Error: Bad ownership or modes
Overview
You receive the following error:
Nov 11 13:06:31 rob-vm sshd[1259112]: fatal: bad ownership or modes for chroot directory component "/home/robtest/home/robtest/" [postauth]
This is caused by permissions set on the chroot directory.
The fix is to remove the SFTP user's write access to the chroot directory.
Why the error is happening
SFTP Gateway uses the default OpenSSH implementation found in Linux. OpenSSH does not allow SFTP users to have write access to their chroot directory, for security reasons.
As a result, an SFTP connection's authorization will fail, even if the authentication succeeded.
SFTP users may request write access to the root of their chroot directory. It may be tempting to grant them write access:
chmod u+w /home/robtest/home/robtest
Unfortunately, this will result in the SFTP user no longer being able to log in.
Fixes and workarounds
In order to let the SFTP user log in again, you will need to remove their ability to write to the chroot directory:
chmod 755 /home/robtest/home/robtest
You won't be able to grant write access through some other means, such as setfacl (I tried this already).
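To find out which component of the path sshd will reject before the user tries to log in, the following added example (not part of SFTP Gateway or OpenSSH) walks the path from / down and applies the rule documented for ChrootDirectory in sshd_config(5): every component must be a root-owned directory that is not writable by group or other. The function names are made up for this example, and it assumes GNU stat as shipped on Linux.

```shell
#!/bin/sh
# Added example (not SFTP Gateway code): audit every component of a chroot path
# against the ChrootDirectory rule in sshd_config(5). Needs GNU stat (Linux).

# component_ok UID MODE: succeeds when the owner is root (uid 0) and the octal
# mode has neither the group-write (020) nor the other-write (002) bit set.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot ABSOLUTE_PATH: prints a verdict per component, from "/" down.
# Returns 0 if all pass, 1 if any component fails, 2 on a relative path.
check_chroot() {
    case $1 in
        /*) ;;
        *) echo "usage: check_chroot /absolute/path" >&2; return 2 ;;
    esac
    rc=0
    cur=/
    old_ifs=$IFS; IFS=/; set -f
    set -- $1                       # split the path on "/"
    set +f; IFS=$old_ifs
    for part in / "$@"; do
        [ -n "$part" ] || continue  # empty field from a leading or doubled slash
        [ "$part" = / ] || cur=${cur%/}/$part
        if [ ! -d "$cur" ]; then
            echo "FAIL $cur: not a directory"
            rc=1
            continue
        fi
        uid=$(stat -L -c %u "$cur")
        mode=$(stat -L -c %a "$cur")
        if component_ok "$uid" "$mode"; then
            echo "ok   $cur (uid=$uid mode=$mode)"
        else
            echo "FAIL $cur (uid=$uid mode=$mode): needs root owner, no group/other write"
            rc=1
        fi
    done
    return "$rc"
}

# Run against a path given on the command line, e.g. the one from the log line.
[ $# -eq 0 ] || check_chroot "$1"
```

Run it as root so that stat can read every directory on the path; a non-zero exit status means at least one component would trigger the fatal error shown in the log.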
One approach that seems to work for customers is to set the default directory. This will make the SFTP user automatically perform a cd uploads/ when connecting. From their perspective (which is the uploads/ directory), they can create files and subfolders.