SFTP chroot jail


#1

Hi there

Has anyone been able to get SFTP with a chroot jail setup? I’ve been round and round with this trying different settings and can’t for the life of me get it to work.

I’ve set up the user, permissions and sshd config file and my user can login but I’m getting a “Couldn’t canonicalize: No such file or directory” error on login. I can’t find any reference to this error on the web apart from in reference to a bug when trying to transfer a whole directory. There’s also nothing in the log (under /var/log/messages) to suggest anything is wrong.

For reference, these are the settings I used in sshd:

config match
option type Group
option match users
#option AllowAgentForwarding
option AllowTcpForwarding no
#option AuthorizedKeysFile
#option AuthorizedPrincipalsFile
#option Banner
option ChrootDirectory %h
option ForceCommand internal-sftp
#option GatewayPorts
#option AuthenticationMethods
#option GSSAPIAuthentication
#option HostbasedAuthentication
#option HostbasedUsesNameFromPacketOnly
#option KbdInteractiveAuthentication
#option KerberosAuthentication
#option MaxAuthTries
#option MaxSessions
#option PasswordAuthentication
#option PermitEmptyPasswords
#option PermitOpen
#option PermitRootLogin
option PermitTunnel no
#option PubkeyAuthentication yes
#option RhostsRSAAuthentication
#option RSAAuthentication
#option X11DisplayOffset
option X11Forwarding no
#option X11UseLocalHost

Also, in case it helps anyone, permissions need to be set so that root owns them and they are not writable for any other group (755) for the whole path (including root “/”) up to the chroot directory.

I’m thinking it might work in an LXC container but I’m not sure.

Can anyone help?
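The permission rule above (every directory from / down to the ChrootDirectory must be root-owned and not group/other writable, or sshd refuses to chroot) is easy to get wrong on one component. The following POSIX shell check is an added example, not from this thread or from Turris OS: it walks from the chroot directory up to the top of the filesystem and reports the first component that breaks the rule. The owner and top-of-walk arguments are assumptions added for testing; in real use only the chroot path is needed.

```shell
#!/bin/sh
# Added example (not part of the original post): verify the sshd
# ChrootDirectory permission rule on every path component.
#
# usage: check_chroot_path CHROOT_DIR [OWNER] [TOP]
#   CHROOT_DIR  the directory given as ChrootDirectory (e.g. /home/alice)
#   OWNER       required owner of every component (default: root)
#   TOP         where the upward walk stops (default: /); used here so
#               the check can be exercised inside a temporary tree
# Returns 0 when every component passes, 1 on the first violation.
check_chroot_path() {
    dir=$1
    owner=${2:-root}
    top=${3:-/}

    while :; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            return 1
        fi
        # ls -ld prints: <mode> <links> <owner> <group> ...
        # shellcheck disable=SC2012
        set -- $(ls -ld "$dir")
        mode=$1
        cur_owner=$3

        if [ "$cur_owner" != "$owner" ]; then
            echo "wrong owner on $dir: $cur_owner (expected $owner)" >&2
            return 1
        fi
        # mode string positions: 6 = group write bit, 9 = other write bit
        case $mode in
            ?????w*)    echo "group-writable component: $dir ($mode)" >&2; return 1 ;;
        esac
        case $mode in
            ????????w*) echo "world-writable component: $dir ($mode)" >&2; return 1 ;;
        esac

        # stop at the configured top (or at "/" as a safety net)
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}
```

Run it as `check_chroot_path /home/alice` on the router after adding the user; subdirectories inside the chroot (an upload folder owned by the user) are deliberately not inspected, since sshd only constrains the chroot directory and its ancestors.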


#2

I tried to set up an sftp chroot for one user independently (without looking at your configuration options). My config is different from yours, but the differences are immaterial. I have ended up with the same result when connecting using sftp. User authenticates successfully, but the client exits with:

Couldn't canonicalize: No such file or directory
Need cwd

I triple-checked the whole configuration, the directory permissions up to the chroot directory and I am fairly confident it’s all OK.

Could someone from the Turris team please help? Thanks.


#3

Yes, the only way I could get it to work is to set it up inside a container, which is really not the best solution. There must be an elegant way to make this work directly on the Omnia. In fact, there’s no reason it shouldn’t work.


#4

I have found a work-around. Mounting /proc into the target chroot directory (/home/some_user/proc) helps.
The trouble has been traced using strace. Of course mounting /proc is probably not the best idea when you do chroot.

4411  open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_CLOEXEC|O_PATH) = 3
4411  readlink("/proc/self/fd/3", 0xbea5ccd0, 4095) = -1 ESRCH (No such process)
4411  close(3)