OpenSSH SFTP chroot() with ChrootDirectory

Posted by niol on Tue 1 Apr 2008 at 10:49


The upcoming version of OpenSSH (4.8p1 for the GNU/Linux port) features a new configuration option: ChrootDirectory. This has been made possible by a new SFTP subsystem statically linked to sshd.

This makes it easy to replace a basic FTP service without the hassle of configuring encryption and/or bothering with FTP passive and active modes when operating through a NAT router. This is also simpler than packages such as rssh, scponly or other patches because it does not require setting up and maintaining (i.e. security updates) a chroot environment.

To enable it, you obviously need the new version 4.8p1. I personally use the CVS version and the debian/ directory of the sid package to build a well-integrated Debian package, 4.8p1~cvs-1.

In /etc/ssh/sshd_config:

You need to configure OpenSSH to use its internal SFTP subsystem.

Subsystem sftp internal-sftp

Then, I configured chroot()ing in a match rule.

Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

The directory in which to chroot() must be owned by root. After the call to chroot(), sshd changes directory to the home directory relative to the new root directory. That is why I use / as home directory.

# chown root.root /home/user
# usermod -d / user
# adduser user sftponly

This seems to work as expected:

$ sftp user@host
Connecting to host...
user@host's password:
sftp> ls
build               cowbuildinall       incoming            johnbuilderclean
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> ls
build               cowbuildinall       incoming            johnbuilderclean

The only thing I miss is file transfer logging, but I did not investigate this at all. More on this whenever I find some time to do so.



Posted by Anonymous (97.89.xx.xx) on Tue 1 Apr 2008 at 14:49
This sounds awesome and thank you for posting it.

But I've learned not to trust anything posted on this day...

[ Parent | Reply to this comment ]

Posted by Anonymous (38.104.xx.xx) on Tue 1 Apr 2008 at 14:53
From the FAQ:
Note that OpenSSH 4.8 was an OpenBSD-only release shipped with the
OpenBSD 4.3 CD.

[ Parent | Reply to this comment ]

Posted by Anonymous (200.160.xx.xx) on Tue 1 Apr 2008 at 16:40
Nice work!
OpenSSH 4.9 is OUT!

[ Parent | Reply to this comment ]

Posted by Anonymous (217.154.xx.xx) on Wed 2 Apr 2008 at 21:25
I considered using this (as I put together the alternative approach at http://www.minstrel.org.uk/papers/sftp/), but from reading 'man sshd_config', it appeared to me that 'ChrootDirectory' was *not* a valid parameter in a Match block.

Have I misread the manual? It struck me that ChrootDirectory subsequently applied to all users (including myself), which wouldn't work for me at all...

I can be contacted through the Web site above.

--
Minstrel

[ Parent | Reply to this comment ]

Posted by Anonymous (91.45.xx.xx) on Sun 6 Apr 2008 at 14:06
ChrootDirectory is a valid directive in a Match block. The man page sshd_config(5), however, doesn't list it correctly. But since we can use the force^Wsource ;), it is not a big problem to verify this. See servconf.c (of OpenSSH 5.0), lines 275-372:
#define SSHCFG_GLOBAL   0x01    /* allowed in main section of sshd_config */
#define SSHCFG_MATCH    0x02    /* allowed inside a Match section */
#define SSHCFG_ALL      (SSHCFG_GLOBAL|SSHCFG_MATCH)

/* Textual representation of the tokens. */
static struct {
        const char *name;
        ServerOpCodes opcode;
        u_int flags;
} keywords[] = {

        // [...]
        { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
        // [...]
};
HTH

[ Parent | Reply to this comment ]

Posted by Anonymous (203.163.xx.xx) on Thu 3 Apr 2008 at 01:18
Does the chroot apply for SSH shell access, or only sftp?

[ Parent | Reply to this comment ]

Posted by Anonymous (91.45.xx.xx) on Sun 6 Apr 2008 at 14:09
It applies to all shell access via SSH. But if you do not use internal-sftp, you'll still need to have all libraries and binaries the user shall be able to use inside his/her home directory.

[ Parent | Reply to this comment ]

Posted by Anonymous (213.211.xx.xx) on Tue 8 Apr 2008 at 07:28
You can use Jailkit from http://olivier.sessink.nl/jailkit/ to manage all the libraries and binaries.

With Jailkit you can also do a similar setup as above with cvs, rsync and scp.

[ Parent | Reply to this comment ]

Posted by Anonymous (82.229.xx.xx) on Thu 3 Apr 2008 at 15:24
Any ssh backport for etch planned?

[ Parent | Reply to this comment ]

Posted by Anonymous (80.69.xx.xx) on Fri 4 Apr 2008 at 08:43
I did one on my own as mentioned above - no problem with it so far.

[ Parent | Reply to this comment ]

Posted by Anonymous (82.101.xx.xx) on Fri 4 Apr 2008 at 14:14
Have you put it on a repository?
and have you seen OpenSSH 5.0/5.0p1 released Apr 3, 2008?

[ Parent | Reply to this comment ]

Posted by sytoka (80.170.xx.xx) on Sun 6 Apr 2008 at 07:45

Just change

# chown root.root /home/user

by

# chown root:root /home/user

It's now possible to have a dot in a username!

[ Parent | Reply to this comment ]

Posted by Anonymous (70.145.xx.xx) on Wed 9 Apr 2008 at 20:33
Great!

Can't wait to try it.

Brian Pence
Celestial Software
http://www.celestialsoftware.net
AbsoluteTelnet (for telnet and ssh)

[ Parent | Reply to this comment ]

Posted by Anonymous (217.18.xx.xx) on Tue 15 Apr 2008 at 09:50
I can't locate the internal-sftp command. When I try locate or find, it does not locate internal-sftp anywhere. How can I download this?

[ Parent | Reply to this comment ]

Posted by Anonymous (74.233.xx.xx) on Sat 17 May 2008 at 19:10
internal-sftp is not an external system command. It's a specification internal to OpenSSH that is used only in the sshd configuration file.

[ Parent | Reply to this comment ]

Posted by Anonymous (88.17.xx.xx) on Fri 24 Oct 2008 at 12:02
Use locate command

[ Parent | Reply to this comment ]

Posted by Anonymous (81.139.xx.xx) on Wed 5 Nov 2008 at 10:40
Nice post!

I don't like the sound of setting a user's home directory to "/" though. I can't think of any repercussions, but since their home directory is technically set incorrectly, I wouldn't like to say there would be none. Can anyone else think of any problems this might cause?

[ Parent | Reply to this comment ]

Posted by kink (85.147.xx.xx) on Fri 9 Jan 2009 at 16:45
It is not necessary to set / as the home directory: if the user's homedir does not exist under the chroot-ed path, it will just be ignored and the user will be put into the root of the chroot.

[ Parent | Reply to this comment ]

Posted by Anonymous (89.212.xx.xx) on Tue 13 Jan 2009 at 21:55
So if the user creates ~/home/<username>, he's fu*ked then? ;)

[ Parent | Reply to this comment ]

Posted by Anonymous (85.27.xx.xx) on Tue 13 Jan 2009 at 19:03
Hi

It seems to be working but I still have a question ...

It says in the manpage of sshd_config that the path given to ChrootDirectory and all of its components must be root owned directories that are not writable by any other user or group.

So when the user logs in, he doesn't have write permissions, right?
Therefore he can't upload anything ...

[ Parent | Reply to this comment ]

Posted by niol (143.196.xx.xx) on Tue 13 Jan 2009 at 19:06
Create one or more subdirectories with appropriate permissions and you will be good to go.

[ Parent | Reply to this comment ]

Posted by andrewm659 (97.91.xx.xx) on Mon 16 Mar 2009 at 01:04
I'm currently using the latest Debian Stable - Lenny. I have OpenSSH 5.X and I want to set up chroot environments for most of the users on that system. I'm a little confused as to how to set that up. Do I need to add a group? I'm guessing that would be the proper way to do it. I'm looking for an updated tutorial on this as well.

[ Parent | Reply to this comment ]

Posted by Anonymous (85.158.xx.xx) on Fri 24 Apr 2009 at 12:16
Following these instructions I have a working chrooted sftp user.
They can't upload files. How do I fix this please?
Also is it possible to modify adduser.conf to create the home directory with the appropriate ownership/properties for this? (I have modified it to set the GID as sftponly too)

[ Parent | Reply to this comment ]

Posted by stew (24.193.xx.xx) on Thu 28 May 2009 at 04:03
"ChrootDirectory /home/%u" should probably be replaced with "ChrootDirectory %h" which works for home directories not in /home

[ Parent | Reply to this comment ]

Posted by Anonymous (187.66.xx.xx) on Thu 18 Aug 2011 at 22:16
For the ChrootDirectory I used the following:
/home/%u/Public
It is not the home directory so no hidden files there, plus it is semantically better.

[ Parent | Reply to this comment ]

Posted by Anonymous (189.88.xx.xx) on Fri 19 Jun 2009 at 04:08
I can't get this working on Ubuntu 8.10 inside 64 VMWare.

Here is what happens:


user@server:/var$ sftp 192.45.2.137
Connecting to 192.45.2.137...
user@192.45.2.137's password:
Couldn't read packet: Connection reset by peer



/var/log/auth.log:

Jun 18 20:45:57 server sshd[23658]: debug1: Bind to port 22 on ::.
Jun 18 20:45:57 server sshd[23658]: Server listening on :: port 22.
Jun 18 20:45:57 server sshd[23658]: debug1: Bind to port 22 on 0.0.0.0.
Jun 18 20:45:57 server sshd[23658]: Server listening on 0.0.0.0 port 22.
Jun 18 20:46:03 server sshd[23658]: debug1: Forked child 23664.
Jun 18 20:46:03 server sshd[23664]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jun 18 20:46:03 server sshd[23664]: debug1: inetd sockets after dupping: 3, 3
Jun 18 20:46:03 server sshd[23664]: Connection from 192.45.2.137 port 42626
Jun 18 20:46:03 server sshd[23664]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-3ubuntu1
Jun 18 20:46:03 server sshd[23664]: debug1: match: OpenSSH_5.1p1 Debian-3ubuntu1 pat OpenSSH*
Jun 18 20:46:03 server sshd[23664]: debug1: Enabling compatibility mode for protocol 2.0
Jun 18 20:46:03 server sshd[23664]: debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
Jun 18 20:46:05 server sshd[23664]: debug1: user user matched group list sftp at line 80
Jun 18 20:46:05 server sshd[23664]: debug1: PAM: initializing for "user"
Jun 18 20:46:05 server sshd[23664]: debug1: PAM: setting PAM_RHOST to "192.45.2.137"
Jun 18 20:46:05 server sshd[23664]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 18 20:46:05 server sshd[23664]: Failed none for user from 192.45.2.137 port 42626 ssh2
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: password authentication accepted for user
Jun 18 20:46:06 server sshd[23664]: debug1: do_pam_account: called
Jun 18 20:46:06 server sshd[23664]: Accepted password for user from 192.45.2.137 port 42626 ssh2
Jun 18 20:46:06 server sshd[23664]: debug1: monitor_child_preauth: user has been authenticated by privileged process
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: establishing credentials
Jun 18 20:46:06 server sshd[23664]: pam_unix(sshd:session): session opened for user user by (uid=0)
Jun 18 20:46:06 server sshd[23671]: debug1: SELinux support disabled
Jun 18 20:46:06 server sshd[23671]: debug1: PAM: establishing credentials
Jun 18 20:46:06 server sshd[23664]: User child is on pid 23671
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: cleanup
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: deleting credentials
Jun 18 20:46:06 server sshd[23664]: debug1: PAM: closing session
Jun 18 20:46:06 server sshd[23664]: pam_unix(sshd:session): session closed for user user



/etc/passwd:

user:x:1003:1003:User,,,:/:/usr/sbin/nologin



/etc/group:

sftp:x:1004:user



/etc/ssh/sshd_config:

# Logging
SyslogFacility AUTH
LogLevel DEBUG
Subsystem sftp internal-sftp
Match group sftp
ForceCommand internal-sftp
ChrootDirectory /var/sshbox



user@server:/var$ ls -l
drwxr-x--- 2 root root 4096 2009-06-18 20:05 sshbox

What am I doing wrong?

[ Parent | Reply to this comment ]

Posted by Anonymous (80.153.xx.xx) on Fri 21 Oct 2011 at 08:30
Add a closing 'Match' clause at the end of the matching:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match
^^^^^
Add this here.

[ Parent | Reply to this comment ]

Posted by Anonymous (91.120.xx.xx) on Wed 15 Jul 2009 at 18:48
Why does it need a root-owned directory?

[ Parent | Reply to this comment ]

Posted by Anonymous (213.201.xx.xx) on Tue 11 Aug 2009 at 12:16
So, if I change my FTP to an SFTP server... where can I track the user's actions??

[ Parent | Reply to this comment ]

Posted by Anonymous (63.116.xx.xx) on Thu 8 Nov 2012 at 15:18
You can get normal SFTP logging by having your log daemon create a /dev/log file in the chrooted tree. Reference data is at wikibooks.org, OpenSSH, Logging, Logging_Chrooted_SFTP. Newer Unices with rsyslog can be updated by dropping a file in /etc/rsyslog.d instead of the "-u -a" syntax used in the wikibooks article.

[ Parent | Reply to this comment ]

Posted by Anonymous (78.33.xx.xx) on Tue 11 Aug 2009 at 13:59
Forgive me for maybe being silly...

If you chown the user's directory to root.root how can the user have write access to their home directory?

[ Parent | Reply to this comment ]

Posted by Anonymous (70.247.xx.xx) on Fri 21 Aug 2009 at 00:06
They don't. You have to create a sub folder in the user's home directory that they have write access to.

I'm not sure on the reason for this, but I guess it's so they can't somehow change their .profile to allow themselves access to other directories. (maybe?)

[ Parent | Reply to this comment ]

Posted by Anonymous (203.81.xx.xx) on Tue 15 Sep 2009 at 07:36
Well.....chroot is working for sftp...but when I try to login to the....it just fails me....I have used the match block for sftp users as

# override default of no subsystems
Subsystem sftp internal-sftp

Match Group sftpusers
ChrootDirectory /chroot
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp


where /chroot is my custom directory owned by root.root and it is working fine for sftp users

and for non sftp users(i.e "ForceCommand not used")

Match Group nonsftp
ChrootDirectory /chroot
AllowTCPForwarding no
X11Forwarding no


when i look at /var/log/messages....it says

sshserver sshd [2499] : Accepted password for test from 10.0.0.54 port 2683 ssh2

which says that authentication is ok....and when I omit the "ChrootDirectory" parameter.....then everything is ok...any suggestions??

[ Parent | Reply to this comment ]

Posted by Anonymous (203.81.xx.xx) on Tue 15 Sep 2009 at 07:38
In the first line, the sentence is "when I try to login to the shell"

[ Parent | Reply to this comment ]

Posted by eriberto (200.252.xx.xx) on Tue 15 Sep 2009 at 13:15
Hi! I need to prevent deletion of a file by the jailed user. The file is .htaccess. How do I do it?

[ Parent | Reply to this comment ]

Posted by Anonymous (94.75.xx.xx) on Thu 24 Sep 2009 at 18:45
If you use an ext3 filesystem, you may try setting this file as immutable:
sudo chattr +i .htaccess

[ Parent | Reply to this comment ]

Posted by Anonymous (81.167.xx.xx) on Thu 17 Sep 2009 at 08:44
I can't get this to work. Used 2 days on this now.
sftp/ssh works. But chrooting doesn't.

If I remove the user from the sftponly group it works. So I'm guessing it has something to do with group/sftp, but I can't figure it out.

Anyone got any pointers to this?

[ Parent | Reply to this comment ]

Posted by Anonymous (77.168.xx.xx) on Wed 30 Sep 2009 at 20:04
If you can't get it to work, check the version of your sshd on your server:
sshd -v

and keep reading the logs:
tail -f /var/log/auth.log &

[ Parent | Reply to this comment ]

Posted by Anonymous (81.167.xx.xx) on Sat 24 Oct 2009 at 12:37
Thanks! :)

"read/write" for "group" and "other" on /home/ftpuser
Removed it to only "read". Works.

But no access. Shell is missing.

[ Parent | Reply to this comment ]

Posted by eriberto (200.252.xx.xx) on Thu 7 Jan 2010 at 18:44
I use "PasswordAuthentication no" in sshd_config to force authentication by public key. However, I need to make users log in to the jail using a password. I solved my problem by putting "PasswordAuthentication yes" in my match block. See below:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
PasswordAuthentication yes

Hope this helps.

[ Parent | Reply to this comment ]

Posted by kEND (64.128.xx.xx) on Fri 12 Feb 2010 at 23:33
Is there a way to configure the above and allow scp access for these chrooted sftp users?

[ Parent | Reply to this comment ]

Posted by Anonymous (59.163.xx.xx) on Sun 6 Jun 2010 at 07:45
How do I hide the .ssh folder or disable the ls -a option in a chroot sftp login?

[ Parent | Reply to this comment ]

Posted by Anonymous (78.90.xx.xx) on Sat 14 Aug 2010 at 21:04
GREAT

# usermod -d / user

And when I test adding some user, and when I delete him with

userdel -rf user

.......................

[ Parent | Reply to this comment ]

Posted by Anonymous (62.242.xx.xx) on Tue 24 Aug 2010 at 12:42
Hi.
I have tried this on Ubuntu 10.04 server.
But when it is configured, I get a "network error - connection refused" when I try to connect using ssh or sftp, and this is for all users, chroot'ed or not??
Has anyone tried this on Ubuntu 10.04 ?

[ Parent | Reply to this comment ]

Posted by Anonymous (87.111.xx.xx) on Sun 3 Oct 2010 at 10:15
Note that the owner of the destination directory must be "root", and group/other users cannot have write permissions. The same goes for the whole directory path:

chown root /path/to/destination
chown root /path/to
chown root /path

chmod g-w,o-w /path/to/destination
chmod g-w,o-w /path/to
chmod g-w,o-w /path


Alternatively, you can use a symbolic link to replace the real path:

chown root /path/to/destination
ln -s /path/to/destination /destination
chown root /destination

chmod g-w,o-w /path/to/destination
chmod g-w,o-w /destination

[ Parent | Reply to this comment ]
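The ownership rule stated in the article and repeated in the comments above (every component of the ChrootDirectory path must be a root-owned directory that group and others cannot write to) can be checked before reloading sshd. The following is an added example, not part of the original post, its comments or OpenSSH; the names expand_tokens, audit_chroot, owner_uid and start are hypothetical, and it goes slightly beyond the rule by also expanding the %u and %h tokens discussed in the thread.

```python
#!/usr/bin/env python3
"""Audit a ChrootDirectory path against the ownership rule quoted above."""
import os
import pwd
import re
import stat
import sys


def expand_tokens(template, user, home):
    """Expand %u (user name), %h (home directory) and %% in a template."""
    table = {"%u": user, "%h": home, "%%": "%"}

    def repl(match):
        token = match.group(0)
        if token not in table:
            raise ValueError(f"unsupported token {token!r} in {template!r}")
        return table[token]

    return re.sub(r"%.", repl, template)


def audit_chroot(path, owner_uid=0, start="/"):
    """Check every component from `start` down to `path`.

    Each one must be a directory, owned by `owner_uid` (root by default)
    and not writable by group or others. Returns (component, problem)
    tuples; an empty list means the path satisfies the rule.
    `owner_uid` and `start` are hypothetical knobs so the check can be
    tried on a scratch tree without root; keep the defaults on a server.
    """
    path, start = os.path.abspath(path), os.path.abspath(start)
    if os.path.commonpath([path, start]) != start:
        raise ValueError(f"{path} is not below {start}")
    rel = os.path.relpath(path, start)
    components = [start]
    for name in ([] if rel == "." else rel.split(os.sep)):
        components.append(os.path.join(components[-1], name))

    problems = []
    for comp in components:
        try:
            st = os.stat(comp)  # follows symbolic links
        except OSError as exc:
            problems.append((comp, f"cannot stat: {exc.strerror}"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
            break
        if st.st_uid != owner_uid:
            problems.append((comp, f"owned by uid {st.st_uid}, not {owner_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, f"group/other writable (mode {mode:04o})"))
    return problems


if __name__ == "__main__":
    # Usage: audit_chroot.py '/home/%u' user [user ...]
    if len(sys.argv) < 3:
        sys.exit("usage: audit_chroot.py TEMPLATE USER [USER ...]")
    template, users = sys.argv[1], sys.argv[2:]
    failed = False
    for user in users:
        home = pwd.getpwnam(user).pw_dir
        target = expand_tokens(template, user, home)
        issues = audit_chroot(target)
        for comp, problem in issues:
            print(f"{user}: {comp}: {problem}")
        if not issues:
            print(f"{user}: {target}: ok")
        failed = failed or bool(issues)
    sys.exit(1 if failed else 0)
```

A user-writable upload directory below the chroot, as suggested earlier in the comments, is not a component of the path and is deliberately not checked.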

Posted by Anonymous (178.0.xx.xx) on Tue 5 Oct 2010 at 11:16
Hi,
To get public-key authentication up and running for sftpusers, use the user's sftphome in /etc/passwd (e.g. /var/www/sftpuser_1) and let sshd chroot to %h! Password authentication will still work.
Cheers,
Olaf

[ Parent | Reply to this comment ]

Posted by narcisgarcia (87.111.xx.xx) on Sun 10 Oct 2010 at 14:03
A new guide to better configure the client and the server:
http://wiki.lapipaplena.org/index.php/How_to_mount_SFTP_accesses

(with special care with owners and permissions questions)

[ Parent | Reply to this comment ]

Posted by shlstrm (92.225.xx.xx) on Sat 12 Feb 2011 at 16:46
Couldn't this just be done with
sudo usermod -s /bin/false someuser
?

Regards, Håkan

[ Parent | Reply to this comment ]

Posted by shlstrm (92.225.xx.xx) on Sat 12 Feb 2011 at 16:49
Ouch, sorry, that was meant to be a comment to this article: http://www.debian-administration.org/articles/94. However, I would still recommend including that step so that the user isn't able to log in and get shell access (for a bit more security).
/Håkan

[ Parent | Reply to this comment ]

Posted by Anonymous (93.199.xx.xx) on Wed 22 Jun 2011 at 15:40
First of all: Thanks for the article.
However, I think there is an error in the Match syntax. I tried it, and it didn't work, until I found out that it is crucial to close the open Match clause. So using the example from the article, the right entry in sshd.conf should be:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match

Otherwise SFTP-server won't allow any connections!
Hope this helps!

[ Parent | Reply to this comment ]

Posted by Anonymous (132.64.xx.xx) on Mon 18 Jul 2011 at 13:46
I think your comment is what saved my non-working setup. Thanks!

[ Parent | Reply to this comment ]

Posted by Anonymous (174.30.xx.xx) on Fri 29 Jul 2011 at 21:10
Even using this, I can't get sftp to work when ChrootDirectory is specified. With or without the closing "Match" clause, if "Chrootdirectory" is not in Match, then sftp works just fine. However, if I put it in, in any location, with any value, sftp automatically disconnects after authentication success, whether I close Match or not. Can you help?

[ Parent | Reply to this comment ]

Posted by Anonymous (148.87.xx.xx) on Sat 30 Jul 2011 at 05:26
Apart from the jail, we also want the user to be able only to upload, and NOT to be able to download the file back. The reason is that the file he uploads is source code, and we don't want him to log in from another system and download it. Is there a way we can do that in SFTP?

[ Parent | Reply to this comment ]

Posted by Anonymous (84.81.xx.xx) on Mon 17 Oct 2011 at 14:04
Oh my! Thx a lot, this comment saved me after quite some headache... So simple, yet I couldn't figure it out until reading your remark.
Debian rules!

[ Parent | Reply to this comment ]

Posted by Anonymous (78.23.xx.xx) on Thu 11 Aug 2011 at 19:46
I'm not sure if I got this right:

for ChrootDirectory %h to work, the home directory of the user MUST be owned by root
for .ssh/authorized_keys to work the home directory of the user MUST be owned by the user

So how do I "jail" a user in his own directory? (using sftp only)

[ Parent | Reply to this comment ]

Posted by niol (88.174.xx.xx) on Fri 12 Aug 2011 at 07:02
It's ~/.ssh that must be owned by the user for ~/.ssh/authorized_keys to work, not ~.

[ Parent | Reply to this comment ]

Posted by Anonymous (213.70.xx.xx) on Thu 27 Oct 2011 at 10:27
I would like my users to have the same home directory as their chroot directory (e.g. chroot user1 to /home/user1 and home directory is /home/user1, too).

Are there any security considerations against doing the following?

chown root:root /home/user1
chmod 750 /home/user1
setfacl -m user:user1:rwx /home/user1
setfacl -m mask::rwx /home/user1


This would fulfil the requirements to successfully chroot() and let users have appropriate permissions to their home directories.

[ Parent | Reply to this comment ]

Posted by Anonymous (84.186.xx.xx) on Wed 12 Sep 2012 at 21:51
Did this really work? I got the problem that setfacl -m u:user1:rwx /home/user1 resets the unix permissions to 0770, and setting those back to 0750 forces the ACL to r-x for user1, with getfacl telling me user1:rwx #effective r-x

[ Parent | Reply to this comment ]

Posted by Anonymous (199.198.xx.xx) on Fri 16 Dec 2011 at 16:06
Using the suggested addition to sshd_config makes sshd die.
I noticed there is already a subsystem sftp defined, so maybe that is the problem, but what is the solution? I have:

Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp
Match group guests
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match

thanks everybody

[ Parent | Reply to this comment ]

Posted by Andimotz80 (193.41.xx.xx) on Thu 22 Dec 2011 at 12:05
I have configured like this, but I want to copy directly in the home directory. Is this possible?
BR

Andreas

[ Parent | Reply to this comment ]

Posted by eddzzz (80.113.xx.xx) on Thu 9 Feb 2012 at 10:37
I only partly have a problem connecting. When I use Filezilla it works perfect. But when I use sftp on Ubuntu it fails with the error:

Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer

What is going wrong and how can I fix this?

[ Parent | Reply to this comment ]

Posted by Anonymous (1.187.xx.xx) on Sat 25 Aug 2012 at 10:24
this is really helping ..............

[ Parent | Reply to this comment ]

Posted by Anonymous (87.113.xx.xx) on Wed 26 Mar 2014 at 15:25

After the call to chroot(), sshd changes directory to the home directory relative to the new root directory. That is why I use / as home directory.

If you don't change the home directory to / it seems to work anyway (ie leave as default /home/user).

It also allows public key authentication to work (~/.ssh/authorized_keys)

[ Parent | Reply to this comment ]
