OpenSUSE 11.4 sftp help

My goal is to set up an sFTP server where users can log in to only their home directory and can upload as well as download files.

I’ve followed some tutorials and can get almost the results I want, but not quite.

If I have users log in, they go to their home directory. The user can upload files and download files. But they can also go to other users' directories or even the root directory.

If I use the ChrootDirectory command, then I have to set the user's home directory to belong to root, and it only works if I set the group to read/write. This will allow the user to get to their directory, with it being the root directory, but the user can't upload files. They can only download.

I’ve spent most of the day trying to figure this out, and of course I’m frustrated. Any insight on sorting this out? I am fairly green when it comes to Linux (you probably know that just by reading my problem.) I’m using OpenSUSE 11.4 with OpenSSH (whatever version came with it).

In my sshd_config file, I have the following at the end of the file:

Match group sftponly
ForceCommand internal-sftp
ChrootDirectory %h
AllowTcpForwarding yes
X11Forwarding no

The “root” in Chroot has a different meaning from a root account. (Root is a slightly overloaded term.) It means the top of the directory tree seen by the user is that directory. Therefore you do not make the directory owned by root, you just leave it owned by the user, as normal. However you have to put the user in the account group sftponly so that it will match the clause. BTW, there should be a Match on a line by itself at the end of the clause to close it off.

Makes sense on the permissions. Thanks for clarifying that.

I also made the change to put Match at the end of the sshd_config file.

When I log in using FileZilla from a Windows XP machine, I still get the error "Software caused connection abort". If I comment out the ChrootDirectory command, I can connect, but I can also travel through other directories as well.

In my sshd_config file above the match statement I do have the command

Subsystem sftp internal-sftp

Any other ideas? I have to be missing something…

Try it from the command line itself using "sftp -v username@" to see what messages are sent back. That will give you some clues as to what the problem is. rather than localhost is to make sure you get IPv4.

I tried it from the command line on the Suse machine. After I entered the password, it says Authentication succeeded and then it says:

Write failed: Broken pipe
Couldn’t read packet: Connection reset by peer

You should also look at /var/log/messages to see if the ssh daemon logged any error messages.

The man page mentions additional restrictions on the filesystem containing /home:

    In the special case when only sftp is used, not ssh nor scp, it is possible to use ChrootDirectory %h or ChrootDirectory /some/path/%u. The file system containing this directory must be mounted with options nodev and either nosuid or noexec. The owner of the directory should be the user. The ownership of the other components of the path must fulfill the usual conditions. No additional files are required to be present in the directory.
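The conditions quoted above (group membership, ownership of the home directory, and the nodev plus nosuid/noexec mount options) are easy to get wrong, and sshd simply drops the session when they are not met. The following is an added example, not something posted in this thread: a small POSIX sh pre-flight script that checks those conditions for one account and verifies that sshd_config carries the directives used above. The group name sftponly and the directive names come from the thread; the use of findmnt and the demo config fragment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the
# "ChrootDirectory %h" setup discussed above. Group name "sftponly"
# and the sshd_config keywords come from the thread; paths are assumed.

# Does a mount option string satisfy "nodev and either nosuid or noexec"
# (the man page condition quoted above)?  Usage: mount_opts_ok "rw,nodev,nosuid"
mount_opts_ok() {
    case ",$1," in *,nodev,*) ;; *) return 1 ;; esac
    case ",$1," in *,nosuid,*|*,noexec,*) return 0 ;; *) return 1 ;; esac
}

# Does an sshd_config contain the four directives the thread relies on?
# sshd keywords are case-insensitive, hence grep -i.  Usage: sshd_config_ok FILE
sshd_config_ok() {
    f=$1
    grep -Eqi '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$f" || return 1
    grep -Eqi '^[[:space:]]*Match[[:space:]]+Group[[:space:]]+sftponly' "$f"      || return 1
    grep -Eqi '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$f"          || return 1
    grep -Eqi '^[[:space:]]*ChrootDirectory[[:space:]]+%h' "$f"                  || return 1
}

# Live check of one account: sftponly membership, home owned by the user,
# and mount options of the filesystem holding the home (uses findmnt).
# Usage: check_sftp_user bob
check_sftp_user() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -d "$home" ] || { echo "no home directory for $user"; return 1; }
    id -nG "$user" | tr ' ' '\n' | grep -qx sftponly \
        || { echo "$user is not in group sftponly"; return 1; }
    [ "$(stat -c %U "$home")" = "$user" ] \
        || { echo "$home is not owned by $user"; return 1; }
    opts=$(findmnt -no OPTIONS --target "$home")
    mount_opts_ok "$opts" \
        || { echo "filesystem for $home needs nodev+nosuid/noexec, has: $opts"; return 1; }
    echo "$user looks ready for ChrootDirectory %h"
}

# Demo on a constructed config fragment (not a real host's file):
demo=$(mktemp)
printf 'Subsystem sftp internal-sftp\nMatch group sftponly\n' > "$demo"
printf 'ForceCommand internal-sftp\nChrootDirectory %%h\n' >> "$demo"
if sshd_config_ok "$demo"; then echo "sample config: OK"; else echo "sample config: missing directives"; fi
rm -f "$demo"
```

Run check_sftp_user with a real account name on the server to see which of the three filesystem conditions is failing before touching sshd_config again.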

In general, when setting up this kind of thing you need to understand that you need to configure permissions correctly (in this case "write" permissions) at two levels: the file system and also the application (FTP app) level.

Also, I don’t see that you’ve described how you’re passing credentials and what credentials you’re using… Are all Users members of the same Network Domain or are you passing different (perhaps even local machine) credentials? Or, maybe something else?

You need to set up and address those issues (and there are several acceptable ways to do so) before you can take it to the next step and actually deploy.
You may even need to specify the FTP app you're using and the exact steps taken. Although I haven't investigated all FTP possibilities, just the basic possibilities of SSL and TLS can involve many permutations of possibilities of authenticating, if not just encrypting.