
I'm creating users in my system, which are chroot jailed to their own home directory only using `/etc/ssh/sshd_config`. It works fine, but I want to make it so ChrootDirectory will set their home directory to /home/%u/%u or /home/%u/public.

I have tried both, but it seems to always deny the connection when doing so and connecting using an FTP client such as FlashFXP or FileZilla (/home/%u works).

Permissions are fine, as I am able to access the sub-directory when it's set to `ChrootDirectory /home/%u`. What am I doing wrong then?

  • What connection? Commented Oct 7, 2017 at 14:16
  • "What am I doing wrong then?" For us to answer, you should add first to your question what you are doing. "I have tried both" doesn't tell us anything about what you did exactly. Commented Oct 7, 2017 at 14:16
  • I have changed the `ChrootDirectory` to both specified directories in `ssh/sshd_config`, but then it refuses connections from an FTP client such as FlashFXP. Commented Oct 7, 2017 at 14:19
  • In general you should add your answers to comments to the question if appropriate. Do not expect everyone to read both the question and all the comments. The comments' purpose is to improve the question. Commented Oct 7, 2017 at 15:35

1 Answer

man sshd_config:

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.

You can use the home directory (but not a subdirectory) without tricks if you limit the users to SFTP:

In the special case when only sftp is used, not ssh nor scp, it is possible to use ChrootDirectory %h or ChrootDirectory /some/path/%u. The file system containing this directory must be mounted with options nodev and either nosuid or noexec. The owner of the directory should be the user. The ownership of the other components of the path must fulfill the usual conditions. No additional files are required to be present in the directory.

Limitation to SFTP is possible with ForceCommand internal-sftp.

  • The issue is that if it's owned by root and not writable by anyone else, then the user can't modify files in the directory specified in `ChrootDirectory`, but only within sub directories. How can this be fixed? Commented Oct 7, 2017 at 15:40
  • @Aradmey See the edit. Commented Oct 7, 2017 at 16:07
  • What if I use both SFTP and SSH? And by the way, I'm already using the internal-sftp. Commented Oct 7, 2017 at 18:16
  • @Aradmey I guess then SFTP will work and the SSH logins will fail. Commented Oct 7, 2017 at 18:30
  • I fixed my issue by creating a sub-directory owned by the user and used usermod -d /home/user/subdir to set it as the home directory. Commented Oct 7, 2017 at 18:36
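
The ChrootDirectory rule quoted in the answer (every component of the pathname must be a root-owned directory that is not writable by group or others) can be checked per component to see which one makes sshd refuse the session. The following is an added example, not part of the original answer and not sshd's own code; the function names and the `alice` username are made up for illustration.

```python
import os
import stat
import sys


def path_components(path):
    """Return every prefix of an absolute path, from '/' down to the path itself."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    prefixes = ["/"]
    for part in parts:
        prefixes.append(os.path.join(prefixes[-1], part))
    return prefixes


def component_problems(uid, mode):
    """Apply the man page rule to one component's owner uid and st_mode."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if uid != 0:
        problems.append("owned by uid %d, not root" % uid)
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_chroot_path(path):
    """Return [(component, [problems])] for each component that breaks the rule."""
    failures = []
    for component in path_components(path):
        try:
            st = os.stat(component)
        except OSError as exc:
            failures.append((component, [exc.strerror]))
            continue
        problems = component_problems(st.st_uid, st.st_mode)
        if problems:
            failures.append((component, problems))
    return failures


if __name__ == "__main__":
    # Usage: python3 check_chroot.py /home/alice/public  (pass the path with %u already expanded)
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for component, problems in check_chroot_path(target):
        print("%s: %s" % (component, ", ".join(problems)))
```

With `ChrootDirectory /home/%u/%u`, the intermediate `/home/alice` is normally owned by the user, so it is reported as the failing component even when the final directory itself has correct permissions.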
