sftp> ls
Couldn't get handle: Permission denied
sftp> ls
Couldn't get handle: Permission denied
sftp> pwd
Remote working directory: /myhome
sftp> ^D

The alternative to this would be disabling SELinux altogether which is not recommended.

Scenario 3: Chroot configuration in /etc/ssh/sshd_config file
One is likely to run into this if they are using multiple sources/guides/tutorials for setting up their chroot environment. The common error points are Match Group and ChrootDirectory. The chroot configuration we used is as follows:

Subsystem sftp internal-sftp
Match Group sftpusers
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /chroots/%u
ForceCommand internal-sftp

You must mention the appropriate group to match and ensure that all chrooted sftp users are members of this group otherwise they will not be able to login. The ChrootDirectory must have the correct location of the chroot home directory to point to.  Note there are other methods of specifying the ChrootDirectory apart from the one we’ve discussed here.

Conclusion

In this article, we explained some of the troubleshooting scenarios you are likely to run into while configuring chrooted sftp user accounts. In case you run into a different error please share the same with us so that we may update this article with the error description and the troubleshooting steps performed to resolve it.

Post Views: 6,993
The following two tabs change content below.

Sahil Suri

He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems along with exposure to high availability and virtualization solutions. He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he's gained over the years with the rest of the community.