Score:0

SFTP Chroot Error: Broken Pipe

Update: The code below has been updated to reflect the changes identified in the marked answer, and is therefore working as expected.

I am trying to establish SFTP-only users on my server, that are jailed to their home directory. When attempting to connect to the server, I receive a broken pipe error:

debug1: Authentication succeeded (password).
Authenticated to xxxx.xxxxxxxx.com ([XX.XX.XX.XX]:22).
debug2: fd 5 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
packet_write_wait: Connection to XX.XX.XX.XX port 22: Broken pipe
Couldn't read packet: Connection reset by peer

I have determined that this is related to my attempts to jail the user. My sshd_config includes:

Subsystem sftp internal-sftp
Match Group sftponly
        ForceCommand internal-sftp -d /%u
        PasswordAuthentication yes
        ChrootDirectory /home/sftp
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no

sftponly is the name of the group I created for sftp users. The owner and group of /home/sftp is root with only write-permission for the owner (0711).

$  chown root:root /home/sftp
$  chmod 0711 /home/sftp

Here is how I'm creating users (in this example, batman) -- note that I'm doing this via a Perl script, hence my use of chpasswd:

$  adduser --quiet --disabled-password --shell /bin/false --no-create-home --gecos "User" batman
$  echo "batman:batman123" | chpasswd
$  usermod -a -G sftponly batman
$  install -d -m 0755 /home/sftp/batman -o batman -g sftponly

Note: I'm manually creating the user's home directory rather than passing the --system arg to adduser, as I end up getting an error when I later try to change the directory ownership:

chown: invalid group: ‘batman:batman’

If I update my sshd_config, and change the chroot directory to:

ChrootDirectory /home/sftp

I can successfully access the server and no longer receive the broken pipe error. However, I land in /home/sftp upon login, where I see a list of all other user directories, rather than landing in /home/sftp/batman as I would expect to happen.

How can I improve/fix this, such that users:

  • only have access to their own directory (/home/sftp/batman)
  • upon login, will appear to be within / (which is actually /home/sftp/batman)
  • cannot navigate to /home/sftp (so that they cannot see a list of other users)
Score:0

I have managed to accomplish this by applying these permissions:

$  chown batman:sftponly /home/sftp/batman
$  chmod 0755 /home/sftp/batman
$  chmod 0711 /home/sftp

Then changing the ChrootDirectory from /home/sftp/%u to /home/sftp.

Lastly, moving the user into their home directory upon login:

ForceCommand internal-sftp -d /%u

Now, when batman logs in, they land in /home/sftp/batman, which appears as /batman to the user. More importantly, if they attempt to back out into /home/sftp, they receive an error (thereby preventing them from seeing other user directories):

Directory /: permission denied - Failed to retrieve directory listing

mangohost
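The broken pipe in the question is the client-side symptom of sshd refusing the chroot: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, and /home/sftp/batman (owned by batman) fails that rule, while /home/sftp (root:root, 0711) passes it. The pre-flight check below is an added example, not code from the question or the answer; dir_violations and check_chroot_path are hypothetical helper names, and the required-owner uid is passed as an argument only so the check can be exercised without root.

```shell
#!/bin/sh
# Added pre-flight check for an sshd ChrootDirectory target (hypothetical
# helper, not from the question or answer). sshd refuses the chroot unless
# every path component is owned by root and writable by nobody else; the
# client then only sees the "Broken pipe" from the question.

# Owner uid and octal mode of a path (GNU stat first, BSD stat fallback).
path_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u'   "$1" 2>/dev/null; }
path_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null; }

# Report problems with one directory; prints one line per problem.
# Returns 0 if clean, 1 if sshd would reject it, 2 if it does not exist.
# $2 is the uid the directory must belong to: 0 for a real sshd chroot,
# parameterised only so the check can be exercised without root.
dir_violations() {
    d=$1; want_uid=$2; viol=0
    uid=$(path_uid "$d") || { echo "$d: does not exist"; return 2; }
    mode=$(path_mode "$d")
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$d: owned by uid $uid, required owner is uid $want_uid"; viol=1
    fi
    # 022 = group-write | other-write; either bit makes sshd refuse the chroot
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$d: mode $mode is writable by group or others"; viol=1
    fi
    return $viol
}

# Walk from the chroot target up to /, the way sshd validates the path.
check_chroot_path() {
    case $1 in /*) ;; *) echo "$1: ChrootDirectory must be an absolute path"; return 2 ;; esac
    cur=$1; status=0
    while :; do
        dir_violations "$cur" 0 || status=1
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $status
}

# With the layout from the answer (constructed expectation, not captured output):
#   check_chroot_path /home/sftp         -> clean: / and /home/sftp are root:root, 0711
#   check_chroot_path /home/sftp/batman  -> rejected: /home/sftp/batman is owned by
#                                           batman, which is why ChrootDirectory
#                                           /home/sftp/%u broke
```

Run check_chroot_path against the exact value you put in ChrootDirectory (with %u expanded for a test user) before restarting sshd; a rejected path is also logged server-side by sshd as a bad-ownership/modes error for the chroot directory.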
