Can we Migrate an FTP repository into SFTP in Ubuntu? [duplicate]

Solution 1:

All this pain is thanks to several security issues as described here. Basically the chroot directory has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writable
sudo chown bob:sftponly /home/bob/writable
sudo chmod ug+rwX /home/bob/writable

And bam, you can log in and write in /writable.

Solution 2:

To chroot an SFTP directory, you must

  1. Create a user and force root to be owner of it

    sudo mkdir /home/john
    useradd -d /home/john -M -N -g users john
    sudo chown root:root /home/john
    sudo chmod 755 /home/john
    
  2. Change the subsystem location on /etc/ssh/sshd_config:

    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp
    

    and create a user section at the end of the file (ssh can die respawning if placed after Subsystem line):

    Match User john
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTCPForwarding no
        X11Forwarding no
    

Solution 3:

I spent the whole day trying to get a network share on my raspberry. I wanted to lock the user so that it would not be able to navigate through the whole file system, no ssh login access and I wanted to have write access to the network share.

And here is how I got it working:

First I created a user:

sudo useradd netdrive

Then edited /etc/passwd and made sure it has /bin/false for the user so the line was:

netdrive:x:1001:1004:Net Drive User,,,:/home/netdrive:/bin/false

I edited /etc/ssh/sshd_config to include:

Match User netdrive
  ChrootDirectory /home/netdrive
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Changed home directory owner and permissions:

sudo chown root:root /home/netdrive/
sudo chmod 755 /home/netdrive/

Ok so after all this I was able to connect using sshfs but in read only mode. What I had to do to get a writable folder:

sudo mkdir -p /home/netdrive/home/netdrive/
sudo chown netdrive:netdrive /home/netdrive/home/netdrive/
sudo chmod 755 /home/netdrive/home/netdrive/

That was it, it worked without any further changes. Note that I have only writable permissions to the user, not to the group as many other solutions online. I was able to create/delete/edit/rename files/folders without problems.

When accessing using sshfs with the netdrive user because of chroot configuration I would only see things stored inside server's /home/netdrive/ directory, perfect. The repeated /home/netdrive/home/netdrive/ directory structure is what made it work for me in having a clean chroot ssh writable solution.

Now I am going to explain below the problems I had:

You should probably not execute the following paragraphs:

After looking at the above solutions (and many others on the net which even used acl (access control lists)) I was still not able to get it working because what I did next was:

The following did NOT work for me:

sudo mkdir /home/netdrive/writable/
sudo chown netdrive:netdrive /home/netdrive/writable/
sudo chmod 755 /home/netdrive/writable/

Because the netdrive user was still not able to write in that /home/netdrive/writable/ directory despite owning the folder and having the permissions. Then I did: sudo chmod 775 /home/netdrive/writable/ And now I could create a directory and delete it but I was not able to edit it because it was being created without group writable permissions. Here from what I saw on the net people use acl to fix it. But I was not happy with that since it I had to install acl, then configure mount points, etc. Also I have no idea why I would need group permission to write to a folder owned by the same user.

It seems that for some reason creating /home/netdrive/home/netdrive and giving ownership to the last netdrive folder I was able to make everything work without messing with group permissions.

Solution 4:

I followed this article but it didnt work. It started working after I made this change (suggested in above answers):

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Plus made the root ownable home directory under which I had user writable sub directory (as described above).

The new and useful thing I want to add with this answer is that you can simplify the configuration simply by specifying %h as user home directory:

ChrootDirectory %h

I have discovered it thanks to this link.