On 05/01/15 07:07, Markus Rosjat wrote:
> hi there,
>
> I just do some testing with sftp access and I stumbled about some things
> I don't get.
>
> if I use the chroot I would assume the user can't browse to the root dir
> but it seems he can.
> Do I get the whole chroot thing wrong here ?

You get the idea, but you aren't implementing it right, and thus the
chroot isn't working.

> I set sshd up to just use key auth and gave the user a nologin because I
> just want him to use sftp. I checked it with a shell so I know the key
> gets accepted but with the nologin and sftp I can't log in.
> So it seems the statement "we don't need a shell for sftp" is not working.

Are you using "internal-sftp"?

> I used a different home dir for the sftp users and applied suggested
> permissions and ownership but it doesn't seem to work
>
> /var/sftp <- root:sftpuser 0100
> /var/sftp/testuser <- testuser:sftpuser 0750

And I presume "testuser" is your login name?

man sshd_config, search for "ChrootDirectory":

    At session startup sshd(8) checks that all components of the pathname
    are root-owned directories which are not writable by any other user or
    group.

You aren't doing that. Yes, that looks strange. Your SFTP user's home dir
they will be chrooted in has to be owned by ... ROOT! AND they can't have
permissions there! ("Whose home is this anyway??")

Now...inside that directory, you can create writable directories. There
is a reason for this (of course) -- you don't want your chroot user
creating /etc and /dev et al. directories which could be influencing
other chroot'ed applications.

Nick.