I’m trying to set up an SFTP server on AWS that multiple customers can use to upload data securely. It is important that they are not able to see the data of any other customer, and to do that I need to jail the directories with ChrootDirectory in
My sshd_config has the following:
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home/chroot/ftptest/
    AllowTcpForwarding no
    ForceCommand internal-sftp
If I comment out the ChrootDirectory line everything works fine, except that you can see all the files on the system. I configured everything based on the instructions here using vsftpd. I am using ssh keys to control access to each of the customer accounts, as per Amazon’s instructions. I am using the Amazon AMI.
Edit: I changed the chroot directory to /home/chroot/ftptest/ and created directories with the following permissions:
ls -ld / /home /home/chroot /home/chroot/ftptest/
dr-xr-xr-x 25 root    root    4096 Feb 23 03:28 /
drwxr-xr-x  6 root    root    4096 Feb 23 20:26 /home
drwx--x--x  3 root    root    4096 Feb 23 20:27 /home/chroot
drwxr-xr-x  2 ftptest ftptest 4096 Feb 23 20:27 /home/chroot/ftptest/
It’s still not working. In /var/log/secure I see
Authentication refused: bad ownership or modes for directory /home/ftptest
even though /home/ftptest isn’t the directory I am trying to chroot to. Why would it be throwing an error for that directory? Could this be an issue with the ~/.ssh directory?
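Added example, not part of the question above: sshd applies two separate ownership/mode rules here. The ChrootDirectory rule requires every component of the chroot path to be root-owned and not writable by group or others; the StrictModes rule, which is the check behind the "bad ownership or modes for directory" message, requires the account's home directory, ~/.ssh and authorized_keys to be owned by root or by the user and not writable by group or others, and it runs during authentication against the account's real home directory, not against the ChrootDirectory. The script below encodes both rules as shell functions and applies the chroot rule to the ls -ld output posted above, embedded as a constructed string so it runs without a real filesystem; the function names are my own, not sshd's.

```shell
#!/bin/sh
# Added example (not from the question): the two ownership/mode rules sshd
# enforces, applied to the ls -ld listing posted in the question.

# Constructed input: the four lines from the question's ls -ld output,
# embedded as a string so the script does not touch a live filesystem.
SAMPLE_LS='dr-xr-xr-x 25 root root 4096 Feb 23 03:28 /
drwxr-xr-x 6 root root 4096 Feb 23 20:26 /home
drwx--x--x 3 root root 4096 Feb 23 20:27 /home/chroot
drwxr-xr-x 2 ftptest ftptest 4096 Feb 23 20:27 /home/chroot/ftptest/'

# True if a symbolic mode such as drwxr-xr-x has the group write bit
# (6th character) or the other write bit (9th character) set.
group_or_world_writable() {
    case $1 in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# ChrootDirectory rule: every path component must be owned by root and must
# not be writable by group or others. Prints "ok" or the reason it fails.
check_chroot_entry() {
    local mode=$1 owner=$2
    if [ "$owner" != root ]; then
        echo "owned by $owner, ChrootDirectory components must be root-owned"
        return 1
    fi
    if group_or_world_writable "$mode"; then
        echo "group- or world-writable ($mode)"
        return 1
    fi
    echo ok
}

# StrictModes rule (the check behind "bad ownership or modes for directory"):
# the user's home directory, ~/.ssh and authorized_keys must be owned by root
# or by the user, and must not be writable by group or others.
check_strictmodes_entry() {
    local mode=$1 owner=$2 user=$3
    if [ "$owner" != root ] && [ "$owner" != "$user" ]; then
        echo "owned by $owner, expected root or $user"
        return 1
    fi
    if group_or_world_writable "$mode"; then
        echo "group- or world-writable ($mode)"
        return 1
    fi
    echo ok
}

# Apply the ChrootDirectory rule to each line of an ls -ld listing (one
# directory per line, path as the last field; paths containing spaces are
# not handled). Returns 1 if any component fails, which is the condition
# under which sshd refuses to chroot and drops the session.
check_chroot_listing() {
    local listing=$1 rc=0 mode links owner group rest path reason
    while read -r mode links owner group rest; do
        [ -n "$mode" ] || continue
        path=${rest##* }
        if reason=$(check_chroot_entry "$mode" "$owner"); then
            echo "ok   $path"
        else
            echo "FAIL $path: $reason"
            rc=1
        fi
    done <<EOF
$listing
EOF
    return $rc
}

check_chroot_listing "$SAMPLE_LS" || echo "ChrootDirectory path rejected: fix the FAIL lines above"
```

Run against the posted listing, the first three components pass and /home/chroot/ftptest/ is flagged because it is owned by ftptest rather than root; a writable customer area inside a root-owned chroot is the usual way to satisfy the rule while still allowing uploads. The directory named in the log message, /home/ftptest, is the account's home and is judged by check_strictmodes_entry, so its ownership and modes, together with those of its .ssh directory and authorized_keys, have to be verified separately from the chroot path.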