0

I use proFTPD on Debian 8. For some reasons I need users that can only access their document root. I already configured this and it works, but only when I connect via FTP.

If the user connects over SFTP, he will be able to access the entire FTP.

How can I do it?

EDIT:

I found how to correct my problem.

1) I stopped proFTPD because it caused problems. I switched to the default SSH server of my Debian server.

2) All of the folders are owned by root:root and with 755 perms. In my case, they were /, /var, /var/www, and /var/www/dev.

3) The SSHD config was:

Subsystem sftp internal-sftp

Match Group dev
    ChrootDirectory /var/www/dev
    ForceCommand internal-sftp
    AllowTcpForwarding no

Matancy
  • 105

2 Answers

0

In order to make a secure connection to an FTP server, you can use any application that supports SFTP. SFTP (commonly referred to as Secure File Transfer Protocol) can perform secure file transfers.

  • Yes, I do that, but how can I deactivate SFTP on proFTPD? – Matancy Mar 08 '20 at 16:50
  • IMHO proFTPD is delivering FTPS and not SFTP; these are 2 different protocol handlings: the first works with FTP over SSL/TLS and the other on 22 SSH – djdomi Mar 15 '20 at 22:02
0

If you want to restrict some SFTP users to a subdirectory of your filesystem, you can use the ChrootDirectory option in your OpenSSH server config.

Let's assume you want to restrict the users of group ftp-users to access only the /var/ftp/%username% directory (where %username% is their username). Then you could use:

Subsystem sftp internal-sftp
Match group ftp-users
    ChrootDirectory /var/ftp/%u

In the ChrootDirectory option you can use %u for the username, %U for the user id or %h for the user's home directory.

  • Thanks for your reply. But in my case, it doesn't work. This is my config:

    Match Group dev
        ChrootDirectory /var/www/dev
        ForceCommand internal-sftp
        AllowTcpForwarding no

    – Matancy Mar 08 '20 at 21:09
  • The config looks alright. Did you restart the ssh server? What are the logs saying? – Piotr P. Karwasz Mar 08 '20 at 21:15
  • Yes, I restarted the server at every modification. I looked at /var/log and didn't find auth.log. Is that normal? – Matancy Mar 08 '20 at 21:18
  • It depends on /etc/rsyslog.conf, but usually facility auth and authpriv are logged to /var/log/auth.log. You can also try journalctl -u ssh. Regarding the config: only the first matching Match stanza is applied, maybe you have several. – Piotr P. Karwasz Mar 08 '20 at 21:22
  • Hello, I have tried your configuration but it doesn't work. In my logs there is: fatal: bad ownership or modes for chroot directory component "/var/www/dev/" But I gave root:root to the folder and 777 for the perms. – Matancy Mar 14 '20 at 09:45
  • The permissions are the problem: all components of /var/www/dev (i.e. /, /var, /var/www and /var/www/dev) must be owned by root and not writable by anyone else (so 755). This guarantees that the user cannot escape the chroot. Of course you want your users to be able to write to /var/www/dev, so check this question about sftp permissions. – Piotr P. Karwasz Mar 14 '20 at 14:36
  • Thanks for your reply. But all of these files are already owned by root:root and with 755 perms. I just have this error:

    mars 15 14:29:00 VPS sshd[2686]: Accepted password for dev_cpm_connect from XX.XX.XX.XX port XXXXX ssh2
    mars 15 14:29:00 VPS sshd[2686]: pam_unix(sshd:session): session opened for user dev_cpm_connect by (uid=0)
    mars 15 14:29:00 VPS sshd[2688]: subsystem request for sftp by user dev_cpm_connect failed, subsystem not found
    mars 15 14:29:00 VPS sshd[2686]: pam_unix(sshd:session): session closed for user dev_cpm_connect

    – Matancy Mar 15 '20 at 13:31
  • Check whether you have the Subsystem option in your configuration. internal-sftp is absent on old releases of ssh (cf. this answer by Martin Prikryl), but it should be present on Debian 8. – Piotr P. Karwasz Mar 15 '20 at 16:17
  • Thanks for your help! Now it works! – Matancy Mar 15 '20 at 20:27
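The "bad ownership or modes for chroot directory component" error discussed in the comments above comes from a check sshd runs on every directory between / and the ChrootDirectory: each one must be owned by root and must not be group- or world-writable, since a writable component would let the chrooted user rearrange the path and break out. The script below is an added example, not code from the question or either answer: it re-implements that check as an administrator's pre-flight test so the layout can be verified before restarting sshd. It assumes GNU coreutils stat(1) as shipped on Debian and takes the chroot path as its single argument.

```shell
#!/bin/sh
# Added example (not from the question or the answers): pre-flight check for
# the ownership/mode rule sshd enforces on every component of ChrootDirectory.
# Assumes GNU coreutils stat(1) with -c (Debian). Exit status 0 = all good.

# component_ok UID MODE -> 0 if a directory with this numeric owner and this
# octal mode string (as printed by `stat -c %a`, e.g. "755" or "1777") would be
# accepted by sshd: owned by root, no group-write bit, no other-write bit.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # The leading 0 makes the shell read the mode as octal; 022 (octal) masks
    # the group-write (020) and other-write (002) bits. Any set bit fails.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# path_components PATH -> prints /, /a, /a/b, ... one per line for an absolute
# path, i.e. every ancestor sshd will inspect, from the root down.
path_components() {
    prefix=""
    echo /
    old_ifs=$IFS
    IFS=/
    for comp in $1; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        echo "$prefix"
    done
    IFS=$old_ifs
}

# check_chroot_path PATH -> 0 if every component passes, 1 otherwise.
# Prints one verdict line per component so the offending directory is obvious.
# (Paths containing whitespace are not handled; sshd chroot paths rarely do.)
check_chroot_path() {
    status=0
    for dir in $(path_components "$1"); do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            status=1
            continue
        fi
        uid=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        if component_ok "$uid" "$mode"; then
            echo "ok      $dir (uid=$uid mode=$mode)"
        else
            echo "BAD     $dir (uid=$uid mode=$mode): must be root-owned and not group/world-writable"
            status=1
        fi
    done
    return $status
}

# Usage: sh check_chroot.sh /var/www/dev
if [ -n "$1" ]; then
    check_chroot_path "$1"
fi
```

Because the chroot directory itself must stay root-owned and 755, the user cannot write into it directly; the usual layout is a root-owned chroot (for example /var/www/dev) containing a subdirectory owned by the SFTP user or group, which is where uploads go. Run the script against the ChrootDirectory value, fix every line marked BAD, then restart sshd and retest the login.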