
I have installed vsftpd utility on Fedora 10 to restrict users to their (chroot) home directories. It works fine when I use ftp prompt to connect. However it does not work when I connect using sftp.

What changes are required in order to achieve same functionality with sftp?

Mangesh Jogade
  • Fedora 10 is _very_ old, better update to current Fedora 18. If Fedora's short lifetime is a problem to you, check out CentOS, a Red Hat Enterprise clone. – vonbrand Feb 12 '13 at 13:22
  • Actually this fedora is a testing server. I am trying to implement a POC over there. – Mangesh Jogade Feb 12 '13 at 13:30
  • @Mangesh Jogade: *please* fix your question. You are mixing concepts and you are mixing terms that have only remotely to do with each other. Your comment on my answer was clearer than your actual question. – 0xC0000022L Feb 12 '13 at 16:10

2 Answers


vsftpd is an FTP server implementing the FTP protocol. Some extensions for encryption are available for FTP, but they are completely different from SFTP, which is a subsystem of SSH.

If you want to use sftp, you need to configure a ssh server and enable the sftp subsystem (see the sshd_config man page for details). It's also possible to configure sftp with chrooted user areas.

Stéphane Chazelas

In addition to Stephane's answer I'd like to point out that there is FTPS, too. FTPS is the classic FTP protocol over an SSL-secured connection. If you meant this you'd have to adjust your question of course, but it would be a completely different question then.

There are two variations of FTPS, one where only the control channel is secured (credentials etc) and another where the data channel is secured as well. However, as Stephane already pointed out, the protocols are different, including capabilities and commands.

Concerning your comment. You can configure in /etc/ssh/sshd_config to allow, based on certain criteria, only a certain directory structure. Here's an example that will confine all members of the group sftponly to the /home folder. Adjust to your needs:

Match group sftponly
    ChrootDirectory /home
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    PasswordAuthentication no

As you can see it also sets other options. Strictly speaking, for the functionality you ask for you'd only need this:

Match group sftponly
    ChrootDirectory /home
    ForceCommand internal-sftp

But of course these options prevent users from (ab)using other SSH facilities.

Consult man sshd_config for more details in particular on the Match directive. You can also match per-user, per-host and per (remote) address.

0xC0000022L
  • My requirement is that user should ONLY be able to log in through SFTP. So I need kind of restricted SFTP environment for those users. But again they should be able to create and get files from their home directories. – Mangesh Jogade Feb 12 '13 at 15:57
  • @Mangesh Jogade: added to my answer. But *please* fix your question. There is *no* such thing as SFTPD and I have no idea what you mean by "SFTP prompt". There is an `sftp` subsystem to the `sshd`, that's all. – 0xC0000022L Feb 12 '13 at 16:04
  • I have changed sftpd to vsftpd in my question. And yes I am referring to sftp subsystem only – Mangesh Jogade Feb 13 '13 at 06:37
  • @Mangesh Jogade: so what is unclear about my answer? Any questions? It's of course possible that the version of OpenSSH that comes with Fedora 10 is too old, but you can always build a newer one, of course. – 0xC0000022L Feb 13 '13 at 16:49
  • I tried doing modifications as per your suggestion, however when I write "ChrootDirectory /home" in sshd_config for any user, that user is not able to log in through sftp. Server returns 'Couldn't read packet: Connection reset by peer', not sure why this happens – Mangesh Jogade Feb 14 '13 at 06:50
  • And you have provided no debug output, neither from ssh/sftp client and sshd server. Ah... I can guess... homedir in /etc/passwd is /home/foobar and under /home there is no /home/home/foobar... Magic ball over. – jirib Nov 07 '13 at 14:04
  • Can public key authentication be used for such a user? – Shenal Silva Jul 15 '16 at 15:41
  • @ShenalSilva: absolutely, yes. – 0xC0000022L Jul 18 '16 at 14:32
  • @JiriXichtkniha: although this can be countered by bind-mounting all that's needed into place. I am not 100% certain at which point `sshd` would read from the `passwd` database and at what point it would `chroot`. However, it stands to reason that it would do the `chroot` call only after all else is in place. – 0xC0000022L Jul 18 '16 at 14:34
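As an added example (not code from this answer or from OpenSSH; it assumes bash and GNU coreutils `stat`), here is a pre-flight check for the ChrootDirectory setup above. It verifies the two things that most often break it: the root-owned, non-group/world-writable path that sshd insists on for every component of the chroot, and that the passwd home directory exists relative to the chroot, which is the /home/home/foobar pitfall jirib describes in the comments.

```bash
# Added example, not code from the answer or from OpenSSH. Assumes bash and
# GNU coreutils stat (the -c format). Two things sshd enforces/expects:
#  1. ChrootDirectory and every parent directory must be owned by root and
#     must not be group- or world-writable, or the login is refused.
#  2. sshd chroots first, then uses the passwd home directory *relative to
#     the new root*; with ChrootDirectory /home and a home of /home/foobar
#     the user lands in /home/home/foobar, which usually does not exist.

# Path the user ends up in after the chroot.  Usage: effective_home CHROOT HOME
effective_home() {
    local chroot_dir="${1%/}" home="$2"
    printf '%s/%s\n' "$chroot_dir" "${home#/}"
}

# Succeeds only if the passwd home directory exists inside the chroot.
home_inside_chroot() {
    [ -d "$(effective_home "$1" "$2")" ]
}

# Walk from CHROOT up to /, checking owner and mode of each component.
# Prints the first offending directory and returns 1; returns 0 if all pass.
check_chroot_ownership() {
    local dir="$1" owner mode
    while :; do
        owner=$(stat -c '%u' "$dir") || return 1
        mode=$(stat -c '%a' "$dir") || return 1
        if [ "$owner" != 0 ]; then
            printf 'not owned by root: %s\n' "$dir"; return 1
        fi
        if [ $((8#$mode & 8#022)) -ne 0 ]; then   # 022 = group/other write bits
            printf 'group/world writable: %s\n' "$dir"; return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Full pre-flight check for one user.  Usage: sftp_chroot_check /home sftpuser
sftp_chroot_check() {
    local chroot_dir="$1" user="$2" home
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { printf 'no passwd entry for %s\n' "$user"; return 1; }
    check_chroot_ownership "$chroot_dir" || return 1
    home_inside_chroot "$chroot_dir" "$home" || {
        printf 'home %s not found under chroot: %s missing\n' \
            "$home" "$(effective_home "$chroot_dir" "$home")"; return 1; }
    printf 'ok: %s will land in %s\n' "$user" "$(effective_home "$chroot_dir" "$home")"
}
```

Run `sftp_chroot_check /home someuser` as root before restarting sshd; a non-zero exit names the first directory or path that would make the chrooted login fail.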