Possibility to disable ChrootDirectory on sshd_config #393
Comments
I just got the same issue, thx @pedrofernandesfilho for the search and the link with the explanation. Just to share a little workaround: On my environment I used a mounting volume, creating a file for sshd_config without
As an alternative to isaqueprofeta's method, you can also remove ChrootDirectory in Containerfile/Dockerfile:
This is potentially better than a bind mount, because you're not "forking" the sshd_config, which could block you from getting new versions of the file.
I have tested both solutions. But I am using docker-compose, so I put a script in the sftpd directory: I will use the volume solution for now. But I think that an environment variable to decide whether to use ChrootDirectory or not would be very nice. :-) Thanks for the ideas!
@pedrofernandesfilho, great thanks for pointing out the culprit! I had written a helm chart for sftp. I added the sshd_config in a configMap and mounted it like this:

```yaml
...
volumeMounts:
- mountPath: /etc/sftp/users.conf
  name: conf
  subPath: users.conf
- mountPath: /etc/ssh/sshd_config
  name: conf
  subPath: sshd_config
...
volumes:
- configMap:
    items:
    - key: users.conf
      path: users.conf
    - key: sshd_config
      path: sshd_config
    name: sftp-conf
  name: conf
...
```

Here is my configMap:

```yaml
apiVersion: v1
data:
  sshd_config: |
    # Secure defaults
    # See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
    Protocol 2
    HostKey /etc/ssh/ssh_host_ed25519_key
    HostKey /etc/ssh/ssh_host_rsa_key
    # Faster connection
    # See: https://github.com/atmoz/sftp/issues/11
    UseDNS no
    # Limited access
    PermitRootLogin no
    X11Forwarding no
    AllowTcpForwarding no
    # Force sftp and chroot jail
    Subsystem sftp internal-sftp
    ForceCommand internal-sftp
    #ChrootDirectory %h
    # Enable this for more logs
    #LogLevel VERBOSE
  users.conf: |
    myuser:mypasswd:myuid:mygid:folder1:folder2
kind: ConfigMap
metadata:
  name: sftp-conf
```
Recently got an error that user login stopped working, although there is no such problem on similar hosts. I need chroot, so are there any options to continue using this image, but with chroot support, maybe some permissions are required on the host system?
ChrootDirectory causes hangs after login in some cases.
This is a post with more details: https://scvalex.net/posts/56/
In my case it takes five minutes to allow executing FTP commands.
A workaround that we found was to remove `ChrootDirectory %h` from the sshd_config file. It could be great if we could change a configuration to remove ChrootDirectory, as all members of the team could use the image equally.
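
As an added example (not part of this thread or the atmoz/sftp project), the script below checks what the workaround leaves in place: it reads an sshd_config and reports whether SFTP users are still chrooted. The function names and the two sample configs are constructed for illustration, and it assumes the `Keyword value` form and reads only the global section.

```shell
#!/bin/sh
# Added example: classify an sshd_config by whether SFTP users are still
# jailed once "ChrootDirectory %h" has been removed or commented out.

# first_value FILE KEYWORD
# Print the first active value of KEYWORD in the global section. sshd uses
# the first value it obtains for a keyword and keywords are case-insensitive.
# Assumption: "Keyword value" form; parsing stops at the first Match block.
first_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/         { next }   # comment or blank line
        tolower($1) == "match" { exit }   # global section only
        tolower($1) == want    { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# jail_status FILE
# Prints one of: jailed, sftp-only-no-chroot, not-sftp-only
jail_status() {
    chroot_dir=$(first_value "$1" ChrootDirectory)
    force_cmd=$(first_value "$1" ForceCommand)
    case "$chroot_dir" in
        ""|none) chrooted=no ;;           # unset or "none" means no chroot
        *)       chrooted=yes ;;
    esac
    case "$force_cmd" in
        internal-sftp*) sftp_only=yes ;;
        *)              sftp_only=no ;;
    esac
    if [ "$sftp_only" = no ]; then
        echo not-sftp-only
    elif [ "$chrooted" = yes ]; then
        echo jailed
    else
        # No shell access, but paths outside the home directory are
        # reachable over SFTP, subject to file permissions.
        echo sftp-only-no-chroot
    fi
}

# Constructed sample inputs: the directives before and after the workaround.
tmp=$(mktemp -d)
printf '%s\n' 'Subsystem sftp internal-sftp' 'ForceCommand internal-sftp' \
    'ChrootDirectory %h' > "$tmp/stock"
printf '%s\n' 'Subsystem sftp internal-sftp' 'ForceCommand internal-sftp' \
    '#ChrootDirectory %h' > "$tmp/workaround"
echo "stock:      $(jail_status "$tmp/stock")"
echo "workaround: $(jail_status "$tmp/workaround")"
```

A result of `sftp-only-no-chroot` is the state the workaround produces, so anything sensitive mounted into the container should be checked for file permissions that keep it out of reach of SFTP users.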