Forward SFTP user to chroot subdirectory after authentication

ssh file-permissions sftp

I've set up a SFTP server using OpenSSH, everything works fine and the users I created can connect.

After authentication, the users find themselves directly inside /chroot, a directory they are not allowed to write into. So I've put a /subdirectory into /chroot they have write access to (inspired by this blog post) which works fine as well.

However, due to the nature of the project I'm working on, users should find themselves directly in a folder they are allowed to write into after authentication. Forwarding them into the /chroot/subdirectory might be the best solution but I've found no resource explaining how to achieve that.

Can it be done? How?


Solution 1:

[EDIT] Yes I believe it is possible, but I also believe not with openssh:

Here is how I chroot sftp using openssh:

I put sftp users in a special group sftponly which is identified in the sshd_config file. I make sure sftp users have no shell (so they can't log in with ssh) and use the .%h environment variable to force them into a sftp chroot subdir named after their home directory using the ChrootDirectory directive. Other environment variables interpreted by sshd_config are documented in the sshd_conf man page like so:

The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

Here is a copy of my notes for achieving this on OpenBSD, if you use a different system the .%h environment variable may of course differ:

# 1. Create the sftp jail directories
# These directory permissions work with this /etc/ssh/sshd_config:
# drwxr-xr-x  4 root    wheel  512 May 14 16:20 /home/sftproot
# drwxr-xr-x  3 root  wheel  512 May 14 16:21 /home/sftproot/home
# drwxr-xr-x  3 root  wheel  512 May 14 16:37 /home/sftproot/home/User01
# drwxr-xr-x  3 User01  sftponly  512 May 14 16:39 /home/sftproot/home/User01/upload
# drwxr-xr-x  3 root  wheel  512 May 14 16:37 /home/sftproot/home/User02
# drwxr-xr-x  3 User02  sftponly  512 May 14 16:39 /home/sftproot/home/User02/upload

# 2. Make sure /etc/ssh/sshd_config jails /home/sftproot/.%h

# 3. Create a group whose members will only be allowed sftp access
# groupadd sftponly

# 4. Create User01 + User02 whom will only get sftp access
# useradd -s /sbin/nologin -m -G sftponly User01
# useradd -s /sbin/nologin -m -G sftponly User02

# 5. In /etc/ssh/sshd_config enable use of chroot(internal-sftp) then force chroot dirs per user:
# override default of no subsystems
# Subsystem     sftp    /usr/libexec/sftp-server
# Subsystem       sftp    internal-sftp
# Rules for sftponly members
# Match group sftponly
#         ChrootDirectory /home/sftproot/.%h
#         X11Forwarding no
#         AllowTcpForwarding no
#        ForceCommand internal-sftp

# [Comment] Make sure /etc/ssh/sshd_config jails /home/sftproot/.%h
# Which will translate .%h to /home/$username

# [Comment] The sftp users will not be able to log in outside of sftp (as they have no shell).
# As they sftp in they will land in the /home/sftproot/home/Userxx directory which
# will be named "./" and where they have no write access.
# However the directory ./upload is read/writable.

[EDIT part 2] However, the sshd_conf man page also specifies that:

ChrootDirectory

Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

So the chroot directory path, including the part specified by variable expansion, is expected and tested for by sshd to be owned and writable exclusively by root. Therefore, a user of an openssh sftp chrooted service needs writable subdirectories to be able to write to the home directory.

I believe this is not a requirement with all ssh servers however. We also use Tectia where I observe that users are able to write to their respective root directories. However we run it only where Windows is a requirement, so regrettably I cannot readily test the corresponding *nix configuration. The Tectia sftp chrooting support page does not explicitly specify that the user home needs to be owned by root in a Unix environment. I would therefore guess that with Tectia this is not a requirement but that the ownership of a chrooted user home rootdir may be that of the actual user.

Solution 2:

ChrootDirectory /upload/%u

ForceCommand internal-sftp -d data

This will put the sftp in /upload/UserXX/data directory. The data directory is owned and read/writable by the UserXX

Related

Workaround for Tomcat 9.0.46 (bug 65308) - NPE in JNDIRealm
GRANT USAGE ON SCHEMA doesn't do anything
Which certificate does kubelet use?
nginx: ability to log if client supports TLS SNI?
SetroubleshootPrivileged.py using 95% CPU | Centos 8 server
Making an `ip rule` higher priority than `local`
What is the difference between a proxy server and a gateway server?
kubernetes mariadb-galera cluster - bitnami helm chart - Readiness probe failed
SSH - Permission denied (publickey)
What's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in `auditctl`?
How do I log console output from a XEN VM?
Wordpress + nginx infinite redirect loop