# ssh chroot issue



## Sylhouette (Apr 15, 2015)

Hello all.

I have had little luck setting up a restricted ssh server for ssh tunnels on FreeBSD 10.
On my FreeBSD 8 server it all works well, and on my FreeBSD 10 server I used the same steps.
I use the following setup.

I create a group allowtunnel, then I add users to this group.
In my /etc/ssh/sshd_config file I add the following.

```
Match Group allowtunnel
  AllowTcpForwarding yes
  AllowAgentForwarding yes
  X11Forwarding yes
  ChrootDirectory /usr/home/restricted/%u
```
I create the directory restricted with `mkdir /usr/home/restricted`, then I do a `chown root:wheel /usr/home/restricted`.
I also set the proper permissions:
`chmod 755 /usr/home/restricted` (if I change this, I cannot log in at all)
I create a user, and with vipw(8) it shows as follows.

```
testuser:PASS-EDITED:1005:1006::0:0:User &:/usr/home/restricted/testuser:/bin/sh
```
I make sure that root owns the home folder:
`chown root /usr/home/restricted/testuser`
I create a /bin folder in the newly created home folder:
`mkdir /usr/home/restricted/testuser/bin`
then copy /rescue/sh to the bin dir:
`cp /rescue/sh /usr/home/restricted/testuser/bin`
I then do a `chmod -R 755 /usr/home/restricted/testuser` to be sure the folder permissions are OK.

This works great under FreeBSD 8.

If I try this on my FreeBSD 10 machine, it only works partially.
If I log in on my FreeBSD 10 machine I see the following:

```
login as: testuser
Using keyboard-interactive authentication.
Password for testuser@backup01.mydomain.lan:
Last login: Wed Apr 15 20:29:06 2015 from myprovider.nl
Could not chdir to home directory /usr/home/restricted/testuser: No such file or directory
Cannot read termcap database;
using dumb terminal settings.
$
```
So I do get the shell and the user is restricted, but I cannot get rid of the error!
That error does not appear on my FreeBSD 8 machine.
Is there something I missed?

Regards.


----------



## pboehmer (Apr 16, 2015)

Shouldn't /usr/home/restricted/testuser be owned by user testuser?


----------



## Sylhouette (Apr 16, 2015)

No, if you use a chrooted setup the owner must be root.
If I change it to testuser, then sshd errors out with the following error:

```
Apr 15 17:03:57 backup01 sshd[47602]: fatal: bad ownership or modes for chroot directory "/usr/home/restricted/testuser"
```
And I will not get a shell.

Regards.
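The script below is an added example, not the poster's own commands and not code from sshd or FreeBSD. It automates the setup from the first post (root-owned 0755 tree under /usr/home/restricted, /rescue/sh copied into it) and adds a pre-flight check that reproduces the two things sshd verifies for a ChrootDirectory: every path component from / down to the chroot must be owned by root and must not be group- or world-writable (the rule behind the "bad ownership or modes for chroot directory" error in the reply above), and, because sshd chroots first and only then changes to the home directory from the passwd entry, that home path has to exist relative to the new root (otherwise "Could not chdir to home directory"). Assumptions, all mine: the chroot base is /usr/home/restricted as in the thread, the user's passwd shell is /bin/sh, FreeBSD's termcap lives in /usr/share/misc (copying it into the chroot is what I would try for the "Cannot read termcap database" message), and `REQUIRED_OWNER` is exposed only so the check functions can be exercised in a non-root test tree; for a real sshd chroot it must stay 0. The thread does not explain why FreeBSD 8 does not print the chdir message; the script simply makes the chdir succeed on either version.

```shell
#!/bin/sh
# Added example (not from the thread): provision a per-user sshd chroot the way
# the first post does, then check it the way sshd will before granting a session.
# Run as root on the FreeBSD host:  ./mkchroot.sh testuser

REQUIRED_OWNER=${REQUIRED_OWNER:-0}                  # sshd insists on root (uid 0)
CHROOT_BASE=${CHROOT_BASE:-/usr/home/restricted}     # assumption: base from the thread

# One directory: owned by REQUIRED_OWNER and neither group- nor world-writable.
# ls -ldn is POSIX, so the same check works on FreeBSD and GNU userlands.
check_component() {
    path=$1
    set -- $(ls -ldn "$path")        # $1 = mode string, $3 = numeric owner uid
    mode=$1 uid=$3
    if [ "$uid" != "$REQUIRED_OWNER" ]; then
        echo "bad owner on $path: uid $uid, sshd needs uid $REQUIRED_OWNER" >&2
        return 1
    fi
    case $mode in                    # char 6 = group write, char 9 = world write
        ?????w*|????????w*)
            echo "group- or world-writable: $path ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# sshd applies that rule to the ChrootDirectory and every ancestor up to /,
# which is why a chroot below /tmp or inside a user-owned home is rejected.
check_chroot_path() {
    cur=$1
    case $cur in /*) ;; *) echo "need an absolute path: $cur" >&2; return 1 ;; esac
    while :; do
        check_component "$cur" || return 1
        [ "$cur" = / ] && return 0
        cur=$(dirname "$cur")
    done
}

# What the session needs once sshd has chrooted: the passwd home directory and
# the passwd shell, both resolved relative to the chroot. termcap is only a note.
check_chroot_login() {
    root=$1 home=$2 shell=$3
    rc=0
    if [ ! -d "$root$home" ]; then
        echo "home $home does not exist inside $root (sshd chdirs to it after chroot)" >&2
        rc=1
    fi
    if [ ! -x "$root$shell" ]; then
        echo "shell $shell is missing or not executable inside $root" >&2
        rc=1
    fi
    if [ ! -e "$root/usr/share/misc/termcap" ] && [ ! -e "$root/usr/share/misc/termcap.db" ]; then
        echo "note: no termcap inside $root, expect 'Cannot read termcap database'" >&2
    fi
    return $rc
}

# The first post's steps, plus the home path inside the chroot.
provision_chroot() {
    user=$1
    root=$CHROOT_BASE/$user
    home=$(getent passwd "$user" | cut -d: -f6)
    shell=$(getent passwd "$user" | cut -d: -f7)
    [ -n "$home" ] || { echo "no passwd entry for $user" >&2; return 1; }

    mkdir -p "$CHROOT_BASE" && chown root:wheel "$CHROOT_BASE" && chmod 755 "$CHROOT_BASE"
    mkdir -p "$root$(dirname "$shell")" "$root$home" "$root/usr/share/misc"
    cp /rescue/sh "$root$shell"                  # statically linked, no libraries needed
    for f in /usr/share/misc/termcap /usr/share/misc/termcap.db; do
        [ -f "$f" ] && cp "$f" "$root/usr/share/misc/"
    done
    chown -R root:wheel "$root" && chmod -R 755 "$root"
    chown "$user" "$root$home"                   # only the chroot and its parents must be root's
}

if [ -n "$1" ]; then
    provision_chroot "$1" || exit 1
    root=$CHROOT_BASE/$1
    check_chroot_path "$root" || exit 1
    check_chroot_login "$root" "$(getent passwd "$1" | cut -d: -f6)" \
                       "$(getent passwd "$1" | cut -d: -f7)" || exit 1
    echo "chroot for $1 passes the sshd ownership, mode, home and shell checks"
fi
```

The check functions are worth running on their own (`. ./mkchroot.sh; check_chroot_path /usr/home/restricted/testuser`) whenever sshd logs the "bad ownership or modes" line: they name the exact component that fails, which sshd's message does not.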


----------

