# SFTP chrooted does not work

## drseergio

Had been using a long time, but now reinstalled and followed the guide on the wiki <http://gentoo-wiki.com/HOWTO_SFTP_Server_(chrooted,_without_shell)>. Installed rssh shell and set user's account to this shell. This is rssh config:

```
# This is the default rssh config file

# set the log facility.  "LOG_USER" and "user" are equivalent.
logfacility = LOG_USER

# Leave these all commented out to make the default action for rssh to lock
# users out completely...
allowsftp

umask = 022

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = "/home"
```

Then ran ldd for files /usr/bin/rssh, /usr/bin/sftp, /usr/lib/misc/sftp-server, /usr/lib/misc/rssh_chroot_helper. Copied them accordingly to /home.

ldd /usr/bin/rssh:

```
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0xb7e69000)
        /lib/ld-linux.so.2 (0xb7f83000)
```

ldd /usr/bin/sftp:

```
        linux-gate.so.1 =>  (0xffffe000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7f0f000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e3c000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7e38000)
        libz.so.1 => /lib/libz.so.1 (0xb7e28000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7e13000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7de5000)
        libc.so.6 => /lib/libc.so.6 (0xb7cce000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7cc9000)
        /lib/ld-linux.so.2 (0xb7f26000)
```

ldd /usr/lib/misc/rssh_chroot_helper:

```
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0xb7e2d000)
        /lib/ld-linux.so.2 (0xb7f47000)
```

ldd /usr/lib/misc/sftp-server:

```
        linux-gate.so.1 =>  (0xffffe000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7f36000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e63000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7e5f000)
        libz.so.1 => /lib/libz.so.1 (0xb7e4f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7e3a000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e0c000)
        libc.so.6 => /lib/libc.so.6 (0xb7cf5000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7cf0000)
        /lib/ld-linux.so.2 (0xb7f4d000)
```

Copied everything, but when I try to connect via WinSCP (SFTP) it connects and identifies but then disconnects and says "server returns exit 0, SFTP server works?".

I have full backup of previous system so even when I copy previous home/lib & home/usr directories it does not work either.

However, if I remove the chroot setting in rssh and try to connect everything works. What is wrong?

----------

## drseergio

If I connect locally I get "connection closed". However, if I remove chroot settings sftp works.

Maybe I miss something or are there any new changes in packages during recent updates? What and how should I check? I am really amazed how this could not work after hours of trying and testing.

----------

## Ulukay

hoi

i got the same problem

2.2.3 worked with chroot

2.3.0 didn't

2.3.2 is working again

you should update  :Smile: 

----------

## kamikaze04

I'm having the same problem with 2.3.0. I will give a try to 2.3.2

----------

## kamikaze04

With new version there is no problem  :Smile:  Wheeeeeee!!!!

----------

## bigbob73

 *kamikaze04 wrote:*   

> With new version there is no problem  Wheeeeeee!!!!

 

running 2.3.2 here and still can't get it to chroot.  looks like the same setup as yours.  any other suggestions?

----------

## iloose2

Same problem here, any resolution yet?

----------

## bigbob73

 *iloose2 wrote:*   

> Same problem here, any resolution yet?

 

Still nothing.  If I set the jail in /etc/rssh, I can't logon.  There must be something I'm missing when setting up the jail.

----------

## bigbob73

bump.  has anyone resolved this yet?

----------

## neonknight

Take a look at this:

https://forums.gentoo.org/viewtopic-p-3129490.html#3129490

----------

## fikiz

I was able to solve my "connection closed" problems creating a file named dev/null inside the chroot jail

directory. I'm using rssh-2.3.0.

hope this helps!

Ciao

----------

## aVirulence

 *fikiz wrote:*   

> I was able to solve my "connection closed" problems creating a file named dev/null inside the chroot jail
> 
> directory. I'm using rssh-2.3.0.
> 
> hope this helps!
> ...

 

Doesn't work for me. Thanks though  :Wink: 

----------

## aVirulence

I kind of found out what I did wrong..   :Embarassed:   :Embarassed:   <--notice these faces.. 

chrootpath = "/home"  pointed to the wrong place on my hard disk..

----------

## ats2

Well, 

I'm not so lucky.

 I had the same problem as yours, guys.

I deleted the user account and the directory and recreated everything following the exact sftp/chroot tutorial on the wiki.

Then I updated to the last ~x86 version of rssh, created a key for the user... I also added a dev/null file, just in case.

And I still have the infamous 'Connection closed' message when chrootpath is enabled in rsshd.conf.

It's driving me crazy. I spent almost a full week trying to make the thing work!   :Sad: 

Here's the output (after giving the correct passphrase) with -vvvv

```
debug1: Authentication succeeded (publickey).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
debug3: channel 0: close_fds r -1 w -1 e 6 c -1
debug1: fd 0 clearing O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
Connection closed
```

If only those messages were saying something I can understand !

I'm gonna kill myself somewhere.   :Confused: 

----------

## foxteck

 *drseergio wrote:*   

> If I connect locally I get "connection closed". However, If I remove chroot settings sftp works.
> 
> Maybe I miss something or there any new changes in packages during recent updates? What and how should I check? I am really amazed how this could not work after hours of trying and testing.

 

Try:

```
mkdir /your/chroot/dir/dev
mknod -m 666 /your/chroot/dir/dev/null c 1 3
```

----------

## qcaze

 *foxteck wrote:*   

>  *drseergio wrote:*   If I connect locally I get "connection closed". However, If I remove chroot settings sftp works.
> 
> Maybe I miss something or there any new changes in packages during recent updates? What and how should I check? I am really amazed how this could not work after hours of trying and testing. 
> 
> Try:
> ...

 

Thanks - that worked for me  :Smile: 

----------

## hurra

Doesn't work here  :Crying or Very sad: 

----------

## 0n0w1c

You could try scponly for a chrooted sftp.

----------

## Big Jim Slade

If anyone is still looking for help on this issue, here's what fixed it for me:

I did need to create the dev/null node, otherwise sftp would not connect.  BUT, I also needed to copy over /lib/libnss_compat.so.2 to {CHROOT}/lib

```
# cp /lib/libnss_compat.so.2 {CHROOT_PATH}/lib
```

Without this file I kept getting those idiotic "Connection closed" errors and log entries about UID not being valid or some crap, which was false.

The file as it sits in /lib is a symlink to /lib/libnss_compat-2.4.so, but the file that needs to be in {CHROOT}/lib is libnss_compat.so.2.

Hope this helps somebody.

----------
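Added example, not part of any post in this thread: a POSIX shell check that combines the fixes reported above (the libraries `ldd` lists, the `dev/null` node, and `libnss_compat.so.2`, which `ldd` never shows because glibc loads NSS modules at run time). The function names and `SAMPLE_LDD` are made up for the example; the sample input is the `rssh_chroot_helper` output quoted in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: report what an rssh chroot jail lacks.

# ldd output for rssh_chroot_helper as posted above (sample input).
SAMPLE_LDD='        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0xb7e2d000)
        /lib/ld-linux.so.2 (0xb7f47000)'

# ldd_paths: read ldd output on stdin, print the absolute library paths.
# Handles "name => /path (addr)" and "/path (addr)"; entries with no path
# (linux-gate.so.1, mapped in by the kernel) are skipped.
ldd_paths() {
    awk '{
        if ($2 == "=>" && $3 ~ /^\//) print $3
        else if ($1 ~ /^\//) print $1
    }' | sort -u
}

# jail_missing JAIL: read ldd output on stdin and print one line per item
# absent from JAIL. Returns 0 when nothing is missing, 1 otherwise.
jail_missing() {
    jail=$1
    missing=0
    # NSS modules are dlopen()ed by glibc at run time, so ldd never shows
    # them; libnss_compat.so.2 is the one named in the thread.
    for p in $(ldd_paths) /lib/libnss_compat.so.2; do
        if [ ! -e "$jail$p" ]; then
            echo "missing: $p"
            missing=1
        fi
    done
    # The mknod fix in the thread creates a character device (c 1 3).
    if [ ! -c "$jail/dev/null" ]; then
        echo "missing: /dev/null (character device)"
        missing=1
    fi
    return "$missing"
}

# Usage on a real host (binary path from the first post; jail path is yours):
#   ldd /usr/lib/misc/sftp-server | jail_missing /home
```

Run it once per binary copied into the jail; an empty result with exit status 0 means every listed library, the NSS module and the device node are present under the jail path.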

