Ubuntu – Failed to SFTP connection


I want to configure user ftpuser to sftp for an existing Apache-owned directory /var/www/website.

I added it as a new user and made /var/www/website its home directory:

useradd -md /var/www/website -s /bin/bash ftpuser

in sshd_config:

Subsystem sftp internal-sftp

Match User ftpuser
    ChrootDirectory /var/www/website
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

The directory is now owned by root, and has ACL permissions for the www-data user:

# ls -ltr
   drwxrwx---+  5 root     root     4096 Nov  8  2012 website

# getfacl website/
   # file: website/
   # owner: root
   # group: root

But whenever I try to connect with SFTP, I get the following debug errors:

ftpuser@ftp_server's password: 
debug3: packet_send2: adding 32 (len 80 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to ftp_server ([ftp_server]:22).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cc -1)

debug1: fd 0 clearing O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
Connection to closed by remote host.
Transferred: sent 2408, received 2020 bytes, in 0.0 seconds
Bytes per second: sent 627244.1, received 526176.5
debug1: Exit status -1
Couldn't read packet: Connection reset by peer

Any ideas to troubleshoot that issue?


From /var/log/authz:

fatal: bad ownership or modes for chroot directory component "/var/www/"

Best Answer

Using the ChrootDirectory option in sshd_config requires some basic understanding of written text.

This is a snapshot from the manual page for sshd_config(5):


Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

This is your error log:

fatal: bad ownership or modes for chroot directory component "/var/www/"

And when you add one and one you will understand that not only /var/www/website needs to be owned by root, but also the /var/www and /var directories, as mentioned many times around here.
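
The rule quoted from sshd_config(5) can be checked before reconnecting by walking every component of the ChrootDirectory path. The script below is an added example, not part of the original answer; the function names and the file name `check_chroot.sh` are hypothetical, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, assumes GNU stat (as shipped on Ubuntu).

# component_ok UID MODE: true when owned by root (uid 0) and neither
# group- nor other-writable (octal mode & 022 == 0).
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_one DIR: print a verdict for one path component.
check_one() {
    if [ ! -d "$1" ]; then
        echo "FAIL $1 (not a directory)"; return 1
    fi
    # With a POSIX ACL on the directory, the group bits shown here are the ACL mask.
    set -- "$1" $(stat -c '%u %a' "$1")
    if component_ok "$2" "$3"; then
        echo "ok   $1 (uid=$2 mode=$3)"
    else
        echo "FAIL $1 (uid=$2 mode=$3)"; return 1
    fi
}

# check_chroot_path DIR: test /, then every component down to DIR.
# Returns 0 only if all components pass.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "need an absolute path" >&2; return 2 ;;
    esac
    rest=${1#/}
    path=/
    rc=0
    check_one / || rc=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue
        path=${path%/}/$part
        check_one "$path" || rc=1
    done
    return $rc
}

# Usage: sh check_chroot.sh /var/www/website
[ $# -eq 0 ] || check_chroot_path "$1"
```

Every line marked FAIL is a component sshd would reject with the "bad ownership or modes" message shown in the log above.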
