Old 25th June 2008
luismi
New User
 
Join Date: Jun 2008
Posts: 1
obsd 4.3 chrooted sftp permissions?

Hi there

I've been trying for a couple of days to set up chrooted sftp access to a test obsd machine running apache. Ideally I would like to grant group access to update some web content, but after checking everything I found, I'm still unsuccessful.

Here are the relevant details ...

Code:
# OpenBSD 4.3 GENERIC#0 i386

# group, user, password and chroot directory used below
SFTPG=webgroup
SFTPU=webadmin
SFTPP=webadminpass
SFTPD=/var/www/htdocs/project

mkdir $SFTPD
groupadd -v $SFTPG
# home is / (inside the chroot), no login shell, blowfish-hashed password
useradd -c "webadmin user" -d / -g $SFTPG -p $(encrypt -b 6 $SFTPP) -s /sbin/nologin $SFTPU

# chroot directory: owned by root, group can read/traverse but not write
chown root:$SFTPG $SFTPD
chmod 0755 $SFTPD
Code:
# /etc/ssh/sshd_config
# ($SFTPG and $SFTPD stand for the literal values webgroup and
#  /var/www/htdocs/project; sshd_config does not expand shell variables)

#Subsystem	sftp	/usr/libexec/sftp-server
Subsystem  sftp  internal-sftp

Match group $SFTPG
	ChrootDirectory $SFTPD
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp
Code:
kill -HUP `cat /var/run/sshd.pid`
So, with the above setup, I'm granted access as 'webadmin' but I don't have any write permissions.

Any attempt to change the group permissions (chmod g+w $SFTPD or similar) results in NOT being able to start a session:

Code:
psftp -v -l webadmin -pw webadminpass 192.168.1.50
Looking up host "192.168.1.50"
Connecting to 192.168.1.50 port 22
Server version: SSH-2.0-OpenSSH_4.8
We claim version: SSH-2.0-PuTTY_Release_0.60
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 b6:fb:6a:7b:ea:5e:1a:71:52:c9:a5:c5:d8:fa:61:27
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "webadmin".
Keyboard-interactive authentication refused
Sent password
Access granted
Server unexpectedly closed network connection
Fatal: Server unexpectedly closed network connection
I feel it must be something very obvious, but I just don't see it.

Any comments/remarks are most welcome
Luismi

Last edited by luismi; 25th June 2008 at 07:15 PM.