How to restrict the SFTP user to home directory in QNX 6.5.0?

I’m trying to restrict the SFTP user to their home directory by adding the lines below to the existing sshd_config file in QNX 6.5.0. But I am unable to restrict the user (e.g. user1) to his home directory, and he is able to navigate to the root folder (/) in the QNX 6.5.0 system.

sshd_config:

PermitRootLogin yes
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp

Match User user1
ChrootDirectory /home/user1
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

If I change “PermitRootLogin yes” to “PermitRootLogin no”, then I am unable to do an SFTP login to the system.

Can you please help me resolve this issue? How does the chroot directory work on QNX 6.5.0?

Have you tried doing this? You have most of what’s listed in the link, but there are some steps you appear not to have done (unless you didn’t show that you did those).

Tim

Hi Tim,

Thanks for your support.

I created a user and group with proper permissions and tried the same steps as per the above website, but faced the same issue.

Added the user below to /etc/passwd via the QNX boot file:

{
user1:x:45:60:SFTP user:/home/chroot/user1:/bin/sh
}

Added a group for user1:

/etc/group={
user1:x:60:user1
}

User and permissions:

mkdir -p /home/chroot
chmod 700 /home/chroot

chown root:root /home/chroot

mkdir -p /home/chroot/user1
chmod 700 /home/chroot/user1

chown user1:user1 /home/chroot/user1

Added the lines below to the sshd_config file:

PermitRootLogin yes

#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp

Match Group user1
ChrootDirectory /home/chroot/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Is there any way to chroot the user home directory in QNX 6.5.0?

Looking again, I found this QNX article on setting up a chroot environment for ftp that covers QNX 6.5. Presumably you can do the same for sftp. It’s slightly different than the first link in that it appears you need all the binaries and libraries for the commands you want the user to be able to run to be located in the jailed environment.

https://www.qnx.com/support/knowledgebase.html?id=50130000000n18v

Tim
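
Added example, not part of the thread and not QNX or OpenSSH code: OpenSSH's sshd_config(5) documents that every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others, so this script walks a path such as /home/chroot and reports any component that breaks that rule. The function names are hypothetical, and it assumes the target has a POSIX sh with `ls -n`, `awk` and `dirname`, and that the QNX sshd applies the same rule as upstream OpenSSH.

```shell
#!/bin/sh
# Added example: check the ownership/mode rule that OpenSSH documents for
# every component of a ChrootDirectory path.

# check_chroot_dir DIR [UID]
# Returns 0 if DIR is a directory owned by UID (default 0, root) and not
# writable by group or others; otherwise prints the reason and returns 1.
check_chroot_dir() {
    d=$1
    want_uid=${2:-0}
    if [ ! -d "$d" ]; then
        echo "FAIL $d: not a directory"
        return 1
    fi
    # ls -ldn prints "mode links uid gid ..."; keep only mode and numeric uid.
    set -- $(ls -ldn "$d" | awk '{print $1, $3}')
    mode=$1
    uid=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $d: owned by uid $uid, expected $want_uid"
        return 1
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $d: mode $mode is group- or world-writable"
            return 1 ;;
    esac
    echo "ok   $d ($mode uid $uid)"
    return 0
}

# check_chroot_path DIR [UID]
# Runs check_chroot_dir on DIR and on each parent up to /.
# Returns 0 if all pass, 1 if any component fails, 2 for a relative path.
check_chroot_path() {
    p=$1
    p_uid=${2:-0}
    bad=0
    case $p in
        /*) ;;
        *) echo "FAIL $p: path must be absolute"; return 2 ;;
    esac
    while :; do
        check_chroot_dir "$p" "$p_uid" || bad=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $bad
}
```

Run it as `check_chroot_path /home/chroot` against whatever path the Match block names in ChrootDirectory; the optional second argument exists only so the check can be tried out on directories not owned by root.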