I have been trying to set up an SFTP server with multiple users chrooting into their home directories. I followed the advice on this guide (Archive.org link) and then executed the following commands on the users' directories
chown root:root /home/user/
chmod 755 /home/user/
There is an additional folder in every user's home directory called public, which is owned by its user so as to allow them to create directories and upload and remove files as needed. (This was advised in the guide I mentioned earlier)
Now when I execute sftp -P 435 user@localhost, I get this error:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
How do I proceed from here? The ultimate idea is to have each user on some other machine use FileZilla to log into their chrooted home directories and then be able to upload directories and files. All this in SFTP (because it's more secure)
That article also describes how to get chrooted shell access, but since you just want an sftp-only account, just follow these instructions:
Edit /etc/ssh/sshd_config and add the lines:
Find the line UsePAM yes and comment it out:
Without disabling this, my SSH server would crash on reloading/restarting. Since I do not need fancy functions of PAM, this is fine.
For extra security, restrict the users who can login. If you forget to add SFTP users to the sftp group, you give them free shell access. Not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfill both rules), you have to create an additional group, say ssh-users. Add the users who are allowed to login (youruser below) over SSH:
And add the next line to /etc/ssh/sshd_config:
Now proceed with modifying the permissions of the user's home directory to allow for chrooting (example user sftp-user):
Create a directory in which sftp-user is free to put any files:
Should you run into any problems, check /var/log/syslog and /var/log/auth.log for details. Run ssh or sftp with the -vvv option for debugging messages. For sftp, the option must appear before the host, as in sftp -vvv user@host.
Just wanted to add that folder permissions up the directory tree need to be set a certain way.
Source
I was having a very similar error, and fixing my directory permissions fixed the issue for me.
I'm using Ubuntu LTS 12.04 and after a lot of pain, this worked for me.
My settings for /etc/ssh/sshd_config
create group sftp:
groupadd sftp
Create user directly with new sftp group attached:
sudo useradd -d /ftpusers/HomeFolder -m UserName -g sftp -s /bin/false
set permissions for use with ssh for sftp:
chown root:root HomeFolder
chmod 755 HomeFolder
restart service:
service ssh restart
Note, the home folder for the new sftp user has to be given root owner.
Here is a step-by-step guide to allow:
First, edit your /etc/ssh/sshd_config file:
Scroll down and modify:
and add this at the bottom:
Press Ctrl-X to exit and save.
Now add the user:
Now add the groups and disable ssh:
Now set permissions:
All this is while logged in as a root user (ec2-user on Amazon Linux AMIs)
Also note, when adding the Match directive to the config file, that any directives not relevant to what you are matching may stop working. Rather than commenting out everything which is not compatible, simply move any sections which include a Match directive to the end of the config file.
Furthermore, permissions probably need to be set to 755 on the chroot directory and any parent directories, and the owner to root:root. Personally, I set the chroot directory in sshd_config to %h, the user's home directory, and then set their home directory to where I want it to be, such as /var/www/examplewebsite.com. Some may prefer to configure a chroot home directory with a static portion followed by the username, such as /var/www/%u; however, this requires ensuring that your user's chroot dir matches its username, of course.
To troubleshoot connection issues, stop the ssh service (being sure to open an SSH session or two first for testing), and then start the daemon interactively in debug mode to examine the connection debug info. This may help you identify any problems, which you can then search up how to fix.
Commands: service ssh stop ; /usr/sbin/sshd -d
Be sure to start ssh up again after you're done! Command: service ssh start