Page 2 of 11
Results 11 to 20 of 109

Thread: Howto create chrooted Openssh SFTP without shell access through rssh.

  1. #11
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    When you can, post rssh-related log entries. They should be in syslog.

    Also try setting sftp into verbose mode with the -v option; e.g.:
    Code:
    sftp -v -v sft@localhost
    Meanwhile, I'll run over my howto to see if there are any pitfalls you might have hit.

    (Sorry, I'm replying before Monday. Hope you don't mind)
    -Jimmy

  2. #12
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Possible sources of the problem:
    Does "/home/chroot/lib/ld-linux.so.2" exist? If not,
    Code:
    cd /home/chroot
    sudo cp /lib/ld-linux.so.2 lib/
    Just to play it safe, make sure you have "libnss_compat.so.2" in the directory "/home/chroot/lib". If not, put it there with the following command:
    Code:
    sudo cp /lib/libnss_compat.so.2 /home/chroot/lib/
    Did you add the lines to "/etc/init.d/sysklogd"? (If so, there should be messages from rssh in syslog; post them.)

    Also make sure you did this step:
    Now you have to fix your chroot directory setup (you need to be able to run "/usr/lib/sftp-server" even when chrooted). To do this, create a hard link for "/home/chroot/usr/lib/openssh/sftp-server" at "/home/chroot/usr/lib/" using the following command:
    Code:
    sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/
    Final note: make sure you remembered to tell sysklogd and sshd to reload after you changed the configs.

    If all else fails, see if you can sftp with a normal (not rsshed) account (maybe it is the sftp-server)

    If you don't have any private files in the /home/chroot, post the results for:
    Code:
    ls -lR /home/chroot/
    so I can see if you are missing any necessary files in your chrooted directory.

    Hope this helps (if it does, please tell me which one helped).

    ---
    Note: the parts in red are added (not originally there). Thanks to juicybananahead for discovering the error. For more information, see following two posts.
    Last edited by jchau; April 18th, 2006 at 12:17 AM.
    -Jimmy

  3. #13
    Join Date
    Nov 2005
    Location
    London
    Beans
    66

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi Jimmy,

    Got it working! For your own peace of mind , here's the information you were looking for:

    First, the verbose output of an sftp attempt.
    Code:
    user@ubuntubox:~$ sftp -v -v sft@localhost
    Connecting to localhost...
    OpenSSH_4.1p1 Debian-7ubuntu4.1, OpenSSL 0.9.7g 11 Apr 2005
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to localhost [127.0.0.1] port 22.
    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_rsa type -1
    debug1: identity file /home/user/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1p1 Debian-7ubuntu4.1
    debug1: match: OpenSSH_4.1p1 Debian-7ubuntu4.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.1
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 137/256
    debug2: bits set: 483/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'localhost' is known and matches the RSA host key.
    debug1: Found key in /home/user/.ssh/known_hosts:8
    debug2: bits set: 475/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/user/.ssh/id_rsa ((nil))
    debug2: key: /home/user/.ssh/id_dsa ((nil))
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/user/.ssh/id_rsa
    debug1: Trying private key: /home/user/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: password
    sft@localhost's password:
    debug2: we sent a password packet, wait for reply
    debug1: Authentication succeeded (password).
    debug2: fd 4 setting O_NONBLOCK
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    debug1: Entering interactive session.
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug1: Sending environment.
    debug1: Sending env LANG = en_GB.UTF-8
    debug2: channel 0: request env confirm 0
    debug1: Sending subsystem: sftp
    debug2: channel 0: request subsystem confirm 1
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel 0: rcvd adjust 131072
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug2: channel 0: rcvd eof
    debug2: channel 0: output open -> drain
    debug2: channel 0: obuf empty
    debug2: channel 0: close_write
    debug2: channel 0: output drain -> closed
    debug2: channel 0: rcvd close
    debug2: channel 0: close_read
    debug2: channel 0: input open -> closed
    debug2: channel 0: almost dead
    debug2: channel 0: gc: notify user
    debug2: channel 0: gc: user detached
    debug2: channel 0: send close
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
    debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
    debug1: Exit status 1
    Connection closed
    Second, the syslog entries for the sftp attempt.
    Code:
    user@ubuntubox:~$ sudo cat /var/log/syslog | tail -8
    Apr 16 23:34:16 localhost rssh[26642]: setting log facility to LOG_USER
    Apr 16 23:34:16 localhost rssh[26642]: allowing sftp to all users
    Apr 16 23:34:16 localhost rssh[26642]: setting umask to 022
    Apr 16 23:34:16 localhost rssh[26642]: chrooting all users to /home/chroot
    Apr 16 23:34:16 localhost rssh[26642]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper "/home/chroot" 2 "/home/sft" /usr/lib/sftp-server
    Apr 16 23:34:17 localhost rssh_chroot_helper[26642]: new session for sft, UID=1004
    Apr 16 23:34:17 localhost rssh_chroot_helper[26642]: could not cd to user's home dir: /home/sft
    Apr 16 23:34:17 localhost rssh_chroot_helper[26642]: execv() failed, /usr/lib/sftp-server: No such file or directory
    Alright, I first noticed that chrooted /home/sft (i.e. /home/chroot/home/sft) could not be cd'd to, so I created a directory like that but I didn't think that would have much of an effect... and right I was. Another failure to sftp. The syslog entries for this attempt:
    Code:
    user@ubuntubox:~$ sudo cat /var/log/syslog | tail -7
    Apr 16 23:45:29 localhost rssh[26982]: setting log facility to LOG_USER
    Apr 16 23:45:29 localhost rssh[26982]: allowing sftp to all users
    Apr 16 23:45:29 localhost rssh[26982]: setting umask to 022
    Apr 16 23:45:29 localhost rssh[26982]: chrooting all users to /home/chroot
    Apr 16 23:45:29 localhost rssh[26982]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper "/home/chroot" 2 "/home/sft" /usr/lib/sftp-server
    Apr 16 23:45:29 localhost rssh_chroot_helper[26982]: new session for sft, UID=1004
    Apr 16 23:45:29 localhost rssh_chroot_helper[26982]: execv() failed, /usr/lib/sftp-server: No such file or directory
    Okaaaay... now it's looking for /usr/lib/sftp-server (i.e. /home/chroot/usr/lib/sftp-server). Why is it looking for that? I thought it would be looking for /lib/sftp-server (i.e. /home/chroot/lib/sftp-server). Let's have a look at the entire contents of /home/chroot
    Code:
    user@ubuntubox:/home/chroot$ ls -lR
    .:
    total 20
    drwxr-xr-x  2 root root 4096 2006-04-16 07:40 dev
    drwxr-xr-x  2 root root 4096 2006-04-16 23:41 etc
    drwxr-xr-x  3 root root 4096 2006-04-16 23:41 home
    drwxr-xr-x  3 root root 4096 2006-04-16 23:45 lib
    drwxr-xr-x  4 root root 4096 2006-04-14 20:44 usr
    
    ./dev:
    total 0
    srw-rw-rw-  1 root root 0 2006-04-16 07:40 log
    
    ./etc:
    total 76
    -rw-r--r--  1 root root 56431 2006-04-14 20:44 ld.so.cache
    -rw-r--r--  1 root root    63 2006-04-14 20:44 ld.so.hwcappkgs
    -rw-r--r--  1 root root   465 2006-04-14 20:44 nsswitch.conf
    -rw-r--r--  1 root root    64 2006-04-16 23:41 passwd
    -rw-r--r--  1 root root    76 2006-04-16 23:33 passwd~
    
    ./home:
    total 4
    drwxr-xr-x  2 root root 4096 2006-04-16 23:41 sft
    
    ./home/sft:
    total 0
    
    ./lib:
    total 260
    -rwxr-xr-x  1 root root 88168 2006-04-14 20:47 ld-linux.so.2
    -rw-r--r--  1 root root 26332 2006-04-14 20:49 libnss_compat.so.2
    -rw-r--r--  1 root root 34268 2006-03-24 14:34 libnss_files-2.3.5.so
    lrwxrwxrwx  1 root root    21 2006-04-14 20:44 libnss_files.so.2 -> libnss_files-2.3.5.so
    -rw-r--r--  1 root root 68084 2006-04-14 20:44 libselinux.so.1
    -rwxr-xr-x  2 root root 27184 2006-04-14 20:44 sftp-server
    drwxr-xr-x  3 root root  4096 2006-04-14 20:44 tls
    
    ./lib/tls:
    total 4
    drwxr-xr-x  3 root root 4096 2006-04-14 20:44 i686
    
    ./lib/tls/i686:
    total 4
    drwxr-xr-x  2 root root 4096 2006-04-14 20:44 cmov
    
    ./lib/tls/i686/cmov:
    total 1408
    -rw-r--r--  1 root root   21864 2006-04-14 20:44 libcrypt.so.1
    -rw-r--r--  1 root root 1229936 2006-04-14 20:44 libc.so.6
    -rw-r--r--  1 root root    9580 2006-04-14 20:44 libdl.so.2
    -rw-r--r--  1 root root   76760 2006-04-14 20:44 libnsl.so.1
    -rw-r--r--  1 root root   67364 2006-04-14 20:44 libresolv.so.2
    -rw-r--r--  1 root root    9656 2006-04-14 20:44 libutil.so.1
    
    ./usr:
    total 8
    drwxr-xr-x  2 root root 4096 2006-04-14 20:44 bin
    drwxr-xr-x  5 root root 4096 2006-04-14 20:44 lib
    
    ./usr/bin:
    total 56
    -rwxr-xr-x  1 root root 18960 2006-04-14 20:44 rssh
    -rwxr-xr-x  1 root root 34884 2006-04-14 20:44 scp
    
    ./usr/lib:
    total 92
    drwxr-xr-x  3 root root  4096 2006-04-14 20:44 i686
    -rw-r--r--  1 root root 77208 2006-04-14 20:44 libz.so.1
    drwxr-xr-x  2 root root  4096 2006-04-14 20:44 openssh
    drwxr-xr-x  2 root root  4096 2006-04-14 20:44 rssh
    
    ./usr/lib/i686:
    total 4
    drwxr-xr-x  2 root root 4096 2006-04-14 20:44 cmov
    
    ./usr/lib/i686/cmov:
    total 1004
    -rw-r--r--  1 root root 1022224 2006-04-14 20:44 libcrypto.so.0.9.7
    
    ./usr/lib/openssh:
    total 28
    -rwxr-xr-x  2 root root 27184 2006-04-14 20:44 sftp-server
    
    ./usr/lib/rssh:
    total 8
    -rwsr-xr-x  1 root root 6680 2006-04-14 20:44 rssh_chroot_helper
    Right, sftp-server is present in /home/chroot/usr/lib/openssh and /home/chroot/lib/. Now, let's make a link in /home/chroot/usr/lib...
    Code:
    user@ubuntubox:/home/chroot$ sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/
    And try to sftp in...
    Code:
    user@ubuntubox:~$ sftp sft@localhost
    Connecting to localhost...
    sft@localhost's password:
    sftp> pwd
    Remote working directory: /home/sft
    sftp> ls
    test.txt
    sftp> get test.txt
    Fetching /home/sft/test.txt to test.txt
    /home/sft/test.txt                            100%    6     0.0KB/s   00:00
    sftp> bye
    user@ubuntubox:~$ cat ./test.txt
    Successful sftp test!
    Ta-daa! I am honestly not sure what went wrong during setup - was it because my /etc/sshd_config points at /usr/lib/sftp-server as the location of sftp-server?
    Code:
    user@ubuntubox:~$ cat /etc/ssh/sshd_config | grep sftp
    Subsystem sftp /usr/lib/sftp-server
    Anyway, I'm just glad to get it working. Thanks for your help, Jimmy!

    // Dave
    Last edited by juicybananahead; April 17th, 2006 at 02:26 PM.

  4. #14
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Oh, thanks. You found an error in my howto. I wrote
    Now you have to fix your chroot directory setup (you need to be able to run "/usr/lib/sftp-server" even when chrooted). To do this, create a hard link for "/home/chroot/usr/lib/openssh/sftp-server" at "/home/chroot/lib/" using the following command:
    Code:
    sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/lib/
    It should be:
    Now you have to fix your chroot directory setup (you need to be able to run "/usr/lib/sftp-server" even when chrooted). To do this, create a hard link for "/home/chroot/usr/lib/openssh/sftp-server" at "/home/chroot/usr/lib/" using the following command:
    Code:
    sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/
    I'll be sure to correct this in the howto. Thanks again. Sorry for the trouble.
    -Jimmy

  5. #15
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Oh juicybananahead, you do not need sftp-server in /home/chroot/lib/. You can delete that one if you created it.
    -Jimmy

  6. #16
    Join Date
    Aug 2005
    Beans
    173

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I'm getting this error, any suggestions would be great:

    Code:
    Apr 27 09:47:32 localhost rssh[25930]: command: /usr/lib/sftp-server
    Apr 27 09:48:00 localhost rssh[25948]: setting log facility to LOG_USER
    Apr 27 09:48:00 localhost rssh[25948]: setting umask to 022
    Apr 27 09:48:00 localhost rssh[25948]: chrooting all users to /home/chroot
    Apr 27 09:48:00 localhost rssh[25948]: user sft attempted to execute forbidden commands
    Apr 27 09:48:00 localhost rssh[25948]: command: /usr/lib/sftp-server

  7. #17
    Join Date
    Aug 2005
    Beans
    173

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    ahh found my problem, have to edit rssh.config and add sftp as an allowed command

  8. #18
    Join Date
    May 2006
    Beans
    17

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi,

    I'm having the same problem as Mega, but my /etc/rssh.conf is correct.

    Code:
    May 13 00:30:47 localhost rssh[7527]: setting log facility to LOG_USER
    May 13 00:30:47 localhost rssh[7527]: allowing scp to all users
    May 13 00:30:47 localhost rssh[7527]: allowing sftp to all users
    May 13 00:30:47 localhost rssh[7527]: setting umask to 022
    May 13 00:30:47 localhost rssh[7527]: chrooting all users to /home/chroot
    May 13 00:30:47 localhost rssh[7527]: user test attempted to execute forbidden commands
    May 13 00:30:47 localhost rssh[7527]: command: /usr/lib/openssh/sftp-server
    I can use the "scp" command, but I'm not having success with sftp.

    Any idea?

    PS: OK, my fault!! I found the problem: the sftp-server's path. This howto is perfectly correct, but I don't know whether the passwd file inside the jail is really necessary. I don't have this file and the jail works.
    Last edited by chuckao; May 14th, 2006 at 06:19 PM.

  9. #19
    Join Date
    Apr 2006
    Beans
    2

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I followed through with your tutorial, but I had a few differences... I'm running Dapper, so that's what's to be expected. When I ran rssh -v, I had the following:
    Code:
    # rssh -v
    
    rssh 2.3.0
    Copyright 2002-5 Derek D. Martin <rssh-discuss at lists dot sourceforge dot net>
        rssh config file = /etc/rssh.conf
      chroot helper path = /usr/lib/rssh/rssh_chroot_helper
         scp binary path = /usr/bin/scp
      sftp server binary = /usr/lib/openssh/sftp-server
         cvs binary path = /usr/bin/cvs
       rdist binary path = /usr/bin/rdist
       rsync binary path = /usr/bin/rsync
    This means that rssh thinks the sftp-server command is in /usr/lib/openssh, correct? So, I set up the mkchroot.sh script as follows
    Code:
    # nano ~/mkchroot.sh
    ...
    scp_path="/usr/bin/scp"
    sftp_server_path="/usr/lib/openssh/sftp-server"
    rssh_path="/usr/bin/rssh"
    chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"
    ...
    Now for the part about creating the sym/hard links and editing /etc/ssh/sshd_config, I shouldn't need to do that since rssh knows the proper directory for sftp-server, correct? I didn't think so at first, so I skipped over that part and finished the tutorial, but when I try to log in I immediately get a connection closed after typing the correct password, and my logs show
    Code:
    # cat /var/log/syslog | tail -8
    May 13 12:38:33 localhost rssh[22813]: setting umask to 022
    May 13 12:38:33 localhost rssh[22813]: chrooting all users to /media/files/pub
    May 13 12:38:33 localhost rssh[22813]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
    May 13 12:38:33 localhost rssh_chroot_helper[22813]: new session for sft, UID=10000
    May 13 12:38:33 localhost rssh_chroot_helper[22813]: user's home dir is /media/files/pub/home/sft
    May 13 12:38:33 localhost rssh_chroot_helper[22813]: chrooted to /media/files/pub
    May 13 12:38:33 localhost rssh_chroot_helper[22813]: changing working directory to /home/sft (inside jail)
    May 13 12:38:33 localhost rssh_chroot_helper[22813]: execv() failed, /usr/lib/openssh/sftp-server: Permission denied
    So, I went through the linking + editing process, and got the same error logging in, but a different error in the logs:
    Code:
    # cat /var/log/syslog | tail -8
    May 13 12:59:31 localhost rssh[23480]: user sft attempted to execute forbidden commands
    May 13 12:59:31 localhost rssh[23480]: command: /usr/lib/sftp-server
    May 13 13:01:40 localhost rssh[23644]: setting log facility to LOG_USER
    May 13 13:01:40 localhost rssh[23644]: allowing sftp to all users
    May 13 13:01:40 localhost rssh[23644]: setting umask to 022
    May 13 13:01:40 localhost rssh[23644]: chrooting all users to /media/files/pub
    May 13 13:01:40 localhost rssh[23644]: user sft attempted to execute forbidden commands
    May 13 13:01:40 localhost rssh[23644]: command: /usr/lib/sftp-server
    I'm pretty sure that log contains two failed login attempts, not just one, as can be seen from the timestamps. So it seemed I was right the first time, but that still leaves the permission error. I checked, and rssh_chroot_helper is set chmod u+s, both the real file and the chrooted one. Both the real and chrooted sftp-server files are executable by world, and their directories can be read/browsed by world. So I'm stuck now; anybody have any ideas what the problem is?

    Before I forget, my /etc/rssh/rssh.config
    Code:
    # cat /etc/rssh/rssh.config
    # This is the default rssh config file
    
    # set the log facility.  "LOG_USER" and "user" are equivalent.
    logfacility = LOG_USER
    
    # Leave these all commented out to make the default action for rssh to lock
    # users out completely...
    
    #allowscp
    allowsftp
    #allowcvs
    #allowrdist
    #allowrsync
    
    # set the default umask
    umask = 022
    
    # If you want to chroot users, use this to set the directory where the root of
    # the chroot jail will be located.
    #
    # if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
     chrootpath = "/media/files/pub"
    
    # You can quote anywhere, but quotes not required unless the path contains a
    # space... as in this example.
    #chrootpath = "/usr/local/my chroot"
    
    ##########################################
    # EXAMPLES of configuring per-user options
    
    #user=rudy:077:00010:  # the path can simply be left out to not chroot
    #user=rudy:077:00010   # the ending colon is optional
    
    #user=rudy:011:00100:  # cvs, with no chroot
    #user=rudy:011:01000:  # rdist, with no chroot
    #user=rudy:011:10000:  # rsync, with no chroot
    #user="rudy:011:00001:/usr/local/chroot"  # whole user string can be quoted
    #user=rudy:01"1:00001:/usr/local/chroot"  # or somewhere in the middle, freak!
    #user=rudy:'011:00001:/usr/local/chroot'  # single quotes too
    
    # if your chroot_path contains spaces, it must be quoted...
    # In the following examples, the chroot_path is "/usr/local/my chroot"
    #user=rudy:011:00001:"/usr/local/my chroot"  # scp with chroot
    #user=rudy:011:00010:"/usr/local/my chroot"  # sftp with chroot
    #user=rudy:011:00011:"/usr/local/my chroot"  # both with chroot
    
    # Spaces before or after the '=' are fine, but spaces in chrootpath need
    # quotes.
    #user = "rudy:011:00001:/usr/local/my chroot"
    #user = "rudy:011:00001:/usr/local/my chroot"  # neither do comments at line end
    And the relevant line from /etc/passwd (present in the chrooted directory)
    Code:
    # cat passwd
    sft:x:10000:10000:New User,,,:/home/sft:/usr/bin/rssh
    Let me know if you need more info.

    EDIT:
    OK, I wasn't thinking. I had the filesystem the chrooted environment was in mounted noexec, so of course I was getting permission denied errors. A simple remount solved my problem.
    Last edited by OnlyJedi; May 13th, 2006 at 07:01 PM. Reason: Problem solved
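Between them, the posts above hit four separate causes of the same symptom (password accepted, then "Connection closed"): sftp-server not present inside the jail at the path named by sshd's "Subsystem sftp" line (#12 to #14, #18), "allowsftp" left commented out in rssh.conf (#16, #17), the jail living on a filesystem mounted noexec (#19), and shared libraries missing under the jail (#12). The script below is an added example and is not from the howto, from Jimmy or from any other poster; it runs the corresponding checks against a jail from the host side, without logging in. It takes the jail root, sshd_config, rssh.conf and a file in /proc/mounts format as arguments (pass /proc/mounts itself on a live host), and asks ldd about the host's copy of sftp-server to learn which libraries the jail must carry. The toy jail built by make_toy_jail, and the "good"/"broken" layouts it writes, are constructed for this example and mirror the listing in post #13.

```sh
#!/bin/sh
# Added example, not from the howto or any post in this thread: host-side sanity
# checks for an rssh sftp chroot jail, one per failure mode reported above:
# sftp-server absent at the "Subsystem sftp" path, allowsftp not enabled,
# jail on a noexec mount, libraries missing under the jail.
# make_toy_jail builds a constructed fixture so the whole file runs offline.

# Print the program sshd starts for the sftp subsystem; rssh gets it as its -c command.
sshd_sftp_path() {    # sshd_sftp_path SSHD_CONFIG
    awk 'tolower($1) == "subsystem" && tolower($2) == "sftp" { print $3; exit }' "$1"
}

# Succeed if rssh.conf contains an active (uncommented) allowsftp directive.
rssh_allows_sftp() {  # rssh_allows_sftp RSSH_CONF
    grep -Eq '^[[:space:]]*allowsftp[[:space:]]*(#.*)?$' "$1"
}

# Succeed if PATH exists and is executable inside JAIL, i.e. JAIL/PATH on the host.
jail_has_binary() {   # jail_has_binary JAIL PATH
    [ -x "$1$2" ]
}

# List libraries the host copy of BIN needs (per ldd) that are absent under JAIL.
# The vDSO line carries no path and is skipped; empty output means nothing is missing.
jail_missing_libs() { # jail_missing_libs JAIL BIN
    ldd "$2" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
        while IFS= read -r lib; do
            [ -e "$1$lib" ] || printf '%s\n' "$lib"
        done
}

# Succeed if DIR lies on a filesystem mounted noexec, judged from a file in
# /proc/mounts format (pass /proc/mounts on a live host). The longest mount
# point that is a prefix of DIR is the one that applies, as the kernel sees it.
dir_is_noexec() {     # dir_is_noexec MOUNTS_FILE DIR
    awk -v dir="$2" '
        { mp = $2; prefix = (mp == "/") ? "/" : (mp "/")
          if ((dir == mp || index(dir, prefix) == 1) && length(mp) > best) { best = length(mp); opts = $4 } }
        END { n = split(opts, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0; exit 1 }' "$1"
}

# Print one result line and count failures in the caller's $fails.
report() {            # report ok|FAIL MESSAGE
    echo "$1: $2"; [ "$1" = ok ] || fails=$((fails + 1))
}

# Run every check and return the number of failures (0 means the jail looks usable).
check_jail() {        # check_jail JAIL SSHD_CONFIG RSSH_CONF MOUNTS_FILE
    jail=$1; fails=0
    sftp=$(sshd_sftp_path "$2")
    if [ -z "$sftp" ]; then report FAIL "no 'Subsystem sftp' line in $2"
    elif jail_has_binary "$jail" "$sftp"; then report ok "$jail$sftp present and executable"
    else report FAIL "$sftp missing inside $jail (execv() failed: No such file or directory)"; fi
    if rssh_allows_sftp "$3"; then report ok "allowsftp enabled in $3"
    else report FAIL "allowsftp not enabled in $3 (rssh: attempted to execute forbidden commands)"; fi
    if dir_is_noexec "$4" "$jail"; then report FAIL "$jail is on a noexec mount (execv() failed: Permission denied)"
    else report ok "$jail is not on a noexec mount"; fi
    if [ -x "$sftp" ]; then   # host copy present, so ldd can say what the jail must carry
        missing=$(jail_missing_libs "$jail" "$sftp")
        if [ -n "$missing" ]; then report FAIL "libraries missing under $jail: $(echo $missing)"
        else report ok "every library of $sftp is present under $jail"; fi
    fi
    return "$fails"
}

# Constructed fixture: a toy jail plus config files under DIR. MODE "good" mirrors
# the working layout from post #13 (hard link at usr/lib/sftp-server, allowsftp on,
# normal mount); "broken" reproduces the three mistakes from the thread at once.
make_toy_jail() {     # make_toy_jail DIR good|broken
    mkdir -p "$1/jail/usr/lib/openssh" "$1/jail/home/sft"
    printf '#!/bin/sh\nexit 0\n' > "$1/jail/usr/lib/openssh/sftp-server"
    chmod 755 "$1/jail/usr/lib/openssh/sftp-server"
    printf 'Subsystem sftp /usr/lib/sftp-server\n' > "$1/sshd_config"
    if [ "$2" = good ]; then
        ln "$1/jail/usr/lib/openssh/sftp-server" "$1/jail/usr/lib/sftp-server"
        printf 'logfacility = LOG_USER\nallowsftp\nchrootpath = "%s"\n' "$1/jail" > "$1/rssh.conf"
        printf '/dev/sda1 / ext3 rw 0 0\n/dev/sdb1 %s ext3 rw 0 0\n' "$1" > "$1/mounts"
    else
        printf 'logfacility = LOG_USER\n#allowsftp\nchrootpath = "%s"\n' "$1/jail" > "$1/rssh.conf"
        printf '/dev/sda1 / ext3 rw 0 0\n/dev/sdb1 %s ext3 rw,noexec 0 0\n' "$1" > "$1/mounts"
    fi
}

# Stand-alone demo: the broken jail reports three failures, the repaired one none.
tmp=$(mktemp -d)
for mode in broken good; do
    make_toy_jail "$tmp/$mode" "$mode"
    echo "== $mode jail"
    check_jail "$tmp/$mode/jail" "$tmp/$mode/sshd_config" "$tmp/$mode/rssh.conf" "$tmp/$mode/mounts" ||
        echo "$? check(s) failed"
done
rm -rf "$tmp"
```

Against a real host, source the functions and call check_jail /home/chroot /etc/ssh/sshd_config /etc/rssh.conf /proc/mounts (adjust the paths to those your rssh -v prints). The noexec check parses a mounts file instead of calling findmnt or mount so the same function can be exercised on constructed data; the rest of the script deliberately reads the same inputs sshd and rssh read, so a clean report means the jail should at least get past execv().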

  10. #20
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by chuckao
    PS: OK, my fault!! I found the problem: the sftp-server's path. This howto is perfectly correct, but I don't know whether the passwd file inside the jail is really necessary. I don't have this file and the jail works.
    I added this because I adapted this from the gentoo one. They mentioned it, so I figured that I'd add it too. I think it is only needed for scp though.
    -Jimmy
