Tag Archives: jail

/home/jail is not a safe jail, check ownership and permissions.

My jailed user wasn’t connecting to the server via SFTP….
Had to see what was going on!!

root@digitalwhores:/home# tail -f /var/log/auth.log

auth.log looked like this…

Jul 23 19:47:55 digitalwhores systemd-logind[580]: New session 1307 of user sftpuser.
Jul 23 19:47:55 digitalwhores jk_chrootsh[18961]: path /home/jail is group writable
Jul 23 19:47:55 digitalwhores jk_chrootsh[18961]: path /home/jail is writable for others
Jul 23 19:47:55 digitalwhores jk_chrootsh[18961]: abort, /home/jail is not a safe jail, check ownership and permissions.
I had to 0755 the folder /home/jail/
Even that way user wasn’t being able to connect… what was auth.log saying?
Jul 23 19:50:07 digitalwhores jk_chrootsh[19034]: abort, path /home/jail/./home/sftpu is group writable, set option 'relax_home_group_permissions' to relax this check
I had to 0755 the folder /home/jail/home/sftpu
Recommend folders with 0755.
chmod 0755 /home
chmod 0755 /home/jail
chmod 0755 /home/jail/home
chmod 0755 /home/jail/home/**USERS**

 

 

SFTP – Restrain/Lock/Jail the user to their home

Create the user and their home
cd /home
mkdir username
useradd -d /home/username -M -N -g users username
sudo chown root:root /home/username
sudo chmod 755 /home/username
Edit /etc/ssh/sshd_config
nano /etc/ssh/sshd_config

Search for “lib/openssh/sftp-server” and make it like

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Add the following lines bellow it…

Match User username
    ChrootDirectory /home/username
    ForceCommand internal-sftp
Restart SSH
service ssh restart

More readings
http://www.techrepublic.com/blog/linux-and-open-source/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/
http://superuser.com/questions/370953/how-to-not-allow-user-outside-of-home-directory-with-sftp