Limit the SSH and SFTP to a certain folder
Clash Royale CLAN TAG#URR8PPP
Whilst creating a testuser, I was 99% sure that the user path would have been its home directory, and in theory nothing else could have been seen when connecting regardless.
I was wrong, so in the attempt to limit the SSH of a user to a certain folder and only that up I read some guidelines and SE answers (e.g. this one) to found most of them pointing to something like
Match User testuser
ChrootDirectory /home/testuser
ForceCommand internal-sftp
But when I attempted to SSH, an error message saying "broken pipe" is arise and I couldn't figure out to resolve.
Any idea where I can continue to read and/or setup?
Thanks
ssh home
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
add a comment |
Whilst creating a testuser, I was 99% sure that the user path would have been its home directory, and in theory nothing else could have been seen when connecting regardless.
I was wrong, so in the attempt to limit the SSH of a user to a certain folder and only that up I read some guidelines and SE answers (e.g. this one) to found most of them pointing to something like
Match User testuser
ChrootDirectory /home/testuser
ForceCommand internal-sftp
But when I attempted to SSH, an error message saying "broken pipe" is arise and I couldn't figure out to resolve.
Any idea where I can continue to read and/or setup?
Thanks
ssh home
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
1
"when I attempt to ssh", do you mean ssh command line? The example you linked is for sftp.chrootblocks the user from everything outside their home directory. It prevents them using any installed programs, even the command line (bash).
– Philip Couling
Feb 25 at 16:40
Any article or something I can read with a configuration example @PhilipCouling
– Andrea Moro
Feb 26 at 10:35
If you are convinced that chroot is the right option and not just setting file permissions the I would start by reading up on chroot here wiki.debian.org/chroot
– Philip Couling
Feb 26 at 10:40
Remember that chroot is the most secure option, but it's secure in the same sense a building with no windows or doors is secure. It can be excessive in some situations.
– Philip Couling
Feb 26 at 10:41
1
I'm not convinced about anything at this stage. I'm attempting to learn something, because this is ultimately not my area of expertise. So am playing with a dedicate VPS to see what I can learn out of it.
– Andrea Moro
Feb 26 at 11:01
add a comment |
Whilst creating a testuser, I was 99% sure that the user path would have been its home directory, and in theory nothing else could have been seen when connecting regardless.
I was wrong, so in the attempt to limit the SSH of a user to a certain folder and only that up I read some guidelines and SE answers (e.g. this one) to found most of them pointing to something like
Match User testuser
ChrootDirectory /home/testuser
ForceCommand internal-sftp
But when I attempted to SSH, an error message saying "broken pipe" is arise and I couldn't figure out to resolve.
Any idea where I can continue to read and/or setup?
Thanks
ssh home
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
Whilst creating a testuser, I was 99% sure that the user path would have been its home directory, and in theory nothing else could have been seen when connecting regardless.
I was wrong, so in the attempt to limit the SSH of a user to a certain folder and only that up I read some guidelines and SE answers (e.g. this one) to found most of them pointing to something like
Match User testuser
ChrootDirectory /home/testuser
ForceCommand internal-sftp
But when I attempted to SSH, an error message saying "broken pipe" is arise and I couldn't figure out to resolve.
Any idea where I can continue to read and/or setup?
Thanks
ssh home
ssh home
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
edited Feb 25 at 16:34
Andrea Moro
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
asked Feb 25 at 16:22
Andrea MoroAndrea Moro
114
114
1
"when I attempt to ssh", do you mean ssh command line? The example you linked is for sftp.chrootblocks the user from everything outside their home directory. It prevents them using any installed programs, even the command line (bash).
– Philip Couling
Feb 25 at 16:40
Any article or something I can read with a configuration example @PhilipCouling
– Andrea Moro
Feb 26 at 10:35
If you are convinced that chroot is the right option and not just setting file permissions the I would start by reading up on chroot here wiki.debian.org/chroot
– Philip Couling
Feb 26 at 10:40
Remember that chroot is the most secure option, but it's secure in the same sense a building with no windows or doors is secure. It can be excessive in some situations.
– Philip Couling
Feb 26 at 10:41
1
I'm not convinced about anything at this stage. I'm attempting to learn something, because this is ultimately not my area of expertise. So am playing with a dedicate VPS to see what I can learn out of it.
– Andrea Moro
Feb 26 at 11:01
add a comment |
1
"when I attempt to ssh", do you mean ssh command line? The example you linked is for sftp.chrootblocks the user from everything outside their home directory. It prevents them using any installed programs, even the command line (bash).
