Problem with setting SFTP server

Hello,

Using this guide, I'm trying to set a specific folder restricted SFTP access on my OpenWrt device. I have no problems installing OpenSSH, configuring users etc., but restricting access to a specific folder using the ChrootDirectory option does not work. After setting it, different SFTP clients return different error messages like can't get real path of "/" (WinSCP) or "failed to resolve home directory" (PuTTY).

I know that the problem probably lies in the folder access permissions. However, I've tried many combinations of the permissions (/home/, /home/user/ 0755, 0775, …) without success. On the internet, one can easily find many topics of people who have similar problems with OpenSSH and chroot. I've read and tried almost everything I could find, but without any progress whatsoever.

Could someone who really got it working tell the exact steps how he did it?

Pretty decent guide... but the chown/chgrp/chmod parts are all over the place. I'd be surprised if anyone without some background could extrapolate.

Your intended result and current config could use clarification, in order to best facilitate response.


My intended result is a working SFTP server on OpenWRT; users should have access limited to their home directory only. This should be achieved through the ChrootDirectory option.

Well, my configuration… At first, I must say that I've been trying different configurations for two days without success. It is complicated to put here everything I have tried. But the simplest configuration which should (and does not) work is:

OpenWrt 18.06.4

  1. openssh-server and openssh-sftp-server packages installed, enabled and started; dropbear disabled

  2. Created user client1, home directory /home/client1 set, usermod -s /bin/false client1 set

  3. In /etc/ssh/sshd_config:

Port 22
Subsystem sftp internal-sftp
…
[rest at the end of the file]
Match User client1
ForceCommand internal-sftp
ChrootDirectory %h
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
AllowAgentForwarding no

  4. /etc/init.d/sshd restart

  5. chown root:root /home
    chown root:root /home/client1

  6. chmod 775 /home
    chmod 775 /home/client1

  7. Device reboot

All this with the result depicted in the first topic. Without the ChrootDirectory option it does work, but the user has unlimited access to the whole root directory. I have also tried setting chroot for a group (and assigning users to the group) with exactly the same result.

Many people have trouble with this, as you could easily find using Google.


No one tried this?

/usr/sbin/sshd -d
sftp -vvv -P 22 -F /dev/null -o 'StrictHostKeyChecking no' -o 'UserKnownHostsFile=/dev/null' client1@10.2.3.11
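As an added example (not part of the thread and not from the guide it refers to): sshd_config(5) states that every component of the ChrootDirectory path must be a root-owned directory that is not writable by any other user or group. The script below checks a path such as /home/client1 against that rule; the function names and the optional UID argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Usage: sh thisfile /home/client1
# Rule checked (sshd_config(5), ChrootDirectory): each path component must be
# a directory owned by root with no group or other write bit.

# check_component DIR [UID]: check one directory. UID defaults to 0 (root);
# the argument exists only so the check can be exercised without root.
check_component() {
    dir=$1 want_uid=${2:-0}
    # ls -ldn prints e.g. "drwxrwxr-x 3 0 0 ..."; field 3 is the numeric owner.
    # A symlinked component shows as type "l": check its target separately.
    ls -ldn "$dir" 2>/dev/null | (
        read -r perms links owner rest || { echo "FAIL $dir: cannot stat"; exit 1; }
        case $perms in
            d*) ;;
            *) echo "FAIL $dir: not a directory"; exit 1 ;;
        esac
        [ "$owner" = "$want_uid" ] || {
            echo "FAIL $dir: owner uid $owner, want $want_uid"; exit 1; }
        case $perms in
            # character 6 is group write, character 9 is other write
            d????w*|d???????w*)
                echo "FAIL $dir: group/other writable ($perms)"; exit 1 ;;
        esac
        echo "ok   $dir ($perms uid $owner)"
    )
}

# check_chroot_path PATH [UID]: check "/" and every component down to PATH.
check_chroot_path() {
    target=$1 uid=${2:-0} cur= rc=0
    check_component / "$uid" || rc=1
    old_ifs=$IFS; IFS=/
    set -- $target              # split the path on "/"
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        check_component "$cur" "$uid" || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then check_chroot_path "$@"; fi
```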