sindreruud
Dabbler
- Joined
- Sep 21, 2017
- Messages
- 24
Hi!
Version:
FreeNAS 11.2 U6
I have tried my best to search the documentation, this forum and Google in general. But I couldn't quite find out how to actually configure this on FreeNAS. I have followed the documentation on FreeNAS, as well as the FreeBSD man pages for sshd.
I have three users and there will probably be more. Currently they are 'john', 'jane' and 'alex'.
What I want to accomplish:
All SFTP users belonging to the group sftponly should have their / be this path: /mnt/vol1/cloud-storage/chroot
I want all users to have their own personal folder at /mnt/vol1/cloud-storage/chroot/USERNAME
Only the user has read/write access to their own USERNAME folder.
All users can however read but not write to this folder: /mnt/vol1/cloud-storage/chroot/public
I have made cloud-storage as a dataset, and given user root rwx, and group wheel r-x access. As I understand it, when you want chroot on a folder, it has to be owned by user root, and it cannot be group writable. Here is the output:
Code:
drwxr-x--- 3 root wheel 3 Feb 10 15:59 cloud-storage
Then I made a sub-dataset at /mnt/vol1/cloud-storage named chroot and it has the same permissions:
Code:
drwxr-x--- 5 root wheel 5 Feb 10 16:01 chroot
In the chroot dataset there are several sub-datasets owned by the particular user:
/mnt/vol1/cloud-storage/chroot/john
/mnt/vol1/cloud-storage/chroot/jane
/mnt/vol1/cloud-storage/chroot/alex
/mnt/vol1/cloud-storage/chroot/public (viewable by all)
The permissions look like this:
Code:
ls -l /mnt/vol1/cloud-storage/chroot
drw------- 2 alex sftponly 2 Feb 10 16:00 alex
drw------- 2 john sftponly 2 Feb 10 16:00 john
drw------- 2 jane sftponly 2 Feb 10 16:00 jane
drwxr----- 2 root sftponly 2 Feb 10 16:01 public
Users and the sftponly group are created through the FreeNAS UI. All the users belong to the group sftponly that I created. They are added as the main group, but I have tried it as an aux group as well.
Home directory is set as /nonexistent
Shell is set as /usr/local/bin/scponly
Initially I tried setting the shell as /usr/sbin/nologin, but this was just creating errors upon connection. Checking that all users belong to the correct group:
Code:
freenas# id alex
uid=1000(alex) gid=1002(sftponly) groups=1002(sftponly)
freenas# id jane
uid=1002(jane) gid=1002(sftponly) groups=1002(sftponly)
freenas# id john
uid=1003(john) gid=1002(sftponly) groups=1002(sftponly)
And finally on to the sshd_config. I first tried to edit the config via terminal at /etc/ssh/sshd_config
Code:
freenas# nano /etc/ssh/sshd_config
[...]
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /mnt/vol1/cloud-storage/chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
First of all, this config change did not survive a reboot. Second, all the users are logged in to the / of the FreeNAS filesystem, and not into the specified ChrootDirectory path.
Therefore I looked at editing it in the UI instead. I went to Services -> SSH, selected Configure, and under "Extra options" I specified the following:
Code:
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /mnt/vol1/cloud-storage/chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
I can save this, but when I deactivate SSH and activate it again (in the UI) a dialog box pops up with this message:
SSH service failed to start.
According to the FreeNAS docs regarding 'Extra Options'
Add any additional sshd_config(5) options not covered in this screen, one per line. These options are case-sensitive and misspellings can prevent the SSH service from starting.
And according to the FreeBSD man-page sshd_config(5) regarding 'Match'
Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
So as far as I can see, I have configured it correctly. So I am at a complete loss as to why this is not working. I have tried rebooting the entire system as well, to no avail.
I would like to add that as soon as I have this up and running I will deactivate password login, and use ed25519 keys for auth. In addition, I have port 22 blocked on my router. Instead, clients will connect with a high-numbered port that I have forwarded to 22 internally.
Any help here is highly appreciated!
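A set of checks a practitioner can run against a setup like the one described in this post, added here as an example that is not part of the original post or of FreeNAS. It encodes three facts from OpenSSH: the ChrootDirectory rule in sshd_config(5) (every component of the path must be a root-owned directory that is not writable by group or others), the fact that a directory without the owner execute bit cannot be entered by its owner, and sshd's refusal to start when the same subsystem is defined twice (the generated config's own Subsystem line is visible, commented out, in the nano output above, so a second one in "Extra options" can collide with it). The sample sshd_config text and the directory modes fed to the checks are constructed from the post; the script is POSIX sh and parses `ls -ld` output so the same code runs on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for an sftp-only
# chroot setup. Runs on POSIX sh and parses `ls -ld` output, so it behaves the
# same on FreeBSD and Linux. Paths and the sample config are constructed.

# check_component MODE OWNER
#   MODE  : the 10-character mode string from `ls -ld` (e.g. drwxr-x---)
#   OWNER : the owner name from the same line
# Returns 0 when the directory satisfies sshd_config(5)'s ChrootDirectory rule:
# a root-owned directory that is neither group- nor world-writable.
check_component() {
    mode=$1
    owner=$2
    ok=0
    case "$mode" in
        d*) ;;
        *) echo "not a directory: $mode"; ok=1 ;;
    esac
    [ "$owner" = root ] || { echo "owner is '$owner', must be root"; ok=1; }
    # character 6 is the group write bit, character 9 the world write bit
    case "$mode" in ?????w????) echo "group-writable: $mode"; ok=1 ;; esac
    case "$mode" in ????????w?) echo "world-writable: $mode"; ok=1 ;; esac
    return $ok
}

# check_user_dir MODE OWNER USER
# The per-user directory inside the chroot is the opposite case: it must belong
# to USER, and without the owner execute bit the user cannot enter it at all.
check_user_dir() {
    mode=$1
    owner=$2
    user=$3
    ok=0
    [ "$owner" = "$user" ] || { echo "owner is '$owner', expected '$user'"; ok=1; }
    case "$mode" in
        d??[xs]??????) ;;
        *) echo "owner execute bit missing: $mode (cannot be entered)"; ok=1 ;;
    esac
    return $ok
}

# check_chroot_path /abs/path
# Walks every ancestor (/mnt, /mnt/vol1, ...) up to and including the path
# itself and runs check_component on each, because sshd checks all of them.
check_chroot_path() {
    rest=${1#/}
    current=""
    status=0
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        current="$current/$part"
        line=$(ls -ld "$current") || { status=1; continue; }
        # some ls builds append '+' or '@' for ACLs; keep the first 10 characters
        mode=$(echo "$line" | awk '{print substr($1, 1, 10)}')
        owner=$(echo "$line" | awk '{print $3}')
        if ! check_component "$mode" "$owner"; then
            echo "  -> in path component $current"
            status=1
        fi
    done
    return $status
}

# count_sftp_subsystems FILE
# sshd exits at startup if a subsystem is defined twice, so a "Subsystem sftp"
# line added in the UI collides with one already present in the generated file.
count_sftp_subsystems() {
    grep -c -E '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$1" || true
}

# Demo on constructed input: a stock-style Subsystem line followed by the
# "Extra options" text from the post, plus the directory modes from the post.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /mnt/vol1/cloud-storage/chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
    echo "Subsystem sftp is defined $(count_sftp_subsystems "$tmp") time(s)"
    rm -f "$tmp"
    echo "chroot dataset (drwxr-x--- root):"
    check_component drwxr-x--- root && echo "  OK as a chroot component"
    echo "alex's directory (drw------- alex):"
    check_user_dir drw------- alex alex || echo "  needs chmod u+x"
}

demo
```

On a live system, `check_chroot_path /mnt/vol1/cloud-storage/chroot` walks the real datasets, and `sshd -t -f <generated config>` is the authoritative test of the config sshd will actually load; the counting function only catches the one duplicate-subsystem case.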