– Philip Couling
Feb 25 at 16:40
Any article or something I can read with a configuration example @PhilipCouling
– Andrea Moro
Feb 26 at 10:35
If you are convinced that chroot is the right option and not just setting file permissions the I would start by reading up on chroot here wiki.debian.org/chroot
– Philip Couling
Feb 26 at 10:40
Remember that chroot is the most secure option, but it's secure in the same sense a building with no windows or doors is secure. It can be excessive in some situations.
– Philip Couling
Feb 26 at 10:41
1
I'm not convinced about anything at this stage. I'm attempting to learn something, because this is ultimately not my area of expertise. So am playing with a dedicate VPS to see what I can learn out of it.
– Andrea Moro
Feb 26 at 11:01
1
1
"when I attempt to ssh", do you mean ssh command line? The example you linked is for sftp.
chroot blocks the user from everything outside their home directory. It prevents them using any installed programs, even the command line (bash).– Philip Couling
Feb 25 at 16:40
"when I attempt to ssh", do you mean ssh command line? The example you linked is for sftp.
chroot blocks the user from everything outside their home directory. It prevents them using any installed programs, even the command line (bash).– Philip Couling
Feb 25 at 16:40
Any article or something I can read with a configuration example @PhilipCouling
– Andrea Moro
Feb 26 at 10:35
Any article or something I can read with a configuration example @PhilipCouling
– Andrea Moro
Feb 26 at 10:35
If you are convinced that chroot is the right option and not just setting file permissions the I would start by reading up on chroot here wiki.debian.org/chroot
– Philip Couling
Feb 26 at 10:40
If you are convinced that chroot is the right option and not just setting file permissions the I would start by reading up on chroot here wiki.debian.org/chroot
– Philip Couling
Feb 26 at 10:40
Remember that chroot is the most secure option, but it's secure in the same sense a building with no windows or doors is secure. It can be excessive in some situations.
– Philip Couling
Feb 26 at 10:41
Remember that chroot is the most secure option, but it's secure in the same sense a building with no windows or doors is secure. It can be excessive in some situations.
– Philip Couling
Feb 26 at 10:41
1
1
I'm not convinced about anything at this stage. I'm attempting to learn something, because this is ultimately not my area of expertise. So am playing with a dedicate VPS to see what I can learn out of it.
– Andrea Moro
Feb 26 at 11:01
I'm not convinced about anything at this stage. I'm attempting to learn something, because this is ultimately not my area of expertise. So am playing with a dedicate VPS to see what I can learn out of it.
– Andrea Moro
Feb 26 at 11:01
add a comment |
1 Answer
1
active
oldest
votes
Your problem likely is because user's home directory is writable for user in question (testuser). SSH does not allow chrooting into (user) writable directory and terminates the connection. You should have a log message in your server's logs.
sshd_config man page says about ChrootDirectory:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. At session startup sshd(8) checks that all
components of the pathname are root-owned directories which are
not writable by any other user or group. ...
Your options depend on your requirements. You could change the home directory owner to root and remove other write permissions and have the (writable) sub-directories owned by the user. For example:
mkdir /home/testuser_tmp
mv /home/testuser /home/testuser_tmp/
mv /home/testuser_tmp /testuser_tmp
If the user also has shell access, you probably should update the home directory entry in /etc/passwd to point to the writable sub-directory.
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now
– Andrea Moro
Feb 26 at 8:47
ChrootDirectoryin the configuration tells ssh to change the root directory to/home/testuser. The directory is presumably writable for usertestuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect.
– sebasth
Feb 26 at 8:50
But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only?
– Andrea Moro
Feb 26 at 10:38
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f502932%2flimit-the-ssh-and-sftp-to-a-certain-folder%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your problem likely is because user's home directory is writable for user in question (testuser). SSH does not allow chrooting into (user) writable directory and terminates the connection. You should have a log message in your server's logs.
sshd_config man page says about ChrootDirectory:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. At session startup sshd(8) checks that all
components of the pathname are root-owned directories which are
not writable by any other user or group. ...
Your options depend on your requirements. You could change the home directory owner to root and remove other write permissions and have the (writable) sub-directories owned by the user. For example:
mkdir /home/testuser_tmp
mv /home/testuser /home/testuser_tmp/
mv /home/testuser_tmp /testuser_tmp
If the user also has shell access, you probably should update the home directory entry in /etc/passwd to point to the writable sub-directory.
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now
– Andrea Moro
Feb 26 at 8:47
ChrootDirectoryin the configuration tells ssh to change the root directory to/home/testuser. The directory is presumably writable for usertestuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect.
– sebasth
Feb 26 at 8:50
But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only?
