OT: chroot sftp centos 7
Fairlight
fairlite at fairlite.com
Tue Mar 26 18:11:08 PDT 2019
This is way outside the scope of filePro. For that matter, so was the mail
stuff last week.
At this point, you've come to the filePro list for a good percentage of
what should be Linux 101 and done within the scope of a CentOS community,
asking us to help set up your new box. While it's been a form of cheap
amusement to watch you go on this journey, that benefit has outstayed its
welcome, at least for me. In fact, it's annoying the hell out of me,
because you should be either researching your problems, or paying someone
to do it. As someone who does systems administration for a living, I
can say I'm quite irked on principle to see you repeatedly trying to get
something for nothing in terms of systems administration. It's like going
to a professional car mechanics' retreat without being a professional
mechanic yourself, and trying to get your car fixed for free. Insulting
doesn't quite do it justice.
At the -very- least, you should be leaning on a community actually focused
on the platform at hand.
Respectfully, I would suggest you either hire someone who can get it
done, or find a community better suited to handling the *nix-specific
issues you keep running into which are wholly unrelated to filePro
itself. You may use filePro, but these aren't even filePro integration
problems/issues/questions, at this point. These are *nix subsystem and
functionality issues, full stop.
What you've been doing is the equivalent of someone coming in here and
asking how to configure IIS on Windows. It makes about as much sense, and
it's really not the venue.
If this is for a hobby, figure it out. If this is for business, it should
be paid work for someone, past a certain point. You've really been pushing
it lately.
And for the record, stock sftp on CentOS 7 works just fine. I've got it
working on many boxes, and there are no issues as long as permissions and
groups are correct.
/home/ should be root:root 0755.
/home/frontier/ should be root:root 0755.
Under there, you should have subdirectories for file storage and retrieval.
Assume a common idiom of inbound and outbound:
/home/frontier/inbound/ frontier:users 0755
/home/frontier/outbound/ frontier:users 0755
You need those subdirectories, because frontier will not be able to write
directly to a directory owned by root with 0755, which is mandatory.
You do -not- actually need the sftponly group on the subdirectories. That
group serves only as a trigger for sftp jailing.
The user -must- have sftponly as their primary group.
This is the sshd_config section which works for me:
Match group sftponly
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory %h
I wonder if you have /home/ set incorrectly. Aside from ChrootDirectory
expando differences, the rest of what you have looks correct.
I can, however, confirm that sftp works just fine on CentOS 7 with
openssh-7.4p1-16.el7.x86_64. I'm looking directly at a working one which
has been verified and is in production.
mark->
On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via Filepro-list thus spoke:
> Is anyone aware of anything changing as to how to chroot sftp users on
> centos 7?
> I have everything set up identically on the new server and keep getting
> fatal: bad ownership or modes for chroot directory component "/" [postauth]
>
> Everything I know: root has to own the directory in the full path up until the
> chroot directory
>
> The only way I can even get an sftp user to connect is if I make them the owner
> of the /home directory
>
> Old server: this is in /home
>
> drwxr-xr-x 3 root root 4096 Oct 16 11:15 frontier
>
> Then, if you go to /home/frontier:
>
> drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments
>
> sshd_config:
>
> Match Group sftponly
> ChrootDirectory /home/%u
> ForceCommand internal-sftp
> X11Forwarding no
> AllowTcpForwarding no
>
> New server: this is in /home
>
> drwxr-xr-x 4 root root 38 Mar 26 18:17 frontier
>
> Then, if you go to /home/frontier:
>
> drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments
>
> sshd_config has:
>
> Match Group sftponly
> ChrootDirectory /home/%u
> ForceCommand internal-sftp
> X11Forwarding no
> AllowTcpForwarding no
>
> The only thing different on the servers is the UID/GIDs
>
> Old server for frontier:
>
> id frontier
>
> uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)
>
> New server:
>
> id frontier
>
> uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)
>
> Old server, /etc/passwd
> frontier:x:1014:502::/attachments:/bin/false
>
> New server, /etc/passwd
> frontier:x:2043:1503::/attachments:/bin/false
>
> I even tried creating a new group, new user, etc - it's typically straight
> forward, but I can't get any combination to work that others swear works
> for them. This isn't normally difficult but I've been working on this for
> 4 hours and can't get the right combination to seem to work
>
> Has anyone successfully gotten this to work on centos 7?
>
> thanks
> _______________________________________________
> Filepro-list mailing list
> Filepro-list at lists.celestial.com
> Subscribe/Unsubscribe/Subscription Changes
> http://mailman.celestial.com/mailman/listinfo/filepro-list
>
--
Audio panton, cogito singularis.
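Added example, not part of either message above and not OpenSSH's own code: a bash function that replays the test sshd applies to ChrootDirectory before it chroots the user. sshd walks from "/" down to the chroot directory and requires each component to be a directory, owned by uid 0, and not writable by group or others; the first component that fails is the one named in the "bad ownership or modes for chroot directory component" log line, which is why the owner and mode of /home and /home/frontier matter while frontier's writable inbound/outbound subdirectories inside the jail do not. It assumes GNU coreutils stat (as on CentOS 7). The BASE and WANT_UID parameters are my additions so the demo can run unprivileged against a constructed scratch tree; on a real box you would run it as root as check_chroot_path /home/frontier.

```shell
#!/usr/bin/env bash
# Added example (not from the list post, not OpenSSH code): replays the check
# sshd performs on ChrootDirectory. Walking from "/" down to the chroot, every
# component must be a directory, owned by uid 0, and not writable by group or
# others (mode & 022 == 0). The first failing component is the one sshd names in
#   fatal: bad ownership or modes for chroot directory component "..."
set -u

# check_chroot_path TARGET [BASE] [WANT_UID]
#   TARGET   the ChrootDirectory to test, normalized absolute path, e.g. /home/frontier
#   BASE     directory treated as "/" (default /); assumption for the unprivileged demo
#   WANT_UID owner uid demanded (default 0, what sshd requires); demo passes its own uid
# Prints "ok" or an sshd-style diagnostic; returns 0 on success, 1 on failure.
check_chroot_path() {
    local target=$1 base=${2:-/} want_uid=${3:-0}
    local rel comp head uid mode

    case $target in
        "$base"*) ;;
        *) echo "target \"$target\" is not under base \"$base\""; return 2 ;;
    esac
    rel=${target#"$base"}; rel=${rel#/}          # path below BASE, no leading slash
    comp=${base%/}; [ -n "$comp" ] || comp=/     # first component checked is BASE itself

    while :; do
        if [ ! -d "$comp" ]; then
            echo "chroot path component \"$comp\" is not a directory"; return 1
        fi
        uid=$(stat -c %u "$comp") || return 2    # GNU stat: owner uid
        mode=$(stat -c %a "$comp") || return 2   # GNU stat: octal mode, e.g. 755 or 2755
        if [ "$uid" != "$want_uid" ] || [ $(( 8#$mode & 8#022 )) -ne 0 ]; then
            echo "bad ownership or modes for chroot directory component \"$comp\" (uid=$uid mode=$mode)"
            return 1
        fi
        [ -n "$rel" ] || break                   # reached TARGET itself: all good
        head=${rel%%/*}                          # next path component
        if [ "$head" = "$rel" ]; then rel=; else rel=${rel#*/}; fi
        comp=${comp%/}/$head
    done
    echo ok
    return 0
}

# Demo on a constructed scratch tree (so it runs without root): the layout from the
# post, with the scratch dir standing in for "/" and the caller's uid for root.
demo() {
    local scratch me
    scratch=$(mktemp -d) || return 1
    me=$(id -u)
    mkdir -p "$scratch/home/frontier/inbound" "$scratch/home/frontier/outbound"
    chmod 0755 "$scratch" "$scratch/home" "$scratch/home/frontier"
    # subdirectories live inside the jail and are never part of the walk,
    # so their mode/owner do not affect the check
    chmod 0775 "$scratch/home/frontier/inbound" "$scratch/home/frontier/outbound"

    echo "correct layout:"
    check_chroot_path "$scratch/home/frontier" "$scratch" "$me" || true
    echo "after chmod 0775 on the parent (.../home):"
    chmod 0775 "$scratch/home"     # group-writable component on the way down: fatal
    check_chroot_path "$scratch/home/frontier" "$scratch" "$me" || true
    rm -rf "$scratch"
}
demo
```

The walk is top-down like sshd's, so a diagnostic naming "/" means the filesystem root itself failed the owner/mode test, while one naming /home or /home/frontier points at that directory; the directories the user writes into (frontier:users inbound/outbound) are below the chroot and are never inspected.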