Trying to limit sftp user to one directory - fail on login with "Received message too long"

I have added a user ftp_user with the /etc/passwd line:

ftp_user:x:1002:1003:ftp user,0,0,0,0:/home/ftp_user/files:/usr/sbin/nologin

This is in order to limit that user to only being able to read, write and list that one directory and no others.

When I try to sftp in as that user I get:

Received message too long 1416128883

sftp worked fine when the shell was /bin/sh in the passwd file.

UPDATE

I am using the sftp subsystem with this in sshd_config:

Match group sftp
ChrootDirectory /home/ftp_user/files
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Match User ftp_user
PasswordAuthentication yes

Now, when I try to sftp in, I get:

debug3: send packet: type 61
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: send packet: type 61
debug3: receive packet: type 52
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to x.x.x.x ([x.x.x.x]:22).
debug2: fd 5 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
packet_write_wait: Connection to x.x.x.x port 22: Broken pipe
Connection closed
Comment: iirc sftp needs a valid login shell unless you force it to use the `internal-sftp` subsystem - see for example [Allow SFTP but disallow SSH?](https://serverfault.com/a/354618)
zwets: The home directory entry in `/etc/passwd` doesn't govern where the user can and cannot go on the file system. It is just their home directory. It doesn't matter whether you set it to `/home/ftp_user` or `/home/ftp_user/files`. The login issue is a separate problem.
Omroth: I am using the sftp subsystem now with: `Match group sftp` / `ChrootDirectory /home/ftp_user/files` / `X11Forwarding no` / `AllowTcpForwarding no` / `ForceCommand internal-sftp`. And I have added ftp_user and verified it is there in /etc/groups. Now on logon I get: `packet_write_wait: Connection to x.x.x.x port 22: Broken pipe` / `Connection closed`
zwets: Please add the relevant extra information to your question rather than in the comments. It will probably also be useful to add selected `sftp` debug output (`-vvv`).
Omroth: Done, thanks zwets