– Andrea Moro
Feb 26 at 10:38
add a comment |
Your problem likely is because user's home directory is writable for user in question (testuser). SSH does not allow chrooting into (user) writable directory and terminates the connection. You should have a log message in your server's logs.
sshd_config man page says about ChrootDirectory:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. At session startup sshd(8) checks that all
components of the pathname are root-owned directories which are
not writable by any other user or group. ...
Your options depend on your requirements. You could change the home directory owner to root and remove other write permissions and have the (writable) sub-directories owned by the user. For example:
mkdir /home/testuser_tmp
mv /home/testuser /home/testuser_tmp/
mv /home/testuser_tmp /testuser_tmp
If the user also has shell access, you probably should update the home directory entry in /etc/passwd to point to the writable sub-directory.
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now
– Andrea Moro
Feb 26 at 8:47
ChrootDirectoryin the configuration tells ssh to change the root directory to/home/testuser. The directory is presumably writable for usertestuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect.
– sebasth
Feb 26 at 8:50
But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only?
– Andrea Moro
Feb 26 at 10:38
add a comment |
Your problem likely is because user's home directory is writable for user in question (testuser). SSH does not allow chrooting into (user) writable directory and terminates the connection. You should have a log message in your server's logs.
sshd_config man page says about ChrootDirectory:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. At session startup sshd(8) checks that all
components of the pathname are root-owned directories which are
not writable by any other user or group. ...
Your options depend on your requirements. You could change the home directory owner to root and remove other write permissions and have the (writable) sub-directories owned by the user. For example:
mkdir /home/testuser_tmp
mv /home/testuser /home/testuser_tmp/
mv /home/testuser_tmp /testuser_tmp
If the user also has shell access, you probably should update the home directory entry in /etc/passwd to point to the writable sub-directory.
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
Your problem likely is because user's home directory is writable for user in question (testuser). SSH does not allow chrooting into (user) writable directory and terminates the connection. You should have a log message in your server's logs.
sshd_config man page says about ChrootDirectory:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. At session startup sshd(8) checks that all
components of the pathname are root-owned directories which are
not writable by any other user or group. ...
Your options depend on your requirements. You could change the home directory owner to root and remove other write permissions and have the (writable) sub-directories owned by the user. For example:
mkdir /home/testuser_tmp
mv /home/testuser /home/testuser_tmp/
mv /home/testuser_tmp /testuser_tmp
If the user also has shell access, you probably should update the home directory entry in /etc/passwd to point to the writable sub-directory.
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
edited Feb 26 at 9:00
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
answered Feb 25 at 17:11
sebasthsebasth
8,60132450
8,60132450
Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now
– Andrea Moro
Feb 26 at 8:47
ChrootDirectoryin the configuration tells ssh to change the root directory to/home/testuser. The directory is presumably writable for usertestuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect.
– sebasth
Feb 26 at 8:50
But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only?
– Andrea Moro
Feb 26 at 10:38
add a comment |
Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now
– Andrea Moro
Feb 26 at 8:47
ChrootDirectoryin the configuration tells ssh to change the root directory to/home/testuser. The directory is presumably writable for usertestuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect.
– sebasth
Feb 26 at 8:50
But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only?
– Andrea Moro
Feb 26 at 10:38
Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now
– Andrea Moro
Feb 26 at 8:47
Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now
– Andrea Moro
Feb 26 at 8:47
ChrootDirectory in the configuration tells ssh to change the root directory to /home/testuser. The directory is presumably writable for user testuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect.– sebasth
Feb 26 at 8:50
ChrootDirectory in the configuration tells ssh to change the root directory to /home/testuser. The directory is presumably writable for user testuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect.– sebasth
Feb 26 at 8:50
But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only?
– Andrea Moro
Feb 26 at 10:38
But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only?
– Andrea Moro
Feb 26 at 10:38
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f502932%2flimit-the-ssh-and-sftp-to-a-certain-folder%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
"when I attempt to ssh", do you mean ssh command line? The example you linked is for sftp.
chrootblocks the user from everything outside their home directory. It prevents them using any installed programs, even the command line (bash).– Philip Couling
Feb 25 at 16:40
Any article or something I can read with a configuration example @PhilipCouling
– Andrea Moro
Feb 26 at 10:35
If you are convinced that chroot is the right option and not just setting file permissions the I would start by reading up on chroot here wiki.debian.org/chroot
– Philip Couling
Feb 26 at 10:40
Remember that chroot is the most secure option, but it's secure in the same sense a building with no windows or doors is secure. It can be excessive in some situations.
– Philip Couling
Feb 26 at 10:41
1
I'm not convinced about anything at this stage. I'm attempting to learn something, because this is ultimately not my area of expertise. So am playing with a dedicate VPS to see what I can learn out of it.
– Andrea Moro
Feb 26 at 11:01