bugzilla-daemon at mindrot.org
2022-Jun-12 23:32 UTC
[Bug 3446] New: ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
Bug ID: 3446
Summary: ChrootDirectory - Broken Pipe
Product: Portable OpenSSH
Version: 8.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sftp
Assignee: unassigned-bugs at mindrot.org
Reporter: dev.dorrejo at gmail.com
Created attachment 3597
--> https://bugzilla.mindrot.org/attachment.cgi?id=3597&action=edit
sftp -vvv
Hello, I am trying to set up an sftp-only user, doing the following steps:
$ useradd rose
$ passwd
$ chsh -s /dev/false or /dev/nologin
In the file sshd_config in /etc/ssh:
comment: #Subsystem sftp /usr/libexec/ssh/sftp-server
add the following line
Subsystem stfp internal-sftp
Match User rose
X11Forwarding no
AllowTcpForwarding no
#AllowAgentForwarding no
PermitTTY no
PasswordAuthentication yes
#ChrootDirectory /var/www/webdata
#PermitTunnel no
ForceCommand internal-sftp
restart the service after edit.
Now with this, when I do:
$ sftp rose@localhost
I will get
$ sftp rose@localhost
(rose@localhost) Password:
subsystem request failed on channel 0
Connection closed
When I uncomment ChrootDirectory, I will get the next output
$ sftp rose@localhost
(rose@localhost) Password:
client_loop: send disconnect: Broken pipe
Connection closed
Dir permission
$ tree -pu /var/www/
[drwxr-xr-x rose ] /var/www/
└── [drwxr-xr-x rose ] webdata
I have spent Saturday and today (Sunday) fighting with this issue, and the only
thing left is to create this bug report looking for help.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Jun-13 00:00 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to dev.dorrejo from comment #0)
[...]
> when i uncomment ChrootDirectory, i will get the next output
>
> $ sftp rose@localhost
> (rose@localhost) Password:
> client_loop: send disconnect: Broken pipe
> Connection closed
>
>
> Dir permission
> $ tree -pu /var/www/
> [drwxr-xr-x rose ] /var/www/
> └── [drwxr-xr-x rose ] webdata
All components of the ChrootDir path need to be owned by root and mode
755 or stricter. Quoting sshd_config(5):
    At session startup sshd(8) checks that all components of the pathname
    are root-owned directories which are not writable by any other user
    or group
If that's not it, please run sshd in debug mode (/path/to/sshd -ddde -p
2222, then add -P 222 to your sftp command) and attach the output
to this bug. Also, what's the "Other" hardware platform and what
distro is this?
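The ownership rule quoted from sshd_config(5) in comment #1, as an added example (not part of the thread and not OpenSSH code): a Python check that walks every component of a ChrootDirectory path and reports the ones that are not root-owned directories or that are group/other-writable. The `make_stat` helper, the `BEFORE` table and uid 1001 for rose are constructed for the demonstration.

```python
import os
import stat
from pathlib import PurePosixPath

def chroot_path_problems(chroot_dir, stat_fn=os.stat):
    """List (component, reason) for each path component that breaks the
    sshd_config(5) rule: root-owned directory, no group/other write bit."""
    path = PurePosixPath(chroot_dir)
    if not path.is_absolute():
        return [(chroot_dir, "not an absolute path")]
    problems = []
    # Walk "/", "/var", "/var/www", ... down to the chroot directory itself.
    for component in [*list(path.parents)[::-1], path]:
        name = str(component)
        try:
            st = stat_fn(name)  # follows symlinks, like stat(2)
        except OSError as exc:
            problems.append((name, f"cannot stat: {exc.strerror}"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((name, "not a directory"))
        if st.st_uid != 0:
            problems.append((name, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & 0o022:
            problems.append((name, "writable by group or others"))
    return problems

def make_stat(table):
    """stat_fn over a constructed {path: (uid, mode)} table, for offline demos."""
    def stat_fn(name):
        if name not in table:
            raise FileNotFoundError(2, "No such file or directory")
        uid, mode = table[name]
        # Field order: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return stat_fn

# Constructed sample mirroring the first `tree -pu` listing in the report;
# uid 1001 for rose is an assumption (the thread does not give it).
BEFORE = {"/": (0, 0o40755), "/var": (0, 0o40755),
          "/var/www": (1001, 0o40755), "/var/www/webdata": (1001, 0o40755)}

if __name__ == "__main__":
    for name, why in chroot_path_problems("/var/www/webdata", make_stat(BEFORE)):
        print(f"{name}: {why}")
```

Called with the default `stat_fn` on a real host, the same function checks the live filesystem.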
bugzilla-daemon at mindrot.org
2022-Jun-14 01:34 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
--- Comment #2 from dev.dorrejo at gmail.com ---
Created attachment 3598
--> https://bugzilla.mindrot.org/attachment.cgi?id=3598&action=edit
logs of sshd
bugzilla-daemon at mindrot.org
2022-Jun-14 01:35 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
--- Comment #3 from dev.dorrejo at gmail.com ---
Settings:
Subsystem stfp internal-sftp
LogLevel DEBUG3
Match User rose
#PasswordAuthentication yes
ChrootDirectory /var/www/webdata
#PermitTunnel no
#AllowAgentForwarding no
#AllowTcpForwarding no
#X11Forwarding no
ForceCommand internal-sftp
Folder:
tree -up /var/www
[drwxr-xr-x root ] /var/www
└── [drwxr-xr-x root ] webdata
bugzilla-daemon at mindrot.org
2022-Jun-14 01:36 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
--- Comment #4 from dev.dorrejo at gmail.com ---
Settings:
Subsystem stfp internal-sftp
LogLevel DEBUG3
Match User rose
#PasswordAuthentication yes
ChrootDirectory /var/www/webdata
#PermitTunnel no
#AllowAgentForwarding no
#AllowTcpForwarding no
#X11Forwarding no
ForceCommand internal-sftp
Folder:
tree -up /var/www
[drwxr-xr-x root ] /var/www
└── [drwxr-xr-x root ] webdata
bugzilla-daemon at mindrot.org
2022-Jun-14 02:56 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Here's the problem:
> debug2: subsystem request for sftp by user rose
> subsystem request for sftp by user rose failed, subsystem not found
because it looks like you typoed "sftp" in your config:
> Subsystem stfp internal-sftp
bugzilla-daemon at mindrot.org
2022-Jun-14 23:32 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
--- Comment #6 from dev.dorrejo at gmail.com ---
Thanks for the assistance, that miss spelled word make the world
impossible for me, but sadly sshd never fail to this.
bugzilla-daemon at mindrot.org
2022-Jun-15 01:10 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #7 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to dev.dorrejo from comment #6)
> Thanks for the assistance,
You're welcome.
> that miss spelled word make the world
> impossible for me, but sadly sshd never fail to this.
Unfortunately subsystems can have arbitrary names so your configuration
was perfectly valid, just not what you intended.
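Comments #5 and #7 explain why `Subsystem stfp internal-sftp` was accepted without any error; the following added example (not part of the thread and not OpenSSH code) is a small lint that flags that situation before the daemon is restarted. It assumes, as the log in comment #5 shows, that the sftp client asks for the subsystem named `sftp`; the function names are hypothetical.

```python
SFTP_PROGRAMS = ("internal-sftp", "sftp-server")

def parse_subsystems(config_text):
    """Return {name: command} for every active Subsystem line.
    The keyword is matched case-insensitively; commented lines are skipped."""
    subsystems = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "subsystem":
            subsystems.setdefault(parts[1], parts[2])
    return subsystems

def lint_sftp_subsystem(config_text):
    """Report configurations that are valid for sshd but leave sftp unusable."""
    subsystems = parse_subsystems(config_text)
    findings = []
    if "sftp" not in subsystems:
        findings.append('no subsystem named "sftp": sftp clients will see '
                        '"subsystem request failed"')
    for name, command in subsystems.items():
        # Compare on the program's basename so a full sftp-server path matches.
        program = command.split()[0].rsplit("/", 1)[-1]
        if name != "sftp" and program in SFTP_PROGRAMS:
            findings.append(f'subsystem "{name}" runs {program}; '
                            'did you mean "sftp"?')
    return findings

# sshd_config fragment taken from comment #3 of the thread (abridged).
REPORTED_CONFIG = """\
Subsystem stfp internal-sftp
LogLevel DEBUG3
Match User rose
#PasswordAuthentication yes
ChrootDirectory /var/www/webdata
ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for finding in lint_sftp_subsystem(REPORTED_CONFIG):
        print("WARNING:", finding)
```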
bugzilla-daemon at mindrot.org
2022-Oct-04 10:59 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Closing bugs from openssh-9.1 release cycle
bugzilla-daemon at mindrot.org
2023-Mar-17 02:41 UTC
[Bug 3446] ChrootDirectory - Broken Pipe
https://bugzilla.mindrot.org/show_bug.cgi?id=3446
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs