Can we Migrate an FTP repository into SFTP in Ubuntu? [duplicate]
Solution 1:
All this pain is thanks to several security issues as described here. Basically the chroot directory has to be owned by root
and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.
sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writable
sudo chown bob:sftponly /home/bob/writable
sudo chmod ug+rwX /home/bob/writable
And bam, you can log in and write in /writable
.
Solution 2:
To chroot an SFTP directory, you must
-
Create a user and force root to be owner of it
sudo mkdir /home/john useradd -d /home/john -M -N -g users john sudo chown root:root /home/john sudo chmod 755 /home/john
-
Change the subsystem location on
/etc/ssh/sshd_config
:#Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp internal-sftp
and create a user section at the end of the file (ssh can die respawning if placed after Subsystem line):
Match User john ChrootDirectory %h ForceCommand internal-sftp AllowTCPForwarding no X11Forwarding no
Solution 3:
I spent the whole day trying to get a network share on my raspberry. I wanted to lock the user so that it would not be able to navigate through the whole file system, no ssh login access and I wanted to have write access to the network share.
And here is how I got it working:
First I created a user:
sudo useradd netdrive
Then edited /etc/passwd
and made sure it has /bin/false
for the user so the line was:
netdrive:x:1001:1004:Net Drive User,,,:/home/netdrive:/bin/false
I edited /etc/ssh/sshd_config
to include:
Match User netdrive
ChrootDirectory /home/netdrive
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Changed home directory owner and permissions:
sudo chown root:root /home/netdrive/
sudo chmod 755 /home/netdrive/
Ok so after all this I was able to connect using sshfs
but in read only mode. What I had to do to get a writable folder:
sudo mkdir -p /home/netdrive/home/netdrive/
sudo chown netdrive:netdrive /home/netdrive/home/netdrive/
sudo chmod 755 /home/netdrive/home/netdrive/
That was it, it worked without any further changes. Note that I have only writable permissions to the user, not to the group as many other solutions online. I was able to create/delete/edit/rename files/folders without problems.
When accessing using sshfs
with the netdrive user because of chroot configuration I would only see things stored inside server's /home/netdrive/
directory, perfect. The repeated /home/netdrive/home/netdrive/
directory structure is what made it work for me in having a clean chroot ssh writable solution.
Now I am going to explain below the problems I had:
You should probably not execute the following paragraphs:
After looking at the above solutions (and many others on the net which even used acl (access control lists)) I was still not able to get it working because what I did next was:
The following did NOT work for me:
sudo mkdir /home/netdrive/writable/
sudo chown netdrive:netdrive /home/netdrive/writable/
sudo chmod 755 /home/netdrive/writable/
Because the netdrive user was still not able to write in that /home/netdrive/writable/
directory despite owning the folder and having the permissions. Then I did:
sudo chmod 775 /home/netdrive/writable/
And now I could create a directory and delete it but I was not able to edit it because it was being created without group writable permissions. Here from what I saw on the net people use acl
to fix it. But I was not happy with that since it I had to install acl
, then configure mount points, etc. Also I have no idea why I would need group permission to write to a folder owned by the same user.
It seems that for some reason creating /home/netdrive/home/netdrive
and giving ownership to the last netdrive
folder I was able to make everything work without messing with group permissions.
Solution 4:
I followed this article but it didnt work. It started working after I made this change (suggested in above answers):
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Plus made the root ownable home directory under which I had user writable sub directory (as described above).
The new and useful thing I want to add with this answer is that you can simplify the configuration simply by specifying %h as user home directory:
ChrootDirectory %h
I have discovered it thanks to this link.