Ubuntu – Failed to SFTP connection

14.04permissionssftpssh

I want to configure user ftpuser to sftp for an existing apache owned directory /var/www/webiste

I added it as new user and made /var/www/webiste its home directory,

useradd -md /var/www/website -s /bin/bash ftpuser

in sshd_config:

Subsystem sftp internal-sftp

Match User ftpuser
    ChrootDirectory /var/www/website
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

The directory is owned now by root, and have acl permissions for www-data user:

# ls -ltr
   drwxrwx---+  5 root     root     4096 Nov  8  2012 website

# getfacl website/
   # file: website/
   # owner: root
   # group: root
   user::rwx
   user:www-data:rwx
   group::rwx
   group:www-data:rwx

But whenever i try to connect with SFTP, i get the following debug errors:

ftpuser@ftp_server's password: 
debug3: packet_send2: adding 32 (len 80 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to ftp_server ([ftp_server]:22).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cc -1)

debug1: fd 0 clearing O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
Connection to 104.237.139.76 closed by remote host.
Transferred: sent 2408, received 2020 bytes, in 0.0 seconds
Bytes per second: sent 627244.1, received 526176.5
debug1: Exit status -1
Couldn't read packet: Connection reset by peer

Any Ideas to troubleshoot that issue?

Edit:

from /var/log/authz:

fatal: bad ownership or modes for chroot directory component "/var/www/"

Best Answer

Using ChrootDirectory option in sshd_config requires some basic understanding of written text.

This is snapshot from manual page for sshd_config(5):

ChrootDirectory

Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

This is your error log:

fatal: bad ownership or modes for chroot directory component "/var/www/"

And when you add one and one you will understand, that not only /var/www/webiste needs to be owned by root, but also /var/www and /var directories, as mentioned many times around here.

The Fix

To get around this you need to revert this change. Luckily, you only need to change one line to do that.

In sshkey.h, around line 50-ish a constant named SSH_RSA_MINIMUM_MODULUS_SIZE is defined. The line should look something like this (arrow points towards line):

  # define EC_POINT void
  #endif /* WITH_OPENSSL */

> #define SSH_RSA_MINIMUM_MODULUS_SIZE  1024
  #define SSH_KEY_MAX_SIGN_DATA_SIZE    (1 << 20)

  struct sshbuf;

All you need to do is change the value of this constant to something lower like 768 (what it was in version 7.5)

I successfully implemented this fix in the latest version (7.9p1) but in theory you could do it to any version between that and 7.6 inclusive.

Best Answer

Related Solutions

Ubuntu – Sftp connection failed, strange error messsage

Ubuntu – SSH Invalid key length on embedded device

The Fix

Related Question