OpenSSH_5.5p1, OpenSSL 0.9.8g 19 Oct 2007 -- ChrootDirectory %h not working.



Hello, I am trying to accomplish the following:

1.) Use OpenSSH as a SFTP server.
Subsystem sftp internal-sftp

2.) Use the SFTP server for users other than my main account.
Match User '*,!lfitz'

3.) Chroot the other users into their home directory.
ChrootDirectory %h

4.) Force the command internal-sftp.
ForceCommand internal-sftp

So the config looks as follows: (hopefully this appears correctly for
readers of the message)

# Beginning of File /etc/ssh/sshd_config
# Global config values
...
# End of Global config values
Subsystem sftp internal-sftp
Match User '*,!lfitz'
ChrootDirectory %h
ForceCommand internal-sftp
Match User lfitz
ForceCommand /bin/bash
# EOF

Basically, the SFTP server works, however it does not chroot the home
directory. Users can view parent folders (/home) and see the other
users on the system (/home/other_user). And even view all contents of
the root directory (/). I don't know why the directive ChrootDirectory
%h is not working. I have tried chmod'ing the directories to different
values: 700, 755, 777, starting with /home and then (iirc) 750 each user
directory. This allows the client (FileZilla or AndFTP for Android) to
start in the ChrootDirectory however it does not set it to /. I'm lost,
I've tried a number of different chmod values, set Subsystem to the
direct path, set Match User to a specific user with no negation or
wildcards, and even tried ChrootDirectory /home/specified_user.

I'm on Debian 5 (lenny) with OpenSSH 5.5p1, OpenSSL 0.9.8g

Any ideas or workarounds I could use to fix this?

I have read the manpage and followed the guide here:
http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
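
The sshd_config(5) manual linked above requires that the ChrootDirectory path and every component of it be a root-owned directory that is not writable by group or others. The following is an added example, not part of the original message: it walks a path and reports each component that breaks that rule. The function name and the `required_uid` parameter are hypothetical; the parameter exists only so the constructed demo can run without root.

```python
import os
import stat
import tempfile

def chroot_path_problems(path, required_uid=0):
    """Return (component, reason) pairs for every component of `path`,
    from / down to the path itself, that is not a directory owned by
    `required_uid` (root by default) or is writable by group/others."""
    problems = []
    current = os.sep
    components = [current]
    for part in os.path.abspath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    for comp in components:
        st = os.stat(comp)  # follows symlinks, raises if the path is missing
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
            continue
        if st.st_uid != required_uid:
            problems.append((comp, "owned by uid %d, expected %d"
                             % (st.st_uid, required_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "group/other writable (mode %o)"
                             % stat.S_IMODE(st.st_mode)))
    return problems

def demo():
    """Constructed sample: a stand-in home directory under a temp dir,
    checked with the three modes mentioned in the message (777, 755, 700).
    Ownership is compared with the current uid instead of root."""
    base = tempfile.mkdtemp()
    home = os.path.join(os.path.abspath(base), "home", "sftpuser")
    os.makedirs(home)
    results = {}
    for mode in (0o777, 0o755, 0o700):
        os.chmod(home, mode)
        found = chroot_path_problems(home, required_uid=os.getuid())
        # Keep only findings for the home directory itself.
        results[mode] = [reason for comp, reason in found if comp == home]
    return results

if __name__ == "__main__":
    for mode, found in demo().items():
        print("%o -> %s" % (mode, found or "ok"))
```

On a real server, call `chroot_path_problems("/home/some_user")` with the default `required_uid=0`; with `ChrootDirectory %h` the home directory itself is one of the components checked.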


