Hi rssh users,

This is a slightly modified cross-post from Debian User Forums (http://forums.debian.net/). There alternative solutions were recommended, but I want to use rssh.

-------------------------------------------------------------------------------
The goal:
-------------------------------------------------------------------------------
I'm trying to set up a Lenny server to provide chrooted sftp-only access to a subset of users using rssh. I had the same configuration working on sarge and etch (with rssh). I still have a working environment on a sarge installation.

-------------------------------------------------------------------------------
How I am trying to achieve it:
-------------------------------------------------------------------------------
I started from a clean Lenny install. I apt-get installed rssh, edited /etc/rssh.conf like this:

user = user:022:00011:/home/user

Edited /etc/passwd:

user:x:1000:1000:User,,,:/home/user:/usr/bin/rssh

Then created a chroot environment using:

/usr/share/doc/rssh/examples/mkchroot.sh

The (later modified) chroot environment looks like this:

debian:/home/user# ls -R
.:
dev etc lib usr

./dev:
log null

./etc:
ld.so.cache ld.so.conf ld.so.conf.d nsswitch.conf passwd shadow

./etc/ld.so.conf.d:
i486-linux-gnu.conf libc.conf

./lib:
i686 libnss_files-2.7.so libpamc.so.0 ld-linux.so.2 libnss_files.so.2 libpamc.so.0.81.0 libcom_err.so.2 libnss_hesiod-2.7.so libpam_misc.so.0 libkeyutils.so.1 libnss_hesiod.so.2 libpam_misc.so.0.81.3 libnss_compat-2.7.so libnss_nis-2.7.so libpam.so.0 libnss_compat.so.2 libnss_nisplus-2.7.so libpam.so.0.81.12 libnss_dns-2.7.so libnss_nisplus.so.2 libnss_dns.so.2 libnss_nis.so.2

./lib/i686:
cmov

./lib/i686/cmov:
libcrypt.so.1 libdl.so.2 libpthread.so.0 libutil.so.1 libc.so.6 libnsl.so.1 libresolv.so.2

./usr:
bin lib

./usr/bin:
rssh scp

./usr/lib:
i686 libk5crypto.so.3 libkrb5support.so.0 openssh libgssapi_krb5.so.2 libkrb5.so.3 libz.so.1 rssh

./usr/lib/i686:
cmov

./usr/lib/i686/cmov:
libcrypto.so.0.9.8

./usr/lib/openssh:
sftp-server

./usr/lib/rssh:
rssh_chroot_helper

-------------------------------------------------------------------------------
The problem:
-------------------------------------------------------------------------------
It's not working, "user" can use neither sftp nor scp. If I start sshd with

# /usr/sbin/sshd -p2222 -ddd

and user tries to log in on port 2222, this gets logged:

subsystem request for sftp
debug1: subsystem: exec() /usr/lib/openssh/sftp-server
debug2: fd 3 setting TCP_NODELAY
debug2: fd 10 setting O_NONBLOCK
debug2: fd 9 setting O_NONBLOCK
debug3: mm_request_receive entering
debug1: Received SIGCHLD.

Seems like the sftp-server can't start up. The client log is like this:

debian:~# sftp -v u...@localhost
Connecting to localhost...
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
u...@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1424, received 1960 bytes, in 0.0 seconds
Bytes per second: sent 43261.7, received 59545.7
debug1: Exit status -1
Connection closed
debian:~#

-------------------------------------------------------------------------------
What I have tried so far:
-------------------------------------------------------------------------------
# cp /etc/shadow /home/user/etc/shadow
# cp /lib/libnss_* /home/user/lib/
# cp /lib/libpam* /home/user/lib/

Didn't make any difference.

# chown a+s /usr/lib/rssh/rssh_chroot_helper

Surprisingly, setuid was not set by "apt-get install". But it didn't solve the problem.

Setting "UsePrivilegeSeparation no" in the sshd config file.

Tried the same setup without chroot. If the rssh.config looks like this:

user = user:022:00011:

It's working, the user can only log in with sftp, but obviously is not chrooted.

The following command doesn't exit immediately:

/home/user# chroot . usr/lib/openssh/sftp-server

It behaves the same way as on Sarge with a working setup.

I've tried using the chroot environment from the working Sarge setup. It didn't work.

Added "/usr/bin/rssh" to /etc/shells. Didn't solve the problem.

scponly:
I've tried scponly as an alternative solution. It also works without the chroot jail. When trying scponlyc (the chrooted version), I created the chroot with

/usr/share/doc/scponly/setup_chroot/setup_chroot.sh.gz

The results are the same. The log is also the same:

subsystem request for sftp
debug1: subsystem: exec() /usr/lib/openssh/sftp-server
debug2: fd 3 setting TCP_NODELAY
debug2: fd 10 setting O_NONBLOCK
debug2: fd 9 setting O_NONBLOCK
User child is on pid 3808
debug3: mm_request_receive entering
debug1: Received SIGCHLD.

-------------------------------------------------------------------------------
How can I get more debug information?
What could have changed from Etch to Lenny in this area?
Any other ideas, suggestions?

Thanks for your help,
--
Mate

_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
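One way to get more information out of a jail like the one above, as an added example that is not part of the post and not rssh's own code: run on the host, it compares the libraries that `ldd` reports for a binary against what exists under the jail root, checks a short list of files the jail listing in the post shows (assumed here to be required, not a complete specification), and reports whether rssh_chroot_helper carries the setuid bit. The jail root, binary paths and sample `ldd` lines are assumptions taken from the post.

```shell
#!/bin/sh
# check_jail.sh: added diagnostic example, not code from the post or from rssh.
# Usage: sh check_jail.sh JAIL_ROOT BINARY...   e.g. /home/user /usr/lib/openssh/sftp-server
# Run on the host: a library the binary needs but the jail lacks makes the dynamic
# loader die before sftp-server can log anything, which "sshd -ddd" shows only as
# "Received SIGCHLD" right after the exec() line.

# Read `ldd BINARY` output on stdin; print each needed library absent under jail $1.
jail_missing_libs() {
    jail=$1
    while IFS= read -r line; do
        case $line in
            *'not found'*) set -- $line; printf 'host itself lacks %s\n' "$1"; continue ;;
            *'=>'*) rest=${line#*=>} ;;   # "libc.so.6 => /lib/i686/cmov/libc.so.6 (0x...)"
            */*)    rest=$line ;;         # "/lib/ld-linux.so.2 (0x...)"
            *)      continue ;;
        esac
        set -- $rest                      # word-split: $1 is the path (or the vdso's address)
        case $1 in
            /*) [ -e "$jail$1" ] || printf '%s\n' "$1" ;;
        esac
    done
}

# Files a chrooted sftp-server relies on, taken from the jail listing in the post
# (assumed list, not a complete specification); print the ones absent under jail $1.
jail_missing_files() {
    jail=$1
    for f in /dev/null /etc/passwd /etc/nsswitch.conf /etc/ld.so.cache \
             /lib/libnss_files.so.2 /usr/lib/openssh/sftp-server \
             /usr/lib/rssh/rssh_chroot_helper; do
        [ -e "$jail$f" ] || printf '%s\n' "$f"
    done
}

# rssh can only chroot if its helper is setuid root: true when the setuid bit is set on $1.
helper_is_setuid() {
    [ -u "$1" ]
}

if [ $# -ge 2 ]; then
    jail=$1; shift
    echo "== required files missing from $jail"
    jail_missing_files "$jail"
    for bin; do
        echo "== libraries needed by $bin missing from $jail"
        ldd "$bin" | jail_missing_libs "$jail"
    done
    helper_is_setuid /usr/lib/rssh/rssh_chroot_helper || echo "rssh_chroot_helper is not setuid"
fi
```

An empty report from both checks means the loader should at least get past library resolution, so the next place to look is the helper's setuid bit and the nsswitch/passwd lookup inside the jail.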
