0

Whilst creating a testuser, I was 99% sure that the user path would have been its home directory, and in theory nothing else could have been seen when connecting regardless.

I was wrong, so in the attempt to limit the SSH of a user to a certain folder and only that up I read some guidelines and SE answers (e.g. this one) to found most of them pointing to something like

Match User testuser
    ChrootDirectory /home/testuser
    ForceCommand internal-sftp

But when I attempted to SSH, an error message saying "broken pipe" is arise and I couldn't figure out to resolve.

Any idea where I can continue to read and/or setup?

Thanks

Andrea Moro
  • 151
  • 1
    "when I attempt to ssh", do you mean ssh command line? The example you linked is for sftp. chroot blocks the user from everything outside their home directory. It prevents them using any installed programs, even the command line (bash). – Philip Couling Feb 25 '19 at 16:40
  • Any article or something I can read with a configuration example @PhilipCouling – Andrea Moro Feb 26 '19 at 10:35
  • If you are convinced that chroot is the right option and not just setting file permissions the I would start by reading up on chroot here https://wiki.debian.org/chroot – Philip Couling Feb 26 '19 at 10:40
  • Remember that chroot is the most secure option, but it's secure in the same sense a building with no windows or doors is secure. It can be excessive in some situations. – Philip Couling Feb 26 '19 at 10:41
  • 1
    I'm not convinced about anything at this stage. I'm attempting to learn something, because this is ultimately not my area of expertise. So am playing with a dedicate VPS to see what I can learn out of it. – Andrea Moro Feb 26 '19 at 11:01

1 Answers1

2

Your problem likely is because user's home directory is writable for user in question (testuser). SSH does not allow chrooting into (user) writable directory and terminates the connection. You should have a log message in your server's logs.

sshd_config man page says about ChrootDirectory:

 ChrootDirectory
         Specifies the pathname of a directory to chroot(2) to after
         authentication.  At session startup sshd(8) checks that all
         components of the pathname are root-owned directories which are
         not writable by any other user or group. ...

Your options depend on your requirements. You could change the home directory owner to root and remove other write permissions and have the (writable) sub-directories owned by the user. For example:

mkdir /home/testuser_tmp
mv /home/testuser /home/testuser_tmp/
mv /home/testuser_tmp /testuser_tmp

If the user also has shell access, you probably should update the home directory entry in /etc/passwd to point to the writable sub-directory.

sebasth
  • 14,872
  • Hey @sebasth, thanks for your comment. I'm a bit of a newby here. Can you tell me a bit more on what chrooting is in this context? My requirements is to have my testused being able to either SSH or SFTP and not able to navigate everywhere in the server, because that's what it seems to happening now – Andrea Moro Feb 26 '19 at 08:47
  • ChrootDirectory in the configuration tells ssh to change the root directory to /home/testuser. The directory is presumably writable for user testuser. SSH daemon doesn't allow chrooting into a user-writable directory, hence ssh client fails to connect. – sebasth Feb 26 '19 at 08:50
  • But then SSH and SFTP thinks differently as they are two separate service. They only share the login method via the encrypted file on the server. So the above can work for SSH access, but what should I then do for this user to get access to the /var/www/html folder only? – Andrea Moro Feb 26 '19 at 10:38