#StackBounty: #amazon-ec2 #amazon-web-services #sftp #chroot #vsftpd Enabling ChrootDirectory breaks my SFTP on AWS, gives error for wr…

Bounty: 50

I’m trying to set up an SFTP server on AWS that multiple customers can use to upload data securely. It is important that they are not able to see the data of any other customer, and to do that I need to jail the directories with ChrootDirectory in

My sshd_config has the following:

Subsystem sftp internal-sftp
Match Group sftponly
        ChrootDirectory /home/chroot/ftptest/
        AllowTcpForwarding no
        ForceCommand internal-sftp

If I comment out the ChrootDirectory line everything works fine, except that you can see all the files on the system. I configured everything based off of the instructions here using vsftpd, and I am using ssh keys to control access to each of the customer accounts, as per Amazon’s instructions. I am using the Amazon AMI.

Edit: I changed the chroot directory to /home/chroot/ftptest/ and created directories with the following permissions:

ls -ld / /home /home/chroot /home/chroot/ftptest/
dr-xr-xr-x 25 root    root    4096 Feb 23 03:28 /
drwxr-xr-x  6 root    root    4096 Feb 23 20:26 /home
drwx--x--x  3 root    root    4096 Feb 23 20:27 /home/chroot
drwxr-xr-x  2 ftptest ftptest 4096 Feb 23 20:27 /home/chroot/ftptest/

It’s still not working. In /var/log/secure I see

Authentication refused: bad ownership or modes for directory /home/ftptest

even though /home/ftptest isn’t the directory I am trying to chroot to. Why would it be throwing an error for that directory? Could this be an issue with the ~/.ssh directory?
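As an added check (example code, not part of the original post and not an OpenSSH tool): the message quoted above is the wording OpenSSH uses when StrictModes rejects the path to authorized_keys, which is why it names the home directory rather than the jail; a ChrootDirectory problem is reported separately as "bad ownership or modes for chroot directory component". The script below emulates both checks in POSIX sh so that the first offending component is named. It assumes GNU stat (with a BSD stat fallback) and that the paths exist. Note that sshd requires every ChrootDirectory component, including the jail itself, to be root-owned and not group- or world-writable, so a jail owned by its user, as in the listing above, fails that check as well.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the two permission
# checks sshd applies in this setup so the offending path is named.
#
#  1. ChrootDirectory: the target and every parent up to / must be owned by
#     root and must not be group- or world-writable.
#  2. StrictModes (on by default): ~/.ssh/authorized_keys, ~/.ssh and the
#     home directory itself must be owned by the user (or root) and must not
#     be group- or world-writable. This is the check behind
#     "Authentication refused: bad ownership or modes for directory ...".
#
# Assumptions: GNU stat (coreutils), BSD stat as fallback; paths exist.

# Print "<uid> <octal mode>" for a path.
uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1"
}

# Exit 0 if an octal mode string has the group or other write bit set,
# i.e. (mode & 022) != 0 in sshd's terms. Operates on the digit string, so
# there is no octal/decimal ambiguity in shell arithmetic.
go_writable() {
    m=000$1                       # pad so very short modes like "0" work
    last2=${m#"${m%??}"}          # last two octal digits: group, other
    g=${last2%?}; o=${last2#?}
    [ $(( $g & 2 )) -ne 0 ] || [ $(( $o & 2 )) -ne 0 ]
}

# Check 1: ChrootDirectory chain. Prints the first offender, returns 1.
check_chroot_chain() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 2; }
    while :; do
        set -- $(uid_mode "$p")
        [ -n "$1" ] || { echo "cannot stat $p" >&2; return 2; }
        if [ "$1" != 0 ]; then
            echo "chroot: $p owned by uid $1, must be root" >&2; return 1
        fi
        if go_writable "$2"; then
            echo "chroot: $p mode $2 is group/world-writable" >&2; return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Check 2: StrictModes on $home/.ssh/authorized_keys for user $uid.
# Walks from the key file up to the home directory and stops there,
# as sshd does, so directories above the home are not examined.
check_strict_modes() {
    home=$1; uid=$2
    p=$home/.ssh/authorized_keys
    while :; do
        set -- $(uid_mode "$p")
        [ -n "$1" ] || { echo "cannot stat $p" >&2; return 2; }
        if [ "$1" != 0 ] && [ "$1" != "$uid" ]; then
            echo "strictmodes: $p owned by uid $1, must be $uid or root" >&2; return 1
        fi
        if go_writable "$2"; then
            echo "strictmodes: bad ownership or modes for $p (mode $2)" >&2; return 1
        fi
        [ "$p" = "$home" ] && return 0
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Usage: sh chrootcheck.sh <chroot-dir> <home-dir> <uid>
# (hypothetical script name; runs both checks when given three arguments)
if [ $# -eq 3 ]; then
    check_chroot_chain "$1"
    check_strict_modes "$2" "$3"
fi
```

For the directories in the post, `check_strict_modes /home/ftptest "$(id -u ftptest)"` reports whatever sshd is objecting to about the home directory (typically a group-writable mode, or ownership by a different uid), and `check_chroot_chain /home/chroot/ftptest` stops at the jail itself because it is owned by ftptest rather than root.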
