SSH users are able to see root directories

Status
Not open for further replies.

roby84

Dabbler
Joined
Jun 17, 2012
Messages
11
Hello,
I want to set up an SSH chroot so that users cannot access all the root directories of FreeNAS (bin, var, etc.) when they connect via SFTP.

I followed these instructions http://doc.freenas.org/index.php/SSH about "Chrooting SFTP users" but it doesn't work, as they are still able to navigate up to the root of the system.

I've read that all the directories in the user's home directory path must be root-owned, and I've seen that instead my /mnt folder is owned by the root user and a "1002" group, and I don't know what that is. I changed that 1002 to "wheel" but the problem still occurs; furthermore, after rebooting FreeNAS the group of /mnt is changed back to "1002". I don't know if I messed up something with permissions in the past or if I just have to configure something.
Could anybody help me to solve this?

Thank you.

Roberto
 

William Grzybowski

Wizard
iXsystems
Joined
May 27, 2011
Messages
1,754
SFTP is completely different from an SSH login... For an SSH chroot you need a chroot environment with a tree (/bin, /usr, etc.)
 

roby84

Dabbler
Joined
Jun 17, 2012
Messages
11
According to what is written in that article, FreeNAS should force the use of SFTP when connecting via SSH, so it should work like that; otherwise, why would they have written those things?
 

roby84

Dabbler
Joined
Jun 17, 2012
Messages
11
I'm not saying they're not, I'm just saying that the article ( http://doc.freenas.org/index.php/SSH#Chrooting_SFTP_users ) says that FreeNAS allows forcing users to be chrooted in their home directory. I followed those instructions, and connected to FreeNAS via SFTP with WinSCP, but the user is still able to navigate up to the root of the system.
So is it possible to do such a thing?
 

roby84

Dabbler
Joined
Jun 17, 2012
Messages
11
Finally I got it to work.
The problem was that the user that connects to FreeNAS via SFTP MUST be a member of the group indicated in the "Match Group" option of the SSH configuration. But in the article about "Chrooting SFTP users" this is not specified, as he just says to add "Match Group sftp" but doesn't say that the user must be a member of the "sftp" group. I suggest this be added to the article.
Bye bye.

Roberto
 

OnecAgain

Dabbler
Joined
Aug 20, 2012
Messages
10
That's true, you need to add his group.
In my configuration, the user can log in and is forced to /mnt as home, so he can't go to the root folders. BUT the user isn't forced to his home folder. Did I miss something?
Code:
Match User xyz
     ChrootDirectory /mnt/Raid/xyz/
     ForceCommand internal-sftp
     AllowTcpForwarding no
 

OnecAgain

Dabbler
Joined
Aug 20, 2012
Messages
10
Ok, now it works. I don't know why now. Might I need a while...?

But the user can't write to this directory. For the mount point it is configured like the picture.

Sftp3.jpg

Ok, now I got it. *facepalm*

The dataset won't work alone. You need to create a folder inside the dataset and change its owner to your client user. Then the dataset is root-owned, but the folder inside is owned by the user.
 

puppet

Cadet
Joined
Jan 15, 2013
Messages
1
Finally I got it to work.
The problem was that the user that connects to FreeNAS via SFTP MUST be a member of the group indicated in the "Match Group" option of the SSH configuration. But in the article about "Chrooting SFTP users" this is not specified, as he just says to add "Match Group sftp" but doesn't say that the user must be a member of the "sftp" group. I suggest this be added to the article.
Bye bye.

Roberto

Thanks for your comments Roberto - We're not all experts, some of us are just trying to learn, little comments like yours have helped many!
 

mskenderian

Contributor
Joined
May 24, 2013
Messages
100
I followed all the instructions.

Now user "test" cannot connect via SFTP.
I also get this message in the footer:

sshd[50517]: fatal: bad ownership or modes for chroot directory component "/mnt/"

Not sure what happened here.

I did the following:
Code:
mkdir /mnt/Data/Users/test/test
chown test:test /mnt/Data/Users/test/test

Any suggestions?
 
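The "bad ownership or modes for chroot directory component" error above and the root-owned dataset / user-owned subfolder rule from OnecAgain's post come from the same sshd requirement: every directory from / down to the ChrootDirectory must be owned by root and must not be group- or world-writable, while the directory the user writes to lives below the chroot. The following Python script is an added example, not code from the thread or from FreeNAS; it walks a chroot path and reports each component that would fail that check. The function names and messages are my own.

```python
"""Check a ChrootDirectory path the way sshd does before accepting it.

sshd rejects a chroot unless every directory from / down to the
ChrootDirectory is owned by root (uid 0) and is not writable by group
or others. Data the SFTP user should write belongs in a subdirectory
below the chroot, owned by that user.
"""
import os
import stat
from pathlib import PurePosixPath
from typing import List, Optional

# Permission bits sshd refuses on any component: group- or world-writable.
FORBIDDEN_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def component_problem(component: str, uid: int, mode: int) -> Optional[str]:
    """Explain why one path component fails sshd's check, or None if it passes."""
    if not stat.S_ISDIR(mode):
        return f"{component}: not a directory"
    if uid != 0:
        return f"{component}: owned by uid {uid}, must be owned by root (uid 0)"
    if mode & FORBIDDEN_WRITE_BITS:
        return f"{component}: mode {stat.S_IMODE(mode):04o} is group/world writable"
    return None


def path_components(path: str) -> List[str]:
    """'/mnt/Data/Users/test' -> ['/', '/mnt', '/mnt/Data', ...] (trailing '/' ignored)."""
    parts = PurePosixPath(path).parts
    return [str(PurePosixPath(*parts[: i + 1])) for i in range(len(parts))]


def chroot_path_problems(path: str) -> List[str]:
    """Stat every component of the chroot path and collect sshd-style complaints."""
    problems = []
    for component in path_components(path):
        st = os.stat(component)
        problem = component_problem(component, st.st_uid, st.st_mode)
        if problem:
            problems.append(problem)
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_chroot.py /mnt/Data/Users/test
    found = chroot_path_problems(sys.argv[1] if len(sys.argv) > 1 else "/mnt")
    print("\n".join(found) if found else "chroot path passes sshd's ownership/mode check")
```

Run it as root on the FreeNAS box against the exact ChrootDirectory value from sshd_config; the /mnt owned by group 1002 in the first post would pass as long as it is not group-writable, whereas a group-writable dataset or a user-owned component is reported.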
