Possibility to disable ChrootDirectory on sshd_config #393

Open
pedrofernandesfilho opened this issue Oct 26, 2023 · 5 comments

Comments

pedrofernandesfilho commented Oct 26, 2023

ChrootDirectory causes hangs after login in some cases.
This is a post with more details: https://scvalex.net/posts/56/

In my case it takes five minutes before it allows executing FTP commands.

A workaround that we found was to remove ChrootDirectory %h from the sshd_config file.

It would be great if we could change a configuration option to remove ChrootDirectory, so that all members of the team could use the image equally.

@isaqueprofeta

I just got the same issue, thanks @pedrofernandesfilho for the research and the link with the explanation.

Just to share a little workaround: in my environment I used a mounted volume, creating a file for sshd_config without ChrootDirectory %h and mounting it at /etc/ssh/sshd_config.

ver4a commented Jan 16, 2024

As an alternative to isaqueprofeta's method, you can also remove ChrootDirectory in the Containerfile/Dockerfile:

RUN sed -i -e 's/ChrootDirectory.*//g' /etc/ssh/sshd_config

This is potentially better than a bind mount, because you're not "forking" sshd_config, which could block you from getting new versions of the file.

pedrofernandesfilho (Author) commented Jan 16, 2024

I have tested both solutions.

But I am using docker-compose, so I put a script in the sftpd directory:
https://github.com/atmoz/sftp#execute-custom-scripts-or-applications
Then I had a problem with file execute permissions inside the container.

I will use the volume solution for now.

But I think that an environment variable to decide whether or not to use ChrootDirectory would be very nice. :-)

Thanks for the ideas!
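The environment-variable toggle wished for in the comments above, written out as an added example; this is not code from atmoz/sftp or from any commenter. It is a POSIX shell helper that comments out or restores the ChrootDirectory directive in an sshd_config according to a hypothetical SFTP_CHROOT variable, and it warns when the jail is switched off, because without ChrootDirectory an internal-sftp user is confined only by ordinary filesystem permissions rather than by a chroot. The function names, the variable name and the sample config are assumptions; it relies on GNU sed's -i and -E options, as found in the image's Debian base.

```shell
#!/bin/sh
# Added example, not part of atmoz/sftp. SFTP_CHROOT, set_chroot,
# chroot_state and sample_config are hypothetical names.

# Write a constructed sample sshd_config (modelled on the stock file,
# with the chroot line active) to the path given as $1.
sample_config() {
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory %h
EOF
}

# Report whether the chroot jail is active in the config at $1:
# prints "chroot" when an uncommented ChrootDirectory line exists,
# otherwise "no-chroot".
chroot_state() {
    if grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]' "$1"; then
        echo chroot
    else
        echo no-chroot
    fi
}

# Rewrite the config at $1 so that the chroot setting matches $2
# ("yes" or "no"). Commenting out rather than deleting keeps the
# directive recoverable; a commented-out line is restored on "yes",
# and a fresh "ChrootDirectory %h" is appended if none exists.
set_chroot() {
    cfg="$1"
    want="$2"
    case "$want" in
        yes)
            # Already active: nothing to do.
            if grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]' "$cfg"; then
                return 0
            fi
            if grep -Eq '^[[:space:]]*#[[:space:]]*ChrootDirectory[[:space:]]' "$cfg"; then
                sed -i -E 's/^[[:space:]]*#[[:space:]]*(ChrootDirectory[[:space:]].*)$/\1/' "$cfg"
            else
                printf 'ChrootDirectory %%h\n' >> "$cfg"
            fi
            ;;
        no)
            sed -i -E 's/^([[:space:]]*)(ChrootDirectory[[:space:]].*)$/\1#\2/' "$cfg"
            # Security caveat: with the jail off, SFTP users can browse
            # wherever filesystem permissions allow.
            echo "set_chroot: ChrootDirectory disabled in $cfg; users are confined by file permissions only" >&2
            ;;
        *)
            echo "set_chroot: SFTP_CHROOT must be yes or no, got '$want'" >&2
            return 2
            ;;
    esac
}

# Stand-alone demo: apply SFTP_CHROOT (default yes) to a temporary copy
# of the sample config and print the resulting state.
demo() {
    tmp=$(mktemp)
    sample_config "$tmp"
    set_chroot "$tmp" "${SFTP_CHROOT:-yes}"
    chroot_state "$tmp"
    rm -f "$tmp"
}
```

In a container image this would run once at startup against /etc/ssh/sshd_config before sshd starts, with SFTP_CHROOT supplied by docker-compose or the Helm values; keeping the directive as a comment instead of deleting it means the same image can be flipped back to the jailed configuration without rebuilding.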

@LeoShivas

@pedrofernandesfilho, great, thanks for pointing out the culprit!

I had written a Helm chart for sftp. I added the sshd_config to a ConfigMap and mounted it like this:

...
    volumeMounts:
    - mountPath: /etc/sftp/users.conf
      name: conf
      subPath: users.conf
    - mountPath: /etc/ssh/sshd_config
      name: conf
      subPath: sshd_config
...
  volumes:
  - configMap:
      items:
      - key: users.conf
        path: users.conf
      - key: sshd_config
        path: sshd_config
      name: sftp-conf
    name: conf
...

Here is my ConfigMap (the name belongs under metadata):

apiVersion: v1
data:
  sshd_config: |
    # Secure defaults
    # See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
    Protocol 2
    HostKey /etc/ssh/ssh_host_ed25519_key
    HostKey /etc/ssh/ssh_host_rsa_key

    # Faster connection
    # See: https://github.com/atmoz/sftp/issues/11
    UseDNS no

    # Limited access
    PermitRootLogin no
    X11Forwarding no
    AllowTcpForwarding no

    # Force sftp and chroot jail
    Subsystem sftp internal-sftp
    ForceCommand internal-sftp
    #ChrootDirectory %h

    # Enable this for more logs
    #LogLevel VERBOSE
  users.conf: |
    myuser:mypasswd:myuid:mygid:folder1:folder2
kind: ConfigMap
metadata:
  name: sftp-conf

@spbdimka

Recently I got an error where user login stopped working, although there is no such problem on similar hosts. I need chroot, so are there any options to continue using this image but with chroot support? Maybe some permissions are required on the host system?
