I needed to provide SFTP access on an Ubuntu Hardy AMD64 server. After some trial and error with the varied information the search engines returned, I got this working. Once you have finished the steps below you will be able to hand out SFTP accounts to semi-trusted users who need access to your server without giving them a shell: rssh only lets them run the sftp subsystem, and the chroot keeps them inside /home/chroot.
First we need to install RSSH:
sudo apt-get install rssh
Then we need to edit /etc/rssh.conf:
sudo vi /etc/rssh.conf
Uncomment the following two lines and change the chrootpath value to /home/chroot:
allowsftp
chrootpath = /home/chroot
Create a copy of mkchroot.sh to work with:
sudo cp /usr/share/doc/rssh/examples/mkchroot.sh ~/mkchroot.sh
Edit mkchroot.sh and update the following lines (check each path against the output of the command: rssh -v):
scp_path="/usr/bin/scp"
sftp_server_path="/usr/lib/openssh/sftp-server"
rssh_path="/usr/bin/rssh"
chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"
We also need to copy the AMD64 dynamic loader and the /lib64 tree into the jail and make /dev/null available there, since sftp-server cannot start without the loader and the jail has no device nodes. Add the following directly after this line in the script:
mkdir -p "$jail_dir/dev"
################################
cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
cp /lib/ld-linux.so.2 "$jail_dir/lib/"
cp -pR /lib64 "$jail_dir/"
mknod -m 666 "$jail_dir/dev/null" c 1 3
################################
(/lib/ld-linux.so.2 is the 32-bit loader and only exists if 32-bit compatibility libraries are installed; if it is missing, cp just reports an error and the 64-bit sftp-server is unaffected. mknod needs root, which is one reason the script is run with sudo below.)
Save the changes to mkchroot.sh, make it executable, and run it against the jail directory (the script takes the jail directory as its first argument and creates it, along with the lib, etc and bin trees, under that path):
sudo chmod u+x ~/mkchroot.sh
sudo ~/mkchroot.sh /home/chroot
Now make rssh a valid login shell (add-shell appends it to /etc/shells) by running the command:
sudo add-shell /usr/bin/rssh
Running the script copies /etc/passwd to /home/chroot/etc/passwd. Prune that copy down to the users that will be under chroot control: everything inside the jail is readable by the chrooted users, so the copy should not list every account on the system. We can also create a new chrooted user. First let's create /home/chroot/home for our chrooted users:
sudo mkdir /home/chroot/home
Then we create a new user:
sudo useradd -m -d /home/chroot/home/joe -s /usr/bin/rssh joe
Give them a password:
sudo passwd joe
Next we need to set up logging. rssh and rssh_chroot_helper log through syslog, but inside the jail there is no /dev/log, so syslogd has to be told to listen on an extra socket in the jail:
sudo vi /etc/default/syslogd
Update the SYSLOGD="" line with our chrooted log information:
SYSLOGD="-a /home/chroot/dev/log"
Then restart syslogd so that /home/chroot/dev/log is created:
sudo /etc/init.d/sysklogd restart
The chrooting process /usr/lib/rssh/rssh_chroot_helper has to be setuid root in order to call chroot(). This is the one privileged piece of rssh, so set the bit on that helper only, and confirm it afterwards with ls -l /usr/lib/rssh/rssh_chroot_helper:
sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper
Without the setuid bit you will see errors like these in /var/log/syslog:
Nov 16 20:30:04 server1 rssh[10241]: setting log facility to LOG_USER
Nov 16 20:30:04 server1 rssh[10241]: allowing sftp to all users
Nov 16 20:30:04 server1 rssh[10241]: setting umask to 022
Nov 16 20:30:04 server1 rssh[10241]: chrooting all users to /home/chroot
Nov 16 20:30:04 server1 rssh[10241]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: new session for joe, UID=1002
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: chroot() failed, 2: Operation not permitted
And that’s that!
You should now be able to SFTP into your box with Joe’s chrooted account.
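The steps above, checked end to end. The following is an added example and not code from the original post or from the rssh package: a small sh script that prunes the jail's copy of /etc/passwd down to the chrooted accounts and verifies the pieces each step is supposed to leave behind (the loader and /lib64 copy, the /dev/null device node, the syslog socket, the pruned passwd, sftp-server, and the setuid bit on rssh_chroot_helper). The paths are the ones used above; the function names and the sample passwd lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the rssh project): checks for the
# rssh chroot jail built by the steps above. Paths come from the post; the
# function names and any sample data are this example's own.

# prune_passwd SRC DEST USER...
# Write to DEST only the lines of SRC whose login is one of USER..., and print
# how many were kept. The jail copy of passwd needs the chrooted accounts only;
# every other entry is just account information handed to semi-trusted users.
prune_passwd() {
    src=$1; dest=$2; shift 2
    awk -F: -v users="$(printf '%s\n' "$@")" '
        BEGIN { n = split(users, a, "\n"); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        $1 in keep' "$src" > "$dest"
    wc -l < "$dest" | tr -d ' '
}

# jail_problems JAIL
# Print one line per missing piece of the jail; returns 0 when nothing is missing.
# Each item corresponds to a step in the post: the loader copied by the edited
# mkchroot.sh, the /lib64 copy, sftp-server and passwd placed by the script,
# the mknod'ed /dev/null and the socket syslogd opens for SYSLOGD="-a JAIL/dev/log".
jail_problems() {
    jail=$1; rc=0
    for f in lib/ld-linux-x86-64.so.2 usr/lib/openssh/sftp-server etc/passwd; do
        [ -e "$jail/$f" ] || { echo "missing: $jail/$f"; rc=1; }
    done
    [ -e "$jail/lib64" ] || { echo "missing: $jail/lib64"; rc=1; }
    # /dev/null must be a character device (mknod ... c 1 3); a plain file left by
    # a stray redirect would quietly collect whatever sftp-server writes to it.
    [ -c "$jail/dev/null" ] || { echo "not a char device: $jail/dev/null"; rc=1; }
    # /dev/log only appears after syslogd is restarted with the extra -a socket;
    # without it every rssh log line from inside the jail is lost.
    [ -S "$jail/dev/log" ] || { echo "no syslog socket: $jail/dev/log"; rc=1; }
    return $rc
}

# helper_is_setuid FILE
# True when the setuid bit is set on FILE. Without it rssh_chroot_helper logs
# "chroot() failed, 2: Operation not permitted" and every chrooted login fails.
helper_is_setuid() {
    [ -u "$1" ]
}

# Run the checks when invoked directly, e.g.:  sudo ./check_jail.sh /home/chroot
if [ $# -ge 1 ]; then
    jail=$1
    helper=/usr/lib/rssh/rssh_chroot_helper
    status=0
    jail_problems "$jail" || status=1
    # The bit alone is not enough: the helper must also be owned by root.
    if helper_is_setuid "$helper" && [ "$(stat -c %U "$helper")" = root ]; then
        echo "ok: $helper is setuid root"
    else
        echo "problem: $helper is not setuid root (sudo chmod u+s $helper)"
        status=1
    fi
    exit $status
fi
```

Run it as root with the jail directory as its argument once the steps are done; each line it prints names the step to revisit. If an sftp session still just closes with nothing in syslog, run the server by hand inside the jail (sudo chroot /home/chroot /usr/lib/openssh/sftp-server </dev/null) so that a missing loader or shared library shows up as an error on the terminal rather than as a silently dropped connection.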
I followed your howto, but i keep stumbling onto one problem. The sftp user has access to all the files from /home/chroot on up… Including any additional users that you add later. How did you go about restricting the users to their /home/chroot/home directory without breaking their ability to log into the sftp?
Please let me know.
Thanks
Corey
Hey Corey!
The SFTP users will have access to everything in /home/chroot but they should not be able to leave the /home/chroot area. When trying to SSH in do you get disconnected with a notice that the account is limited to SFTP only? If so then that’s a good sign things are working. (along with not being able to leave /home/chroot)
Cheers,
~Dave
I just followed your tutorial for a Hardy server running on Amazon's Elastic Compute Cloud, but I'm running into trouble: my chrooted users cannot log in. They get an error: "Fatal: unable to initialise SFTP on server: could not connect", while other users remain just fine. I'm having trouble finding the problem via Google, any ideas?
Hi Charlie,
You may possibly need a symbolic link to sftp-server.
sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/
Check the path with rssh -v as well.
Please let me know if that cures it. Thanks!
Dave
I followed your instructions but failed to get it to work. I suspect that "~/mkchroot.sh" didn't quite get made executable successfully. I don't see the "$jail_dir" directory. I set the chrootpath to my desired path rather than /home/chroot. Does the chrootpath have to be /home/chroot? How do I make sure that ~/mkchroot.sh gets made executable successfully?
Scott
Hey Scott! Sorry for the late reply on this. If you set chrootpath to another destination it may possibly not have had the permissions to create the path structure. You can perhaps create them manually after the fact and see if that allows everything else to fall into place. Please let me know how it goes. Thanks!
I followed the guide and on the client I see:
$ sftp kostia@myhost
Connecting to myhost…
kostia@myhost’s password:
Connection closed
On the server I see:
May 7 03:04:10 myhost rssh[8608]: setting log facility to LOG_USER
May 7 03:04:10 myhost rssh[8608]: allowing sftp to all users
May 7 03:04:10 myhost rssh[8608]: setting umask to 022
May 7 03:04:10 myhost rssh[8608]: chrooting all users to /home/chroot
May 7 03:04:10 myhost rssh[8608]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 “/usr/lib/openssh/sftp-server”
No errors whatsoever, but the connection is just closed 🙁
Any ideas how to troubleshoot?
I have the same issue as heckeron: no connection possible, but no errors either, neither in syslog nor in auth.log.
Would be thankful for any help!