- 07-07-2011 #11 Just Joined!
- Join Date
- Jul 2011
- Location
- Cincinnati, OH
- Posts
- 6
There is a great deal of confusion on the net regarding this. Here's the scoop: Your /etc/vsftpd.conf sets the parameters for regular FTP, NOT for SFTP. SFTP is a subsystem of SSH and does not use the settings in /etc/vsftpd.conf. The vsftpd daemon doesn't even have to be running to do SFTP. If you enable "chroot_local_user=YES" in /etc/vsftpd.conf, that will jail users coming in via regular FTP, but NOT SFTP. To do chroot in SFTP, the settings are in /etc/ssh/sshd_config and it depends on what version you have. I've read that you need OpenSSH 5 or newer for it to work with SFTP.
- 07-18-2011 #12
Dear All,
Thank you so much for allocating your time for my problem. Finally I was able to get the thing working using just FTP but not via SFTP. I installed the system-config-vsftpd GUI tool on my server and enabled the "enable list of allowed/denied users and deny user in the list (otherwise allow)" options in the access control section of the FTP Administration GUI. Then I enabled the options "allow local users, change root directory for the users to their home directory and Chrootjail-place only users from list below to 'chroot-jail'" in the users section of the FTP Administration GUI. In the chroot_list file I put the users that are allowed to browse the file hierarchy. It worked fine.
I'm trying to figure out how to get SFTP access working as well, according to your valuable suggestions. I did this since I had a deadline. So again, thank you all for your wonderful help.
Best Regards
amitha
N.B. you have to save your changes twice and reload the changes in FTP administration GUI
- 07-24-2011 #13
I have a follow up for my previous post: If you use SSH to configure chroot jail, you need SSH version 5 or higher.
The directory to which you chroot the user (and I think, any directories above that) must be owned by root and not be writable by the user. Set the directory to 755 and make sure it's owned by root. Then, create a directory one level down from there with write permissions for the user. The configuration is in either /etc/ssh/sshd_config or /etc/sshd_config depending on what version of Unix you are using. In that file, you want:
Subsystem sftp internal-sftp
and
Match User username
ChrootDirectory /directoryname
ForceCommand internal-sftp
There may be other requirements for your version of Linux. I'm using SuSE SLES 10, SP 4.
Last edited by gflorko; 07-25-2011 at 02:21 PM.
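The ownership and permission rule in the post above can be checked before restarting sshd. This is an added example, not part of the original thread: it applies the sshd_config(5) requirement that every component of the ChrootDirectory path be a root-owned directory that is not writable by group or others. The function names and the sample uid 1000 are hypothetical.

```python
import os
import stat
import sys


def component_problems(uid, mode):
    """Reasons sshd would reject one path component, given its owner uid and st_mode."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if uid != 0:
        problems.append(f"owned by uid {uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"group/world-writable (mode {stat.S_IMODE(mode):04o})")
    return problems


def audit_chroot(path):
    """Check every component from / down to path; return [(component, problems)] for failures."""
    current = os.path.abspath(path)
    prefixes = []
    while True:
        prefixes.append(current)
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    failures = []
    for prefix in reversed(prefixes):  # walk top-down, as the path is resolved
        st = os.stat(prefix)
        problems = component_problems(st.st_uid, st.st_mode)
        if problems:
            failures.append((prefix, problems))
    return failures


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real path, e.g. the value given to ChrootDirectory.
        results = audit_chroot(sys.argv[1])
        for component, problems in results:
            print(f"{component}: {'; '.join(problems)}")
        if not results:
            print("all components acceptable")
    else:
        # Constructed sample: a drwxrwxr-x directory owned by a normal user (uid 1000 assumed).
        print(component_problems(1000, stat.S_IFDIR | 0o775))
```

A directory under /tmp fails this check even when the final directory is fixed, because /tmp itself is world-writable.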
- 07-28-2011 #14
Hi gflorko,
I followed what you have mentioned, but connecting using WinSCP gives an authentication failure.
thanks amitha
- 07-28-2011 #15
- 07-29-2011 #16
- 07-29-2011 #17
- 07-29-2011 #18
- 07-29-2011 #19
Well, if you're getting that from a Unix command prompt, you're getting ahead of yourself trying to use WinSCP. You need to get it working in Unix first before trying it from any WinPC client. I would ensure that the directory to which you chroot has Unix permissions of 755 and is owned by root. Also, check to see which version of SSH you have. You need 5 or higher for chroot to work.
- 08-01-2011 #20
Dear Greg,
I'm using Fedora 13 as my server OS, OpenSSH_5.4pl for my ssh server version.
When I type the ls -l command for the user's home directory, which resides in the /tmp/amitha2 folder, the permissions are as follows:
drwxrwxr-x. 2 amitha amitha 4096 Jul 28 14:26 amitha2




