Score:0

Ubuntu 20.04 - ChrootDirectory in sshd_config won't work with tokens %h or %u

I am trying to lock users into their home directory using a dedicated group in the sshd_config. The section for my group looks as follows:

Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Using %h or even /home/%u won't work when I try to connect with any user. I checked all permissions on their home directories and everything looks OK.

Interestingly, when I provide ChrootDirectory with a static path, everything works fine.

E.g. the following config lets users connect (but in the wrong directory):

Match Group sftponly
ChrootDirectory /home/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

man sshd_config says that I am using the %h token correctly:

ChrootDirectory accepts the tokens %%, %h, %U, and %u.

Appreciate any hint since I spent hours on it already.

Score:0
Flo

As answered here, leading to here, the ChrootDirectory has to be owned by root and can't have any group-write access.

As the home dir of the specific user is by default owned by that user, your config is not working.

So either chown the home directory to root and create a folder in it where the user has the right to read/write, or use a different ChrootDirectory.

Thank you! I didn't stumble across those two pages while searching for a solution. It works fine now.
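
The ownership rule from the answer, as an added example that is not part of the original thread: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others. The script expands the tokens for one user and reports which component fails. The function names and the user alice are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (as on Ubuntu).
# Function names are illustrative.

# expand_chroot TEMPLATE USER HOME UID: expand the %%, %h, %u and %U tokens.
expand_chroot() {
    tpl=$1 out=""
    while [ -n "$tpl" ]; do
        case $tpl in
            %%*) out="$out%";  tpl=${tpl#'%%'} ;;
            %h*) out="$out$3"; tpl=${tpl#'%h'} ;;
            %u*) out="$out$2"; tpl=${tpl#'%u'} ;;
            %U*) out="$out$4"; tpl=${tpl#'%U'} ;;
            *)   out="$out${tpl%"${tpl#?}"}"; tpl=${tpl#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# mode_problem OWNER_UID OCTAL_MODE: print the reason and return 1 if a
# directory with this owner and mode is not acceptable in a chroot path.
mode_problem() {
    if [ "$1" -ne 0 ]; then
        echo "owned by uid $1, not root"; return 1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "mode $2 is writable by group or others"; return 1
    fi
}

# check_chroot_path PATH: test PATH and every parent up to /, report each
# component that breaks the rule, return 0 only if all of them pass.
check_chroot_path() {
    dir=$1 rc=0
    case $dir in /*) ;; *) echo "$dir: not an absolute path"; return 2 ;; esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "$dir: not a directory"; rc=1
        else
            reason=$(mode_problem $(stat -L -c '%u %a' "$dir")) ||
                { echo "$dir: $reason"; rc=1; }
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage (constructed values): the questioner's "ChrootDirectory %h" for alice
#   check_chroot_path "$(expand_chroot '%h' alice /home/alice 1001)"
```

With a default home directory owned by the user, the check reports that directory as not owned by root, while /home and / pass, which matches the behaviour described in the question.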