Solved: sftp (sshd) in jail, directory listing fails with chroot

Hello,

I have some strange behavior with sftp (sshd); maybe after some update I lost access to the chroot directory.
My system is:
Code:
# uname -a
FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE r354233 GENERIC  arm64

And the relevant part of my sshd_config is:
Code:
# override default of no subsystems
#Subsystem    sftp    /usr/libexec/sftp-server

Subsystem    sftp    internal-sftp -l DEBUG -f AUTH

# Example of overriding settings on a per-user basis
Match Group user
    ChrootDirectory /home/user/ftp
    ForceCommand internal-sftp -l DEBUG -f AUTH
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no
    PermitTTY no

And my home folder:
Code:
# ls -l /home/
drwxr-xr-x  3 root  wheel  512 Sep 27 15:07 user

# ls -l /home/user/
drwxr-xr-x  4 root     wheel     512 Nov  1  2019 ftp

Before, chroot was working well...

But now when I connect to my server via sftp I can't list the directory.
In FileZilla I get this message:
Code:
Connecting to 172.16.0.1...
Status:    Connected to 172.16.0.1
Status:    Retrieving directory listing...
Status:    Listing directory /
Error:    Connection timed out after 20 seconds of inactivity
Error:    Failed to retrieve directory listing

I can connect but can't list the directory.

In the log I can see only:

Code:
Changed root directory to "/home/user/ftp"
debug1: rekey after 4294967296 blocks
debug1: rekey after 4294967296 blocks
debug1: ssh_packet_set_postauth: called
debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch
debug1: server_input_channel_open: ctype session rchan 256 win 2147483647 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request simple@putty.projects.tartarus.org reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req simple@putty.projects.tartarus.org
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
debug1: subsystem: internal-sftp
Starting session: forced-command (config) 'internal-sftp -l DEBUG -f AUTH' for user from 192.168.0.106 port 34978 id 0

If I comment out the "ChrootDirectory /home/user/ftp" parameter, the SFTP server starts to work fine.

Best regards,
 
I think you are using ChrootDirectory wrong; at least the following, described in sshd_config(5), is NOT true in your case:
Code:
     ChrootDirectory
             Specifies the pathname of a directory to chroot(2) to after
             authentication.  At session startup sshd(8) checks that all
             components of the pathname are root-owned directories which are
             not writable by any other user or group.

Re-reading, though, I see that those are owned by root, so it must be something else, possibly:
Code:
             For file transfer sessions using
             SFTP no additional configuration of the environment is necessary
             if the in-process sftp-server is used, though sessions which use
             logging may require /dev/log inside the chroot directory on some
             operating systems (see sftp-server(8) for details).
 
Code:
# pwd
/home
# ls -l
drwxr-xr-x  3 user  user  512 Sep 27 15:07 user
In this case I get the message:
Code:
ftp sshd[53583]: fatal: bad ownership or modes for chroot directory component "/home/user/"
 
Yes, I had this.
Code:
ls -l
drwxr-xr-x  4 root     user   512 Nov  1  2019 ftp

The strange thing is that everything worked before...
 
It's the same behavior, I can't list the directory.
But only if the ChrootDirectory option is enabled.

Code:
$ sftp user@172.16.0.1
Password:
Connected to user@172.16.0.1.
sftp> dir

The pwd command is working:
Code:
$ sftp user@172.16.0.1
Password:
Connected to user@172.16.0.1.
sftp> pwd
Remote working directory: /
sftp> ls
 
Is this inside a jail?
I've tested your configuration inside a VM on 12.1-RELEASE-p10 and it's working as expected.

sshd_config(5)

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory. Arguments to ChrootDirectory accept the tokens described in the TOKENS section.

The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), and tty(4) devices. For file transfer sessions using SFTP no additional configuration of the environment is necessary if the in-process sftp-server is used, though sessions which use logging may require /dev/log inside the chroot directory on some operating systems (see sftp-server(8) for details).

For safety, it is very important that the directory hierarchy be prevented from modification by other processes on the system (especially those outside the jail). Misconfiguration can lead to unsafe environments which sshd(8) cannot detect.

The default is none, indicating not to chroot(2).
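The ownership rule quoted above (every component root-owned and not group/other writable) is what produces the "bad ownership or modes for chroot directory component" fatal seen earlier in the thread. The following is an added example, not code from the thread or from OpenSSH: it walks a ChrootDirectory path component by component and reports which one sshd would reject, with a small fake stat table so the two layouts from the thread can be checked without root.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the check can run against a constructed tree.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def fake_stat_from(table):
    """Build a stat function from {path: (uid, mode)}; every entry is a directory."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        uid, mode = table[path]
        return FakeStat(uid, stat.S_IFDIR | mode)
    return _stat


def chroot_components(path):
    """Prefixes sshd walks: '/home/user/ftp' -> ['/', '/home', '/home/user', '/home/user/ftp']."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def check_chroot_path(path, stat_fn=os.stat):
    """Apply the sshd_config(5) ChrootDirectory rule to every path component:
    it must be a directory owned by uid 0 and not writable by group or other.
    Returns a list of problems; an empty list means sshd would accept the path."""
    problems = []
    for comp in chroot_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc})")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
            continue
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & 0o022:
            problems.append(f"{comp}: mode {oct(st.st_mode & 0o777)} is group/other writable")
    return problems


if __name__ == "__main__":
    # Constructed trees mirroring the two layouts shown in the thread (uid 1001 is made up).
    good = {"/": (0, 0o755), "/home": (0, 0o755), "/home/user": (0, 0o755), "/home/user/ftp": (0, 0o755)}
    bad = dict(good, **{"/home/user": (1001, 0o755)})
    print("root-owned tree:", check_chroot_path("/home/user/ftp", fake_stat_from(good)))
    print("user-owned tree:", check_chroot_path("/home/user/ftp", fake_stat_from(bad)))
    print("live check:", check_chroot_path("/home/user/ftp"))
```

Run it with the default `stat_fn` on the jail itself to check the real path; the fake table is only there to show what each violation looks like.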
 
Yes, it's inside a jail.
Of course I have pf configured on the host system.
But this is not a pf issue; I can connect via sftp without the chroot option.

Yes, the configuration is correct; it was working before.
But now I have some problem with this chroot, and I can't understand why.

Also, I don't see any messages in the log files.
 
Just for the test, create the same configuration on the host. I suspect that the issue is in the jail, as it's missing some of the /dev access.
 
Today I was able to reboot the server and all jails.
I still have the same issue.
I'm pretty sure sftp will work well on the host. But I'll try...
 
I re-installed the jail and sftp (sshd) started to work well with the same configuration.
Thanks for your help.
 