chrooted sftp :: fatal: bad ownership or modes for chroot directory component

If you have set up sftp in chrooted mode and are unable to log into the server:

$ sftp [email protected]

[email protected]'s password:
Connection to closed by remote host.
Couldn't read packet: Connection reset by peer

have a look at the /var/log/secure log; if you find the error below

sshd[19490]: fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/"

the fix is as below:

# chmod 755 /var/www/vhosts/

# chown root:root /var/www/vhosts/

Ensure that every directory on the path from / down to /var/www/vhosts/ is owned by root and is not writable by the group or by anyone else. This is certainly one of the limitations of chrooted sftp.


Configuring chroot(ed) sftp

OpenSSH versions since 4.8 support chrooted sftp. This has been made possible by a new SFTP subsystem statically linked into sshd. No patches are needed; it just takes a few tweaks to the ssh configuration (/etc/ssh/sshd_config). This is one step further towards removing the insecure ftp service from the server.

Steps to Configure chrooted sftp

Open the sshd config file:

# vi /etc/ssh/sshd_config 

Find and comment out the line:

Subsystem sftp /usr/libexec/openssh/sftp-server

then add the line below after the commented-out one:

Subsystem sftp internal-sftp

With this change, sftp can be chrooted. Now let us update the config with the rules according to which chrooting will happen.

Let us start by creating a group:

# groupadd sftpuser

Towards the end of the config file /etc/ssh/sshd_config, add the following configuration block:

Match Group sftpuser
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

%h means the home directory of the authenticated user, and the authenticated user must belong to the group sftpuser for the chrooting to happen. You may also use %u, as in /var/www/vhosts/%u, where %u means the username of the user.

The directory that is to be chrooted into must be owned by root, with permissions of 700 or 755.
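The ownership and mode rule above, and the "bad ownership or modes for chroot directory component" error it causes when violated, are easiest to diagnose by walking the whole path the way sshd does. The script below is an added example, not part of the original post: it checks every directory from / down to the intended ChrootDirectory and reports any component that is not owned by root or is group- or world-writable. The paths in the comments are placeholders; nothing here is specific to one server.

```shell
#!/bin/sh
# Added example (not from the original post): check every directory from /
# down to the ChrootDirectory for what sshd insists on, namely that each
# component is owned by root and is neither group- nor world-writable.

# Report the problems with one directory. Prints a comma-separated list
# (empty when the directory is acceptable) and returns 1 if any were found.
component_problems() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf '%s\n' "missing or not a directory"
        return 1
    fi
    # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn "$dir")
    mode=$1; uid=$3
    problems=""
    [ "$uid" = 0 ] || problems="not owned by root (uid $uid)"
    # 6th character of the mode string is the group write bit ...
    case $mode in
        ?????w*) problems="${problems:+$problems, }group-writable" ;;
    esac
    # ... and the 9th is the write bit for everyone else.
    case $mode in
        ????????w*) problems="${problems:+$problems, }world-writable" ;;
    esac
    printf '%s\n' "$problems"
    [ -z "$problems" ]
}

# Walk from / to the target (an absolute path such as /var/www/vhosts/user),
# printing one line per offending component. Returns 0 only when the whole
# path is clean, 1 when something would make sshd refuse the chroot.
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *) printf '%s\n' "absolute path required: $target" >&2; return 2 ;;
    esac
    rc=0
    cur=""
    # Split on "/"; the first field is empty and stands for the root directory.
    old_ifs=$IFS; IFS='/'; set -- $target; IFS=$old_ifs
    for comp in "$@"; do
        # skip empty fields from doubled or trailing slashes
        if [ -z "$comp" ] && [ -n "$cur" ]; then continue; fi
        cur="${cur%/}/$comp"
        if problems=$(component_problems "$cur"); then
            :
        else
            printf '%s: %s\n' "$cur" "$problems"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_chroot_path /var/www/vhosts/someuser   (placeholder path)
```

Run it with the value you put in ChrootDirectory; every line it prints is a directory that needs `chown root:root` or a tighter `chmod`, exactly as in the fix at the top of the post. After editing sshd_config, `sshd -t` checks the file for syntax errors before you restart the service.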

Checking the availability of SMTPS, POPS and IMAPS.

Open a Linux shell and run the respective command, replacing hostname with the IP address or hostname of the server whose secure mail ports you want to check.

POPS – port number 995

# openssl s_client -connect hostname:995

SMTPS – port number 465

# openssl s_client -connect hostname:465

IMAPS – port number 993

# openssl s_client -connect hostname:993