Can we Migrate an FTP repository into SFTP in Ubuntu? [duplicate]

ssh sftp chroot

Solution 1:

All this pain is thanks to several security issues as described here. Basically the chroot directory has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writable
sudo chown bob:sftponly /home/bob/writable
sudo chmod ug+rwX /home/bob/writable

And bam, you can log in and write in /writable.

Solution 2:

To chroot an SFTP directory, you must

  1. Create a user and force root to be owner of it

    sudo mkdir /home/john
useradd -d /home/john -M -N -g users john
sudo chown root:root /home/john
sudo chmod 755 /home/john

  2. Change the subsystem location on /etc/ssh/sshd_config:

    #Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

    and create a user section at the end of the file (ssh can die respawning if placed after Subsystem line):

    Match User john
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

Solution 3:

I spent the whole day trying to get a network share on my raspberry. I wanted to lock the user so that it would not be able to navigate through the whole file system, no ssh login access and I wanted to have write access to the network share.

And here is how I got it working:

First I created a user:

sudo useradd netdrive

Then edited /etc/passwd and made sure it has /bin/false for the user so the line was:

netdrive:x:1001:1004:Net Drive User,,,:/home/netdrive:/bin/false

I edited /etc/ssh/sshd_config to include:

Match User netdrive
  ChrootDirectory /home/netdrive
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Changed home directory owner and permissions:

sudo chown root:root /home/netdrive/
sudo chmod 755 /home/netdrive/

Ok so after all this I was able to connect using sshfs but in read only mode. What I had to do to get a writable folder:

sudo mkdir -p /home/netdrive/home/netdrive/
sudo chown netdrive:netdrive /home/netdrive/home/netdrive/
sudo chmod 755 /home/netdrive/home/netdrive/

That was it, it worked without any further changes. Note that I have only writable permissions to the user, not to the group as many other solutions online. I was able to create/delete/edit/rename files/folders without problems.

When accessing using sshfs with the netdrive user because of chroot configuration I would only see things stored inside server's /home/netdrive/ directory, perfect. The repeated /home/netdrive/home/netdrive/ directory structure is what made it work for me in having a clean chroot ssh writable solution.

Now I am going to explain below the problems I had:

You should probably not execute the following paragraphs:

After looking at the above solutions (and many others on the net which even used acl (access control lists)) I was still not able to get it working because what I did next was:

The following did NOT work for me:

sudo mkdir /home/netdrive/writable/
sudo chown netdrive:netdrive /home/netdrive/writable/
sudo chmod 755 /home/netdrive/writable/

Because the netdrive user was still not able to write in that /home/netdrive/writable/ directory despite owning the folder and having the permissions. Then I did: sudo chmod 775 /home/netdrive/writable/ And now I could create a directory and delete it but I was not able to edit it because it was being created without group writable permissions. Here from what I saw on the net people use acl to fix it. But I was not happy with that since it I had to install acl, then configure mount points, etc. Also I have no idea why I would need group permission to write to a folder owned by the same user.

It seems that for some reason creating /home/netdrive/home/netdrive and giving ownership to the last netdrive folder I was able to make everything work without messing with group permissions.

Solution 4:

I followed this article but it didnt work. It started working after I made this change (suggested in above answers):

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Plus made the root ownable home directory under which I had user writable sub directory (as described above).

The new and useful thing I want to add with this answer is that you can simplify the configuration simply by specifying %h as user home directory:

ChrootDirectory %h

I have discovered it thanks to this link.

Related

Does installing mysql-server include mysql-client as well?
Is this case Active or Passive Voice?
Is "could use" rude?
Is there a phrase that is the opposite of "putting two and two together"? [closed]
"I belong to a greater stage"
Meaning of 'to make a screen to' (1791 US)
How did "Draw" come to mean pull, as in draw drapes?
Why do signs say "no concealable weapons allowed"?
Future Seen from the Past
Usage/meaning of "brattery"
"In general,...": do mathematicians use this phrase oppositely from everyone else?
What is the difference between 'decrease' and 'reduce' in the context set out below?