# chrooted ssh-user: scp works but no sftp :-(

## derRichard

hi!

i patched openssh3.4 with the chroot-patch and it works fine.

but when i try to login via sftp (with kde's konqueror sftp://user@server) it won't work.

when i use winscp2 in windoof it works fine.

my jail:

```
al ssh_jail # tree
.
|-- bin
|   |-- cp
|   |-- groups
|   |-- id
|   |-- ls
|   |-- mkdir
|   |-- mv
|   |-- rm
|   |-- rmdir
|   |-- scp
|   |-- sftp
|   `-- sh
|-- dev
|   |-- null
|   |-- pts
|   |   |-- 1
|   |   `-- 3
|   |-- tty
|   |-- vc
|   |   |-- 1
|   |   `-- 2
|   `-- zero
|-- doofy
|   `-- New folder
|-- etc
|   |-- group
|   |-- ld.so.cache
|   |-- ld.so.preload
|   |-- nsswitch.conf
|   |-- passwd
|   `-- shadow
|-- lib
|   |-- ld-linux.so.2
|   |-- libc.so.6
|   |-- libcrypt.so.1
|   |-- libdl.so.2
|   |-- libncurses.so.5
|   |-- libnsl.so.1
|   |-- libnss_compat.so.2
|   |-- libpthread.so.0
|   |-- librt.so.1
|   `-- libutil.so.1
`-- usr
    |-- lib
    |   |-- libcrypto.so.0.9.6
    |   `-- libz.so.1
    `-- local
        `-- libexec
            `-- sftp-server

12 directories, 37 files
```

are some files missing?

cu

richard

----------

## kashani

Winscp will make several guesses as to where your sftp-server is. There are a few things you can try.

1. Double check your path

   default location for sftp-server is /usr/lib/mics/sftp-server as specified in /etc/ssh/sshd_config

   Make sure this matches reality or change the path in sshd's config.

2. add a sym link

   I ran into some wackiness using the scponly shell where users couldn't use sftp either. Added a sym link from the real sftp-server to /bin/sftp-server. I believe it was some path problem, but was too lazy to track it down properly.

Hope this helps.

kashani

----------

## derRichard

hi!

it still won't work.

may you know a howto for a chrooted ssh-user...

cu

richard

----------

## kashani

Hmmm what exactly did you try?

The most likely problem is a path to the sftp-server doesn't exist in your chroot environment. I don't see a path to /usr/share/misc or wherever your sshd_config says it should be so it's the obvious culprit. You might want to read this web page for more background info.

http://chrootssh.sourceforge.net/docs/chrootedsftp.html

kashani

----------

## derRichard

so, here you have many details...

first the jail:

```
.
|-- bin
|   |-- cp
|   |-- groups
|   |-- id
|   |-- ls
|   |-- mkdir
|   |-- mv
|   |-- rm
|   |-- rmdir
|   |-- scp
|   |-- sftp
|   |-- sftp-server -> /usr/local/libexec/sftp-server
|   `-- sh
|-- dev
|   |-- null
|   |-- pts
|   |   |-- 1
|   |   `-- 3
|   |-- tty
|   |-- vc
|   |   |-- 1
|   |   `-- 2
|   `-- zero
|-- etc
|   |-- group
|   |-- ld.so.cache
|   |-- ld.so.preload
|   |-- nsswitch.conf
|   `-- passwd
|-- lib
|   |-- ld-linux.so.2
|   |-- libc.so.6
|   |-- libcrypt.so.1
|   |-- libdl.so.2
|   |-- libncurses.so.5
|   |-- libnsl.so.1
|   |-- libnss_compat.so.2
|   |-- libpthread.so.0
|   |-- librt.so.1
|   `-- libutil.so.1
`-- usr
    |-- lib
    |   |-- libcrypto.so.0.9.6
    |   `-- libz.so.1
    `-- local
        `-- libexec
            `-- sftp-server
```

then my sshd_config:

```
richard@al etc $ cat sshd_config
#       $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/sopenssh/ossh/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/sopenssh/ossh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/sopenssh/ossh/etc/ssh_host_rsa_key
#HostKey /opt/sopenssh/ossh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /opt/sopenssh/ossh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /opt/sopenssh/ossh/libexec/sftp-server
```

when i run 

```
sftp user@host
```

comes nothing after i enter the password.

may you see an error in my config...

cu richard

----------

## kashani

 *derRichard wrote:*   

> so, here you have many details...
> 
> # override default of no subsystems
> 
> Subsystem       sftp    /opt/sopenssh/ossh/libexec/sftp-server
> ...

 

You see that line. That's where your sftp-server is. Does that match anything in your jail? Not that I can see. I'd actually verify that your sftp server is even at that location since that's about the wackiest place I've ever seen it installed.

kashani

----------
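
The check kashani describes above (does the `Subsystem sftp` path from sshd_config exist inside the jail?), as an added example that is not part of the thread. It assumes the chroot patch runs the subsystem command after the chroot, so the path is looked up relative to the jail root; the function names and the temporary sample jail are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread; the temporary jail and configs are constructed.

# Print the command configured for "Subsystem sftp" (commented lines never match).
subsystem_sftp_path() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# Map an in-jail path to its host-side file. Absolute symlink targets are re-rooted
# at the jail, as a chrooted process sees them. Only the last component is followed.
resolve_in_jail() {
    local jail="$1" path="$2" hops=0 target
    while [ -L "$jail$path" ]; do
        hops=$((hops + 1)); [ "$hops" -le 16 ] || return 1
        target=$(readlink "$jail$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
    done
    printf '%s\n' "$jail$path"
}

# Succeed only if the configured sftp-server is an executable file inside the jail.
check_jail_sftp() {
    local config="$1" jail="${2%/}" cmd real
    cmd=$(subsystem_sftp_path "$config")
    [ -n "$cmd" ] || { echo "no sftp subsystem in $config"; return 2; }
    real=$(resolve_in_jail "$jail" "$cmd") || { echo "symlink loop: $cmd"; return 1; }
    [ -f "$real" ] && [ -x "$real" ] && { echo "ok: $cmd"; return 0; }
    echo "missing in jail: $cmd"; return 1
}

# Constructed sample: a jail shaped like the one posted, plus two one-line configs.
build_sample() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/jail/bin" "$d/jail/usr/local/libexec"
    printf '#!/bin/sh\n' > "$d/jail/usr/local/libexec/sftp-server"
    chmod +x "$d/jail/usr/local/libexec/sftp-server"
    ln -s /usr/local/libexec/sftp-server "$d/jail/bin/sftp-server"
    echo 'Subsystem sftp /opt/sopenssh/ossh/libexec/sftp-server' > "$d/posted.conf"
    echo 'Subsystem sftp /bin/sftp-server' > "$d/symlink.conf"
    echo "$d"
}

d=$(build_sample)
for c in posted symlink; do check_jail_sftp "$d/$c.conf" "$d/jail" || true; done
rm -rf "$d"
```

The symlink case is the one a plain `ls -L` from the host gets wrong: `bin/sftp-server -> /usr/local/libexec/sftp-server` points at the host's file when followed from outside the jail, and at the jail's copy when followed from inside it.
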

## derRichard

now i set the path to the sftp-server to the jail but there is still the error...

```
Subsystem       sftp    /ssh_jail/usr/local/libexec/sftp-server
```

cu 

richard

----------

## derRichard

hi!

now it works, the error was in the /etc/passwd...

thx,

richard

----------

