Question

Locked myself out of server - I think

In an attempt to create a new user and restrict its access to SFTP, and access only to a specified directory, I found the question referenced in the link on the next line. Following the solution posted to this question (https://www.digitalocean.com/community/questions/how-do-i-restrict-a-user-to-a-specific-directory) I successfully created a new user and group which I want to restrict to a specified “home” directory.

I followed each step carefully, including the second part of Step 5, which states, “If that line does not exist, …” and since the line DOES exist, I did not include the below text in my SSHD config:

Subsystem sftp internal-sftp

Match group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp

I continued following the step-by-step and restarted SSH. I checked to make sure the user existed in the correct directory with ‘/etc/passwd’ and it all checked out. Created a new droplet for this user in my FTP program and it wouldn’t log in. Went back to Terminal and my connection (from sudoer) was broken. Login with the new user didn’t work, as I had hoped; but then login from the sudoer didn’t work either: connection refused. Login with root returned the same results.

I am really hoping this is not as bad as it seems, and hoping someone here can help out.

Thanks! River



@theRiver

SFTP and FTP are entirely different protocols, so if you’re attempting to log in using FTP without FTP set up, the login will fail. Likewise, the same would apply if you were trying to log in using SFTP when FTP was the only method available.

When you try to log in using SFTP, you must use the same port that you use to log in to SSH. If you’ve not changed that port, it’d be 22 (as 22 is the default port for SSH).

Depending on what you’re using to log in, you may also need to explicitly specify SFTP as the means of login. I know FileZilla differentiates between the two via a drop-down menu.

Hi @jtittle

I managed to get back into my server via my sudoer. (Apparently it is just a temporary connection refusal for 15 minutes or so; perhaps a security protocol with my VPS provider.) Here is what my SSHD config file looks like now:

UsePAM yes

Subsystem sftp internal-sftp
    Match group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes

After writing and quitting, and restarting the SSH service, I was able to log in with root via SFTP. I then tried to log in with the user I had created in the group sftpusers, with the specified root directory entered into the appropriate field in my FTP program. The password was not accepted, so I tried removing the root directory. The connection was refused and now I am completely blocked from my server again, kicking me out of my sudo SSH connection in Terminal as well.

What have I done wrong?

Thanks, River

@theRiver

That’s actually one of the mini-guides I wrote, so I’ll do my best to help where possible :-).

The first thing to note is that spacing matters, so when you see:

Subsystem sftp internal-sftp
Match group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp

You need to use the same spacing that I used in the guide. I use a standard tab, which is 4 spaces.

If you are using password-based authentication, I’d recommend using this instead (again, indent the second through sixth lines with four spaces).

Match group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes

The above needs to go below:

UsePAM yes

So what you should end up with is something that looks like this:

Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Applies only to members of sftpusers; Subsystem stays at the top level,
# since sshd does not accept it inside a Match block.
Match group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes

Once the changes have been made, restart ssh using service ssh restart. You should be able to use password authentication on users that you’ve added to the sftpusers group as of now if the users have been configured correctly.

If you are trying to create an SFTP user who is also a sudo user (which I don’t recommend, for the sake of security), you need to append the user to the group instead of adding them as is shown in that guide.

For example, let’s say we created a user named jtittle (my username here on the community):

useradd -d /home/jtittle jtittle

If I wanted to add that user to the sudo group, I’d append that group on so I don’t change the main group (which would be jtittle).

usermod -aG sudo jtittle

Now if I wanted to add that user to the sftpusers group as well, I’d append that group using -aG again.

usermod -aG sftpusers jtittle

I’m active here in the community, so don’t be afraid to @jtittle tag me if you see a post of mine and want to flag me with the question :-).
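A pre-restart check for the kind of sshd_config edit discussed in this thread, added here as an example rather than code from the thread or the linked guide. It parses the file the way sshd scopes it (only a Match line opens a block, indentation is ignored), flags directives sshd refuses inside a Match block, and confirms the sftpusers block carries its chroot lines; the function names and both sample configs are constructed.

```shell
# Added example, not code from the thread or the linked guide; function names and
# the two sample configs are constructed. lint_sshd_config reads an sshd_config
# on stdin and flags (a) directives sshd refuses inside a Match block, which makes
# "service ssh restart" fail, and (b) an sftpusers block missing its chroot lines.
lint_sshd_config() {
    awk '
    BEGIN { top["subsystem"] = top["usepam"] = top["port"] = top["listenaddress"] = 1 }
    NF == 0 || $1 ~ /^#/ { next }              # blanks and comments
    {
        key = tolower($1)
        if (key == "match") {                  # only Match scopes a block;
            end_block()                        # indentation means nothing to sshd
            in_match = 1; sftp = (tolower($0) ~ /sftpusers/); chroot = force = 0
            next
        }
        if (!in_match) next
        if (key in top) { printf "line %d: %s not allowed in a Match block\n", NR, $1; bad = 1 }
        if (key == "chrootdirectory") chroot = 1
        if (key == "forcecommand" && tolower($2) == "internal-sftp") force = 1
    }
    function end_block() {
        if (in_match && sftp && !(chroot && force)) {
            print "sftpusers block needs ChrootDirectory and ForceCommand internal-sftp"; bad = 1
        }
    }
    END { end_block(); exit bad }'
}

# Constructed samples: Subsystem repeated inside Match (bad) vs. at top level (good).
sample_config() {
    if [ "$1" = bad ]; then extra="    Subsystem sftp internal-sftp"; else extra=""; fi
    printf '%s\n' "Subsystem sftp internal-sftp" "UsePAM yes" "Match group sftpusers" \
        "$extra" "    ChrootDirectory %h" "    ForceCommand internal-sftp" \
        "    PasswordAuthentication yes"
}

# Run before every restart and keep the current session open until a second
# login works: lint first, then sshd's own parser (sshd -t), then restart.
safe_sshd_restart() {
    lint_sshd_config < /etc/ssh/sshd_config && sshd -t && service ssh restart
}

sample_config bad  | lint_sshd_config || echo "bad sample: fix before restarting"
sample_config good | lint_sshd_config && echo "good sample: ok"
```

The lint only covers the mistakes this thread turns on; `sshd -t` remains the authoritative syntax check, and it reports the exact offending line.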