There may be various ways to accomplish this, but a couple of suggestions are: ii. The username should already be logged at the start and end of the session, and the process id consistent throughout, so some post-processing into a new file might be an option. What am I doing wrong? Match Group ForceCommand internal-sftp -u 73 Or, add the following two lines at the end of the file to configure the sftp umask for a single user. Also locally on server with commandline: sftp -v user localhost cannot connect, same message as filezilla. Logging in chroot When using chroot, there are basically two possibilities. If it is not practical to have the various home directories owned by root, a compromise can be made. As such, permissions can generally be tightened but not loosened.
After fixing the above two, I can remote ssh login, however, that ssh session will be closed immediately once I login. The ssh daemon will refuse login attempts with the following error if the write permission is granted. Rather than commenting everything out which is not compatible, simply move any sections which include a Match directive to the end of the config file. Most administrators govern the chroot on a per-user or per-group basis. This would be really cool for a user to be able to do without the intervention of the system manager.
This may not be as straightforward because in most cases home directories aren't owned by root and allow writing by at least one user. I wanted to lock the user so that it would not be able to navigate through the whole file system, no ssh login access, and I wanted to have write access to the network share. When I came across the solution I thought it was too good to be true. The chroot and all its components must be root-owned directories that are not writable by any other user or group. I get the same error as the initial question above. See the batchfile option -b in for details.
Best regards, Don hi Don, thanks for your thorough answer! To apply the new configuration you will need to: systemctl restart ssh. So for most clients, if you want looser permissions on the uploaded file, change them on the client side before uploading. Also I have no idea why I would need group permission to write to a folder owned by the same user. I've created a user called bob and added him to a new group called sftponly. Your chrooted space cannot send the syslog events to the syslog daemon, because it exists outside the chrooted environment. The permissions of the home directory need to be modified for the chroot jail to work.
Comment: I believe the sftp server is started by root when you connect via sftp. See the section for more. So the user can not create new directories or files directly in the home directory. How to Create an Isolated Directory for sftp Files This procedure configures an sftponly directory that you create specifically for sftp transfers. Your users will be jailed in a specific directory which they will not be able to break out of. The weird thing now is: how is it possible it worked before the server restart. Preparing the Account A new sftp only account can now be created and prepared.
An option around this might be using rsyslog or syslog-ng, but unfortunately, I haven't had time to investigate either of these yet. Once logged in they can only ever see their own files. Could anyone tell me how to set the umask for a single sftp user? To allow the user to upload content via sftp, a subdirectory should be created for this purpose. It can prohibit the users from accomplishing other important things there. The amount of bandwidth consumed by the transfers can be reduced using compression.
As described above, the user needs to be assigned to the group used in the Match block. The user itself has no write permission to his home directory. The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. Choose the settings for further restriction of the account based on your needs. It worked for me by adding in specifics for the user I was adding: Match User ftpusername and then ChrootDirectory %h and then ForceCommand internal-sftp. The following creates the mount point, mountpoint, in the home directory if none exists.
Mind the spaces or lack thereof. Because I did not change any configuration options? Earlier versions can do the same thing through the use of a helper script, but this complicates chrooted directories very much. Hi Stoyan, Unfortunately, you are being bitten by the challenges of a chrooted environment. This group can then be assigned to the users who should be restricted to sftp only. That is unless the client does not forward the permissions, in which case only the server's umask will be used. Without ownership restrictions, it is quite feasible to escape the chroot.
But there are edge cases, where there are differences. This depends on the client itself. I was having a very similar error, and fixing my directory permissions fixed the issue for me. While that is very comforting, it also poses some challenges. We are using the Red Hat GUI so it's a little different. In these kinds of directories, it may be useful to give different levels of access to more than just one group. But I was not happy with that since I had to install acl, then configure mount points, etc.