SFTP suddenly failing for chroot accounts on Amazon Linux
Edit: This should be fixed in openssh-6.6.1p1-32.el7 per https://bugzilla.redhat.com/show_bug.cgi?id=1398569
It appears after the OpenSSH-6.6.1p1-31 update, only the user's primary group is checked for authentication during the SFTP connection attempt. With root and the user's primary group owning the home directory and at least 710 permissions, connection attempts should succeed.
Repro steps:

```
$ groups sftpuser
sftpuser : sftpgroup sftpuser
$ ls -ld /home/sftpuser/
drwx--x--- 2 root sftpuser 4096 Nov 22 18:31 sftpuser/
$ sftp sftpuser@localhost
sftpuser@localhost's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
$ chgrp sftpgroup sftpuser/
$ ls -ld /home/sftpuser/
drwx--x--- 2 root sftpgroup 4096 Nov 22 18:31 sftpuser/
$ sftp sftpuser@localhost
sftpuser@localhost's password:
Connected to localhost.
sftp> exit
```
Failed connection with secondary group owning home directory (from /var/log/secure):
```
sshd[31640]: Accepted password for sftpuser from 127.0.0.1 port 34380 ssh2
sshd[31640]: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
sshd[31640]: fatal: Unable to chdir to chroot path "/home/sftpuser": Permission denied [postauth]
sshd[31640]: pam_unix(sshd:session): session closed for user sftpuser
```

Successful connection with primary group owning home directory (from /var/log/secure):

```
sshd[31647]: Accepted password for sftpuser from 127.0.0.1 port 34382 ssh2
sshd[31647]: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
sshd[31647]: session opened for local user sftpuser from [127.0.0.1] [postauth]
sshd[31647]: session closed for local user sftpuser from [127.0.0.1] [postauth]
sshd[31647]: Received disconnect from 127.0.0.1: 11: disconnected by user [postauth]
sshd[31647]: pam_unix(sshd:session): session closed for user sftpuser
```
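As an added example (not from the original post), a small POSIX shell check that reports why sshd would refuse a ChrootDirectory: the root-ownership and no-group/world-write requirements sshd always enforces, plus the condition the post describes, that the affected openssh-6.6.1p1-31 build only honours the user's primary group when traversing the directory. It assumes GNU `stat` (coreutils, as on Amazon Linux) and takes the primary GID as an argument, e.g. `check_chroot_dir /home/sftpuser "$(id -g sftpuser)"`.

```shell
#!/bin/sh
# Added example, not from the original post. Reports why sshd would refuse a
# ChrootDirectory: the path must be root-owned and not group- or world-
# writable, and with the openssh-6.6.1p1-31 build described in the post, only
# the user's primary group is consulted for traversal.
# Assumes GNU stat (coreutils). Usage: check_chroot_dir <dir> <primary_gid>
# Prints one finding per line and returns 1; prints "ok" and returns 0 if clean.
check_chroot_dir() {
    dir=$1
    primary_gid=$2
    st=$(stat -c '%u %g %a' "$dir" 2>/dev/null) || { echo "missing: $dir"; return 1; }
    set -- $st
    uid=$1 gid=$2 mode=$3
    perms=$((0$mode))   # octal mode bits, e.g. 710 -> rwx--x---
    rc=0
    [ "$uid" -eq 0 ] || { echo "owner uid $uid: chroot must be root-owned"; rc=1; }
    [ $((perms & 16)) -eq 0 ] || { echo "mode $mode: group-writable, sshd rejects it"; rc=1; }
    [ $((perms & 2)) -eq 0 ]  || { echo "mode $mode: world-writable, sshd rejects it"; rc=1; }
    if [ $((perms & 1)) -eq 0 ]; then
        # No world execute bit, so the user can only enter via the group bit,
        # and the affected sshd checks that bit against the primary group only.
        if [ "$gid" -ne "$primary_gid" ]; then
            echo "group $gid is not the user's primary group ($primary_gid): affected sshd ignores secondary groups"
            rc=1
        elif [ $((perms & 8)) -eq 0 ]; then
            echo "mode $mode: primary group lacks execute (search) permission"
            rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo ok
    return $rc
}
```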