Skip navigation

SSH security issue?

865 Views 3 Replies Latest reply: Feb 26, 2012 1:38 AM by fearless RSS
fearless Level 6 Level 6 (9,520 points)
Currently Being Moderated
Feb 24, 2012 3:29 AM

I'm currently trying to set up a chrooted jail for SFTP as outlined in the helpful MacResearch article and I've stumbled upon an issue.


We have a long list of external clients able to access their FTP home folders, by logging in using Open Directory accounts. In every case FTP access is set to "Home Folder Only", and anonymous FTP is not enabled. For FTP access this works as expected.


But with ssh it's different. When attempting to ssh as one of our regular external users (on the local network, not from outside), the connection requests a password, then reports an error, saying that they're unable to connect to the specified home folder, with its file path listed. This file path is correct - however, despite the error message, it ALLOWS THE CONNECTION, giving the user unfettered access to the root level of the server, and user home folders, though no deeper. This seems extraordinary.


The user is a member only of a group called External, with no particular access to anything. I've repaired permissions on the server, and further restricted things by only allowing root write access to the home folder path as you need to when doing a chroot setup.


Is this normal? Or have I got something completely messed up here?



Final Cut Studio '09, Mac OS X (10.6.7), Tangent panels, Avid Nitris DX
  • Esther Mofet Level 1 Level 1 (130 points)
    Currently Being Moderated
    Feb 24, 2012 9:33 AM (in response to fearless)

    Pretty abnormal behavior.


    What do you have in your /etc/sshd_config file?


    At a minimum, you would need definitions to capture the SFTP subprotocol (Subsystem), to match your jailed group, and to define their unique user jail directory.


    I use this:

    Subsystem sftp /usr/libexec/sftp-server
    Match Group jailedsftp
         X11Forwarding no
         ChrootDirectory /var/sftp/%u
         AllowTcpForwarding no


    Hope this helps a bit.


More Like This

  • Retrieving data ...

Bookmarked By (0)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.