DaemonForums > OpenBSD > OpenBSD General

#1  25th June 2008  luismi (New User; Join Date: Jun 2008; Posts: 1)

obsd 4.3 chrooted sftp permissions?

Hi there

I've been trying for a couple of days to set up chrooted sftp access to a test obsd machine running apache. Ideally I would like to grant group access to update some web content, but after checking everything I found, I'm still unsuccessful.

Here are the relevant details ...

# OpenBSD 4.3 GENERIC#0 i386

# Shell variables assumed to be set beforehand (not shown in the post):
#   SFTPD = chroot directory, SFTPG = sftp-only group,
#   SFTPU = sftp user name,   SFTPP = that user's cleartext password
mkdir "$SFTPD"
groupadd -v "$SFTPG"
useradd -c "webadmin user" -d / -g "$SFTPG" -p "$(encrypt -b 6 "$SFTPP")" -s /sbin/nologin "$SFTPU"

# chroot directory: root-owned, 0755
chown "root:$SFTPG" "$SFTPD"
chmod 0755 "$SFTPD"

# /etc/ssh/sshd_config

#Subsystem	sftp	/usr/libexec/sftp-server
Subsystem  sftp  internal-sftp

Match group $SFTPG
	ChrootDirectory $SFTPD
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp

# make sshd re-read its configuration
kill -HUP `cat /var/run/sshd.pid`

So, with the above setup, I'm granted access as 'webadmin' but I don't have any write permissions.

Any attempt to change the group permissions, chmod g+w $SFTPD or similar, results in NOT being able to successfully start a session ...

psftp -v -l webadmin -pw webadminpass
Looking up host ""
Connecting to port 22
Server version: SSH-2.0-OpenSSH_4.8
We claim version: SSH-2.0-PuTTY_Release_0.60
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 b6:fb:6a:7b:ea:5e:1a:71:52:c9:a5:c5:d8:fa:61:27
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "webadmin".
Keyboard-interactive authentication refused
Sent password
Access granted
Server unexpectedly closed network connection
Fatal: Server unexpectedly closed network connection

I feel it must be something very obvious, but I just don't see it.

Any comments/remarks are most welcome

Last edited by luismi; 25th June 2008 at 07:15 PM.
#2  26th June 2008  d0z3r (New User; Join Date: Jun 2008; Posts: 2)

Try to take a look at rksh. It's really functional, even if it is not a real chrooted environment.
#3  26th June 2008  J65nko (Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,132)

The typical problem with a chroot environment is that you need to provide a copy of the necessary configuration into the chroot.

Config files in "/etc" which are normally accessible by a non-chrooted daemon need to be brought into the chroot environment when you run a chrooted version.
In case you haven't seen it, http://www.openbsd.org/faq/faq10.html#httpdchroot has an example.

You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4  11th July 2008  jon4t2 (New User; Join Date: Jul 2008; Posts: 2)

sftp chroot NOT httpd chroot

I'm experiencing the exact problem as luismi. The standard recipe for granting sftp-only access to a directory via "internal-sftp" in OpenSSH (sshd_config mods) lets the user access the directory, but with no write privileges. chmod of the directory breaks the ability to log in to the directory. (sftp seems happy with 755 on my box.)

As I understand the documentation for OpenBSD 4.3, chroot for sftp is independent of chroot for httpd (/var/www). So, I'd be surprised if adding files to ChrootDirectory grants the desired write privileges. The ability to break sftp by chmod-ing ChrootDirectory makes me think that sshd_config may require additional mods.

#5  12th July 2008  jon4t2 (New User; Join Date: Jul 2008; Posts: 2)

Everything's working properly

Hello Again,

A bit more digging on the Web found the answer:

Since the sftponly user (foo) does not own the chroot'ed directory (/home/foo), the user does not have write privileges. So, everything's working properly.

The fix? Create a new directory inside the chroot'ed directory (/home/foo/writeable) and chown it to the sftponly user (chown foo:sftponly /home/foo/writeable).

More thorough descriptions of chroot'ing internal-sftp in OpenSSH can be found at:


The novice (i.e. me) should be careful though, as these are Linux instructions.

I found that using "usermod -d" and "usermod -s" to change the user profile broke the login. However, creating an sftponly group works quite well. With a "Match Group sftponly" instruction in sshd_config, "usermod -g" easily adds a new user to the sftponly group.

Script wizards are encouraged to port the scripts presented in the Gentoo Forum listed above.

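Added example, my own script and not code from the thread or from OpenSSH: a POSIX sh script that checks a ChrootDirectory path the way sshd(8) does (every path component owned by root and not writable by group or others, which is the rule behind the "Server unexpectedly closed network connection" after chmod g+w in post #1) and lays out the fix from post #5 (root-owned 0755 chroot plus a subdirectory owned by the sftp user). It assumes a POSIX sh with ls -n; the names check_chroot_path, setup_sftp_chroot and demo are mine, and the optional expected-uid and stop-directory arguments of the check exist only so it can be run unprivileged on a temporary tree.

```shell
#!/bin/sh
# Added example, not from the thread.  sshd(8) refuses a ChrootDirectory if any
# component of its path is not owned by root or is writable by group/others;
# write access for the sftp user comes from a subdirectory below the chroot.

# check_chroot_path DIR [EXPECTED_UID] [STOP]
#   Walks from DIR up to STOP (default "/") and rejects any component that is
#   not a directory, is not owned by EXPECTED_UID (default 0 = root), or has
#   the group or other write bit set.  EXPECTED_UID and STOP are parameters
#   only so the check can be exercised without root on a temporary tree; for a
#   real ChrootDirectory pass just the directory.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    stop=${3:-/}
    while :; do
        # ls -ldn prints "mode links uid gid ..." with a numeric uid; this is
        # portable across OpenBSD and GNU userlands, unlike stat(1) formats.
        set -f
        set -- $(ls -ldn "$path")
        set +f
        mode=$1
        uid=$3
        case $mode in
            d*) ;;
            *) echo "$path: not a directory ($mode)"; return 1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "$path: owned by uid $uid, expected $want_uid"; return 1
        fi
        # position 6 of the mode string is the group write bit, position 9
        # the other write bit
        case $mode in
            ?????w*|????????w*)
                echo "$path: writable by group or others ($mode)"; return 1 ;;
        esac
        [ "$path" = "$stop" ] && return 0
        parent=$(dirname "$path")
        [ "$parent" = "$path" ] && return 0   # reached the filesystem root
        path=$parent
    done
}

# setup_sftp_chroot CHROOT USER GROUP [SUBDIR]
#   The layout from post #5: the chroot itself stays root-owned and 0755 so
#   sshd accepts it, and a subdirectory owned by the sftp user (group-writable,
#   so other group members can update content too) is the writable area.
#   Must run as root because of the chown to root; the demo below does not
#   call it.
setup_sftp_chroot() {
    chroot_dir=$1; user=$2; group=$3; subdir=${4:-writeable}
    mkdir -p "$chroot_dir/$subdir" || return 1
    chown "root:$group" "$chroot_dir" || return 1
    chmod 0755 "$chroot_dir" || return 1
    chown "$user:$group" "$chroot_dir/$subdir" || return 1
    chmod 0775 "$chroot_dir/$subdir" || return 1
    check_chroot_path "$chroot_dir"
}

# Unprivileged demo on a constructed temporary tree: the 0755 chroot passes,
# the chmod g+w from post #1 is rejected, and the writable subdirectory does
# not affect the result because it lies below the chroot, not on its path.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/chroot/writeable"
    chmod 0755 "$base/chroot"
    chmod 0775 "$base/chroot/writeable"
    me=$(id -u)
    check_chroot_path "$base/chroot" "$me" "$base" && echo "ok: 0755 chroot accepted"
    chmod g+w "$base/chroot"
    check_chroot_path "$base/chroot" "$me" "$base" || echo "rejected, as sshd would"
    rm -rf "$base"
}
demo
```

Against a real chroot run the check with only the directory argument (expected owner root, walk to /); setup_sftp_chroot has to run as root and finishes by running that same check on the directory it just laid out.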

Tags: chmod, chroot, obsd 4.3, permissions, sftp
