Score:1

SSH ChrootDirectory Fails on login error: /dev/pts/2: No such file or directory

I've created a user in Ubuntu and given them password auth access so they can log in with ssh, but I want to restrict their usage to a custom home folder located in:

/var/www/daniel (is a root folder with correct permissions)
/var/www/daniel/home (which is owned by daniel:daniel and 755 permissions) 

In /etc/ssh/sshd_config (I've enabled internal sftp):

Match User daniel
  PasswordAuthentication yes
  AllowTCPForwarding no
  ForceCommand internal-sftp
  ChrootDirectory %h
  X11Forwarding no

Restarted the ssh service.

Then when I try to log in, I can see in auth.log a successful user login, but it then kills the session based on this error:

Accepted password for daniel ssh2
pam_unix(sshd:session): session opened for user daniel by (uid=0)
systemd-logind[508]: New session 63 of user daniel.
pam_unix(systemd-user:session): session opened for user daniel by (uid=0)
error: /dev/pts/2: No such file or directory
pam_unix(sshd:session): session closed for user daniel
Session 63 logged out. Waiting for processes to exit.

Any ideas?

UPDATE

I've executed the below from https://unix.stackexchange.com/questions/160461/chroot-gone-wrong-cant-ssh-with-user:

mount --bind /dev /var/daniel/dev
mount --bind /dev/pts /var/daniel/dev/pts

The error appears to be gone, but it logs me straight out after auth:

Accepted password for daniel
pam_unix(sshd:session): session opened for user daniel by (uid=0)
systemd-logind[508]: New session 130 of user daniel.
systemd: pam_unix(systemd-user:session): session opened for user daniel by (uid=0)
pam_unix(sshd:session): session closed for user daniel
systemd-logind[508]: Session 130 logged out. Waiting for processes to exit.

Score:0

Been using this for years on Ubuntu.

Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftp
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
    PasswordAuthentication yes
    X11Forwarding no

The chroot directory must be root owned and not have write access for the user. Internal directories can be writable. This was done to avoid having home files that can change the library preloading. But you will get errors in auth.log if this is wrong.

Also you have to limit your client to sftp and not open a normal ssh session with terminal.

Score:0

Check /etc/passwd.

Normally the user's home directory is /home/USER, and the variable %h maps to the file path /home/daniel in that case.

Also you need to provide a path to /bin/bash or a similar shell inside the chroot if the user should be able to log in via SSH.

user1529597:
`cat /etc/passwd` for that user shows me `daniel:x:1001:1002::/var/www/daniel:/bin/sh`. This seems OK?

user1529597:
Running `ls -la` shows me:

drwxr-xr-x  4 root   root   4096 Nov  9 11:22 .
drwxr-xr-x  6 root   root   4096 Nov  8 20:21 ..
-rw-r--r--  1 daniel daniel  220 Apr  9  2014 .bash_logout
-rw-r--r--  1 daniel daniel 3771 Jul 12  2019 .bashrc
drwxr-xr-x 17 root   root   3900 Nov  9 10:32 dev   (mounted folder)
drwxr-xr-x  3 daniel daniel 4096 Nov  8 21:52 home
-rw-r--r--  1 daniel daniel  807 Apr 18  2022 .profile

Shouldn't a bash profile be there? Not sure if I am doing this right.

user (us flag):
All filenames starting with "." like `.profile` are autogenerated. Bash profile isn't there, since you don't use the bash shell for the user daniel, as stated in your passwd file. You are using the `ash` shell instead, which has a slightly different syntax when it comes to shell scripting. But in a nutshell you need to copy `/bin` to a subfolder inside the chroot, or else you can't do stuff like `mv`, `cp`, `rm` inside the chroot because there is no visible path to those commands.

user1529597:
Would you be able to tell me how to add the bash shell to that directory please? It says bin/sh when I cat the passwd file? I don't see ash? Not sure if I am missing something?

user (us flag):
Just replace `/bin/sh` with `/bin/bash` in the passwd file. :-)

user1529597:
Thank you, will try now :)

user1529597:
Would `mount --bind /bin /var/daniel/bin` be correct, like I did with /dev and /dev/pts, or should I just copy the folder over? I've changed to `daniel:x:1001:1002::/var/www/daniel:/bin/bash` too.

user (us flag):
Never tried it, but I expect as much.

user1529597:
So I've mounted the /bin folder and can access that in the chroot user folder, but even before I did this, and after I did it, see the logs:

Accepted password for daniel ssh2
pam_unix(sshd:session): session opened for user daniel by (uid=0)
New session 259 of user daniel.
pam_unix(systemd-user:session): session opened for user daniel by (uid=0)
sshd[11812]: pam_unix(sshd:session): session closed for user daniel
Session 259 logged out. Waiting for processes to exit.

It just logs me out on PuTTY directly after authentication.

user1529597:
If I turn on `ChrootDirectory %h` it logs in then logs out; if I disable it, it logs in. Should the chroot point to the root-owned /var/www/daniel folder or the daniel-owned folder /var/www/daniel/home? If I change the chroot to /var/www/daniel/home I get `bad ownership or modes for chroot directory "/var/www/daniel/home"`.