Hello,
I have a task to create 3 users that must connect only via sftp on a machine, and must have only read access to a certain directory (thay shouldn;t be able to cd anywhere else)
The problem is that the directory where these users must have access to, it's already created/owned by another user/group which have xw rights there also.
My approach for this was to create the new users into the owner group of the respective directory. Then I configured in /etc/ssh/sshd_config for the users to be chrooted in that directory.
Like this :
the directory where the users have to 'caged' with only read permissions :
miemand1:/home # ls -ld /var/sppm/module/mnp
drwxr-xr-x 7 ologw sog 4096 Aug 1 09:47 /var/sppm/module/mnp
The user creation and chroot settings :
useradd -g sog -d /var/sppm/module/mnp -s /sbin/nologin user1
vi /etc/ssh/sshd_config
Match User user1
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
sshd -t
service sshd restart
I\m not sure exactly what ChrootDirectory %h does but I assume it 'cages' the respective user in his home directory.. ?
My problem is that once the 'ChrootDirectory %h' is in place my user cannot login :
[mnuser@NagiosPM ~]$ sftp -v user1@10.21.250.233
Connecting to 10.21.250.233...
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.21.250.233 [10.21.250.233] port 22.
debug1: Connection established.
debug1: identity file /box/monitoring/.ssh/id_rsa type 1
debug1: identity file /box/monitoring/.ssh/id_rsa-cert type -1
debug1: identity file /box/monitoring/.ssh/id_dsa type -1
debug1: identity file /box/monitoring/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.21.250.233' is known and matches the RSA host key.
debug1: Found key in /box/monitoring/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /box/monitoring/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /box/monitoring/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
Any ideas how should I approach this?