sftp - give password access to one user only & chroot

First, I know this kind of question has been asked a lot, and I tried a lot of solutions here and on SuperUser, but none worked and I can't find out why.

I want to configure my SSH server to accept key login only, except for one user who could log in with SFTP only (no SSH CLI access, if possible; I'm not sure).

Here is my config

```
AllowUsers user1 user2
LoginGraceTime 0
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
# global defaults: keys only, no passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
UsePrivilegeSeparation sandbox
ClientAliveInterval 120
Subsystem sftp internal-sftp
Match Group sftpusers
        # sshd requires every component of this path to be root-owned
        # and not group/world-writable
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
Match User user2
        # override the global default for this one user
        PasswordAuthentication yes
        ChrootDirectory /home/%u
```

When I try to log in with FileZilla over SFTP I get this log

```
Status: Connecting to *my_server_ip*:*my_ssh_port*...
Response:   fzSftp started, protocol_version=11
Command:    open "user2@*my_server_ip*" *my_ssh_port*
Status: Using username "user2".
Command:    Pass: ************
Error:  Could not connect to server
```

When I try to connect with ssh

```
ssh user2@*my_server_ip* -p *my_ssh_port*
user2@*my_server_ip*'s password:
client_loop: send disconnect: Connection reset
```

I can connect with user1 just fine using a pubkey, but I can't make user2 able to log in with a password.

Paul: Does this section of the man page answer your question: [ChrootDirectory](https://manpages.debian.org/bullseye/openssh-server/sshd_config.5.en.html#ChrootDirectory).
Etshy: Ok, I managed to connect, but now I can't upload to `/home/user2` because I had to `chown root:root` the dir. Is that mandatory, or is there a trick (like `allow_writeable_chroot` in vsftpd)?
Paul: Can you use subdirectories?
Etshy: I could, but it wasn't my goal. I found a solution that fits my problem, maybe not the best solution though. I posted it and will accept it as the solution when I can.
Answer:

For those with the same problem as me, here is how I managed to chroot the SFTP user into their home directory.

Here is my sshd_config

```
Subsystem sftp internal-sftp
Match Group sftpusers
        X11Forwarding no
        AllowTcpForwarding no
        # /home itself is root-owned and not group/world-writable, which is
        # what sshd demands of every component of ChrootDirectory
        ChrootDirectory /home
        # start each session in the user's own directory, path relative to the chroot
        ForceCommand internal-sftp -d /%u
Match User user2
        # passwords only for this user; the global default stays "no"
        PasswordAuthentication yes
```

You need to chroot to /home and set just enough permission for the connection (`chmod 711 /home`); your /home/user2 dir can have normal permissions for user2 to be able to create/upload files.

With this config, the user is moved automatically into their dir; the chroot is /home, but the user won't have permission in `..` and will be jailed in their own home dir.
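Added example, not from the original post or from the OpenSSH project: a POSIX shell script that checks the filesystem requirements behind both configs on this page (the `ChrootDirectory /home/%u` in the question, which sshd rejects while the home directory is owned by the user, and the `ChrootDirectory /home` layout in this answer) before sshd is restarted. Assumptions of mine: the chroot is /home with one directory per user directly under it, and the function names and the `--live` flag are invented for this script.

```shell
#!/bin/sh
# Added example (not from the original post): verify the filesystem side of an
# internal-sftp chroot before restarting sshd. sshd refuses to chroot unless
# every component of ChrootDirectory is owned by root and is not writable by
# group or others; a violation is logged as "bad ownership or modes for chroot
# directory" and the client only sees a reset connection.
# Assumed layout, as in the answer above: ChrootDirectory /home, one directory
# per user directly below it.

# Owner uid of a path (GNU stat, with a BSD stat fallback).
path_uid() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
# Permission bits of a path in octal, e.g. 711 or 1777.
path_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# check_chroot_path ROOT DIR [OWNER_UID]
#   ROOT       filesystem root to walk from: "/" in production, or a staging
#              tree when testing without root privileges
#   DIR        the ChrootDirectory value, relative to ROOT (e.g. /home)
#   OWNER_UID  required owner of every component; defaults to 0 (root)
# Prints each offending component; returns 1 if there are any.
check_chroot_path() {
    root=${1%/}; dir=$2; want_uid=${3:-0}; rc=0; p=$root
    # split DIR on '/' without globbing, then restore the shell state
    oldifs=$IFS; IFS=/; set -f; set -- $dir; set +f; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        p="$p/$comp"
        uid=$(path_uid "$p"); mode=$(path_mode "$p")
        if [ "$uid" != "$want_uid" ]; then
            echo "bad owner uid=$uid (want $want_uid): $p"; rc=1
        fi
        # 022 octal = group-write | other-write; sshd rejects either one
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable (mode $mode): $p"; rc=1
        fi
    done
    return $rc
}

# check_private_homes CHROOT
# With ChrootDirectory /home at mode 711, a chrooted user cannot list /home
# but can still enter /home/<other> by name if that directory lets them.
# Flag every directory directly under CHROOT that grants any access to
# "others" (mode & 07 != 0); 0700, or 0750 with a private group, is expected.
check_private_homes() {
    rc=0
    for d in "${1%/}"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue        # an unmatched glob leaves the pattern
        mode=$(path_mode "$d")
        if [ $(( 0$mode & 07 )) -ne 0 ]; then
            echo "accessible to other chrooted users (mode $mode): $d"; rc=1
        fi
    done
    return $rc
}

# Usage on the real system: sh check-chroot.sh --live   (non-zero exit on problems)
case "${1:-}" in
  --live)
    status=0
    check_chroot_path / /home 0 || status=1
    check_private_homes /home  || status=1
    if [ "$status" -eq 0 ]; then echo "chroot layout OK"
    else echo "fix the above before restarting sshd"; fi
    exit "$status" ;;
esac
```

Once the filesystem passes, `sshd -t` validates the config syntax and `sshd -T -C user=user2,host=<client>,addr=<ip>` prints the options that are actually in effect for that user, which is the quickest way to confirm that both Match blocks apply. Note that mode 0711 on /home only stops listing, not traversal by name, which is why check_private_homes insists that each home directory denies access to "others".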
