Public key authorization on sftp chroot directory

Question

I want to add public key authorization to my sftp chroot directory but I allways get:

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/test/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Couldn't read packet: Connection reset by peer

Chroot works because authorization with password is possible. I have other account on this host without chroot and it works with this key. I tried many times, but still it doesn't work.

On server in auth.log there is only: Connection closed by xxx [preauth]

This is my directory:

ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x  3 root root 4096 May  3 16:55 .
drwxr-xr-x 23 root root 4096 May  3 14:46 ..
drwxr-xr-x  3 root root 4096 May  3 16:45 backup

/sftp/backup:
total 12
drwxr-xr-x 3 root     root      4096 May  3 16:45 .
drwxr-xr-x 3 root     root      4096 May  3 16:55 ..
drwxr-xr-x 3 backup sftpusers 4096 May  3 16:55 incoming

/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May  3 16:55 .
drwxr-xr-x 3 root     root      4096 May  3 16:45 ..
drwx------ 2 backup sftpusers 4096 May  3 21:06 .ssh

/sftp/backup/incoming/.ssh:
total 12
drwx------ 2 backup sftpusers 4096 May  3 21:06 .
drwxr-xr-x 3 backup sftpusers 4096 May  3 16:55 ..
-rw------- 1 backup sftpusers  391 May  3 21:06 authorized_keys

My user:

backup:x:1002:1003::/incoming:/usr/sbin/nologin

My ssh config:

Match Group sftpusers
  ChrootDirectory /sftp/%u
  AuthorizedKeysFile  /sftp/backup/incoming/.ssh/authorized_keys
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Please help.

score 24 · Answer 1 · answered Jul 17 '15 at 13:37

I attempted this solution (putting AuthorizedKeysFile into the Match block) and sshd -T complains:

/etc/ssh/sshd_config line 153: Directive 'AuthorizedKeysFile' is not allowed within a Match block

(RHEL 6.6, openssh 5.3p1-104)

SOLUTION: The authorized_keys file (and the user's .ssh directory) must exist in the home directory location defined by /etc/passwd, outside of the chroot directory.

For example (using the OP usernames/uids):
/etc/passwd:

backup:x:1002:1003::/home/backup:/sbin/nologin

Create directory /home/backup, owned by root
Create directory /home/backup/.ssh, change ownership to backup, chmod 700 /home/backup/.ssh
Copy the authorized_keys file to /home/backup/.ssh, chmod 400 authorized_keys

ls -laR /home

/home:
total 12
drwxr-xr-x 3 root     root      4096 Jul  9 12:25 .
drwxr-xr-x 3 root     root      4096 Sep 22 2014  ..
drwxr-xr-x 3 root     root      4096 Jul  9 12:25 backup

/home/backup:
total 12
drwxr-xr-x 3 root     root      4096 Jul  9 12:25 .
drwxr-xr-x 3 root     root      4096 Jul  9 12:25 ..
drwx------ 3 backup   sftpusers 4096 Jul  9 12:28 .ssh

/home/backup/.ssh:
total 12
drwx------ 3 backup   sftpusers 4096 Jul  9 12:28 .
drwxr-xr-x 3 root     root      4096 Jul  9 12:25 ..
-r-------- 3 backup   sftpusers 391  Jul  9 12:29 authorized_keys

/etc/ssh/sshd_config becomes:

Match Group sftpusers
  ChrootDirectory /sftp/%u
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

The chroot directory structure is then:

ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x  3 root root 4096 May  3 16:55 .
drwxr-xr-x 23 root root 4096 May  3 14:46 ..
drwxr-xr-x  3 root root 4096 May  3 16:45 backup

/sftp/backup:
total 12
drwxr-xr-x 3 root     root      4096 May  3 16:45 .
drwxr-xr-x 3 root     root      4096 May  3 16:55 ..
drwxr-xr-x 3 backup   sftpusers 4096 May  3 16:55 incoming
drwxr-xr-x 3 root     root      4096 May  3 16:55 home

/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May  3 16:55 .
drwxr-xr-x 3 root     root      4096 May  3 16:45 ..

/sftp/backup/home:
total 12
drwxr-xr-x 3 root     root      4096 May  3 16:55 .
drwxr-xr-x 3 root     root      4096 May  3 16:45 ..
drwx------ 2 backup   sftpusers 4096 May  3 21:06 backup

/sftp/backup/home/backup:
total 12
drwx------ 3 backup   sftpusers 4096 May  3 21:06 .
drwxr-xr-x 3 root     root      4096 May  3 16:55 ..

Note: /sftp/backup/home/backup is empty, it's only there to provide a path that will look like the non-chroot /home/backup -- the .ssh directory is /home/backup/.ssh not /sftp/backup/home/backup/.ssh

It's worth mentioning that SELinux can bite you on Redhat distros. I found I needed to run `restorecon -R /home/backup/.ssh` in order to fix an 'Permission denied' error I was seeing in the sshd debug output. — IanB, Oct 06 '15 at 04:17

score 13 · Answer 2 · answered May 03 '14 at 22:42

13

Problem resolved.

I have changed it: AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys to: AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys

answered May 03 '14 at 22:42

user3461823

1,303
2
11
17

score 1 · Answer 3 · answered Jan 10 '20 at 06:34

Stephen Buchanan's answer (which works around RHEL6's inability to set AuthorizedKeys in a Match block) splits keys into /home and contents into /sftp, but it is possible to keep everything together under /home instead.

You do this by creating the user's chroot under their home directory. For example, in sshd_config, set the chroot to /home/<user>/sftp:

Match Group sftphome
  ChrootDirectory /home/%u/sftp
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

As before, ensure /home/<user> is owned by root and place .ssh keys in /home/<user>/.ssh such that the user has read permissions. Now create /home/<user>/sftp/home/<user>, with all directories owned by root except for the last <user>, which should be owned by the user. Finally, ensure the user's home directory is /home/<user> in /etc/passwd.

Now when the user logs in, the ssh key is looked up in /home/<user>/.ssh as per /etc/passwd, a chroot is done into /home/<user>/sftp, and then a cd is done into /home/<user> inside the chroot. In other words, the user's remote working directory will appear as /home/<user>.

You can optionally bind mount directories under /home/<user>/sftp/home/<user>, or anywhere under /home/<user>/sftp (which is / from the user's point of view).

It's possible to omit the sftp/ directory, create /home/<user>/home/<user> and chroot into /home/<user>, but this can be confusing as the .ssh directory and any other files will show up for the user in their /. The sftp/ directory keeps things clean.

Note: In practice, if a user's home directory is missing, sftp will normally just cd into /. You could abuse this property by not creating /home/<user> inside the chroot, so the user starts in / instead of /home/<user>. This is a bit fragile, but could come in handy.

score 0 · Answer 4 · answered Jul 13 '22 at 18:23

0

You need to add AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys in your /etc/ssh/sshd_config file. It is better if you added it in the match block.

answered Jul 13 '22 at 18:23

Pedro Fernandez

1

Public key authorization on sftp chroot directory

4 Answers4