Setup sftp user account and restrict read/write access to one folder
I would like to create an sftp user account on an Ubuntu server which has read/write access only to one specific folder. I would like this user to have rights to transfer files to and from my server via sftp. My server is hosted on Digital Ocean.

I have followed this tutorial on Digital Ocean which seems to do exactly what I want, but I got stuck at Step 4.

Step 4 says that you try this command:

ssh sammyfiles@localhost

And the result should be:

Error message
This service allows sftp connections only.
Connection to localhost closed.

Instead my result is:

packet_write_wait: Connection to 207.154.238.143 port 22: Broken pipe
Connection closed

Next it instructs running this, which should obviously work:

sftp sammyfiles@localhost

The result should be:

SFTP prompt
Connected to localhost.
sftp>

but instead I get:

forge@BitCloud:~$ sftp misjah@localhost
misjah@localhost's password:
packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer

I get the same message if I try to sftp with this newly created user from outside:

prmbair:~ primozrome$ sftp misjah@207.xxx.xxx.xxx
misjah@207.xxx.xxx.xxx's password:
packet_write_wait: Connection to 207.154.238.143 port 22: Broken pipe
Connection closed
prmbair:~ primozrome$

What am I doing wrong?

Update from comments:
It seems the problem is in the sshd_config ChrootDirectory line. If I use ChrootDirectory %h then sftp to the user's home directory works, but if I use ChrootDirectory /home/user/uploads (to restrict access to only one folder) then:

packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe.
Couldn't read packet: Connection reset by peer.

Any idea?
users openssh sftp
edited Aug 31 '17 at 16:13
user68186

asked Aug 29 '17 at 15:13
Primoz Rome
  • @user68186 tried adding ClientAliveInterval 60 but I get the same result
    – Primoz Rome
    Aug 30 '17 at 15:11
  • The only idea I have is make sure you enter the /home/[username]/uploads in the exact case as it appears in the system. In other words, make sure it is uploads and not Uploads. Best of luck.
    – user68186
    Aug 31 '17 at 16:15
2 Answers
I think there is a mistake about the rights...

Could you show us the output of the command ls -l in your directory /var/sftp please?

I think /var/sftp has 755 rights but not /var/sftp/uploads, because the chmod command isn't recursive if we don't tell it, so you would have to type:
sudo chmod 755 -R /var/sftp (the -R parameter is for recursive).
With -R, all subdirectories in /var/sftp will have 755 rights.

Could you try it please?

Good luck!

answered Aug 29 '17 at 18:23
TheVincent

  • Seems like the problem is in the sshd_config ChrootDirectory line. If I use ChrootDirectory %h then sftp to the user's home directory works, but if I use ChrootDirectory /home/user/uploads (to restrict access to only one folder) then packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe. Couldn't read packet: Connection reset by peer. Any idea?
    – Primoz Rome
    Aug 30 '17 at 13:33
From https://man.openbsd.org/sshd_config

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.

I had the same problem and the solution was to avoid using a directory in a user's home, as the /home/user directory should not be owned by root, but to create instead a directory in e.g. /var/sftp/uploads, where /var/sftp/ is root-owned and /var/sftp/uploads is owned by the sftp user.
Then I can chroot the sftp user in uploads.

ChrootDirectory /var/sftp

in /etc/ssh/sshd_config

answered Dec 4 '18 at 10:16
Wail
        Wail