Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-09 Thread Bob Goldberg
Sven;

tx again, for your reply...

my only interest is sftp - so maybe scponly/rssh is worth looking at

i've ruled out proftpd on the port 22 issues alone. so failing rssh, i
guess i'll just have to deal with added directory layers, and stock
openssh; though still toying with idea of mysecureshell; have used it
previously with good results, but really wanted to try to stay true to the
dist. this time around

actually just had a thought - i didn't try doing a root:root chmod 750, and
then over-riding with a group-specific acl. wonder if chroot would behave
well in that cross-circuit... :-)


Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-07 Thread Sven Hoexter
On Mon, Jan 06, 2014 at 03:47:59PM -0600, Bob Goldberg wrote:
> On Sat, Jan 4, 2014 at 7:26 AM, Sven Hoexter s...@timegate.de wrote:
>
> > I'm not sure how the OpenSSH implementation handles ACLs, maybe that's
> > an option but I did not test it.
>
> my first problem is successfully logging in with sftp-only and chroot'ing
> in place. AFAIK - ACL's would only come into play afterward.

Yes, but that should work. I read your mail as saying it does not work if you
enhance the $HOME to group writeable or something like that.
I did not verify that case at all.

So I would start with setting it up user access only and try to add ACLs
to make it group writeable or whatever is required later on.

> proftpd:
> 1) wheezy does not have an sftp module

No,
$ cat /etc/debian_version 
7.3
$ dpkg -L proftpd-basic|grep sftp
/usr/lib/proftpd/mod_sftp.so
/usr/lib/proftpd/mod_sftp_sql.so
/usr/lib/proftpd/mod_sftp_pam.so


> 2) proftpd appears to rely on openssh for sftp, so appears to add no value.

No, it's a standalone implementation.


> 3) IF proftpd did provide working sftp - appears that it can not share port
> 22 w/ openssh (which i do still need for full-access users unrelated to
> SFTP).

True, you can of course do nasty quirks with iptables to NAT to different ports
depending on the source IP. But that is really nasty.


> scponly:  does not appear to be provided in wheezy !?!? can't find out
> why

[Date: Mon, 23 Jan 2012 22:09:19 +] [ftpmaster: Luca Falavigna]
Removed the following packages from unstable:

     scponly |    4.8-4.1 | source, amd64, armel, armhf, hurd-i386, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
scponly-full |    4.8-4.1 | amd64, armel, armhf, hurd-i386, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
Closed bugs: 650590

--- Reason ---
RoQA; RC buggy, unmaintained, replacement exists
--

from https://ftp-master.debian.org/removals-2012.txt

Though nothing prohibits you from building a package based on the last version
found on snapshot.debian.org or just use the source Luke. ;)


> rssh/rush:
> 1) not sure what is: diff rssh rush  (searches come up worthless to answer
> this)

Different implementation/software for a similar/same task.


> 3) mixed security record is a big concern.

Well I can mostly speak for the scponly case: Parsing commandline arguments
in a safe way for different tools like svn, rsync etc. is hard. If you disable
most of that and only stick to the sftp support it's quite solid.

Still, if I have a chance I would try to rely on the sftp-internal and chroot()
functionality of OpenSSH.

Sven
-- 
we live we love we learn and breathe
each breath we take makes me believe that we can take this road forever
if we take this road together
 [ AZ0 - Endless Roads ]


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140107094032.ga3...@timegate.de



Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-06 Thread Bob Goldberg
On Sat, Jan 4, 2014 at 7:26 AM, Sven Hoexter s...@timegate.de wrote:

> I'm not sure how the OpenSSH implementation handles ACLs, maybe that's
> an option but I did not test it.


my first problem is successfully logging in with sftp-only and chroot'ing
in place. AFAIK - ACL's would only come into play afterward.


> Then there is Proftpd which has a mod_sftp extension.
>
> And there are still the solutions which predate the chroot() and
> sftp-internal implementation possible with OpenSSH like
> - scponly
> - rssh
> - rush
>
> All of them have a somewhat mixed security record and have some cost in
> terms of chroot setup and maintaining them properly.


Sven, TX much for your reply...

proftpd:
1) wheezy does not have an sftp module
2) proftpd appears to rely on openssh for sftp, so appears to add no value.
3) IF proftpd did provide working sftp - appears that it can not share port
22 w/ openssh (which i do still need for full-access users unrelated to
SFTP).

scponly:  does not appear to be provided in wheezy !?!? can't find out
why

rssh/rush:
1) not sure what is: diff rssh rush  (searches come up worthless to answer
this)
2) i haven't used rssh in a very long time - i guess i have to dig into it
again to see if it will allow chroot'ing with group w perms.
3) mixed security record is a big concern.


Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-04 Thread Sven Hoexter
On Fri, Jan 03, 2014 at 04:14:42PM -0600, Bob Goldberg wrote:

> so my question now very simply becomes:
> what do demanding admin's choose as a preferred SFTP server, that allows
> chrooting WITH group w access

I'm not sure how the OpenSSH implementation handles ACLs, maybe that's
an option but I did not test it.

Then there is Proftpd which has a mod_sftp extension.

And there are still the solutions which predate the chroot() and sftp-internal
implementation possible with OpenSSH like
- scponly
- rssh
- rush

All of them have a somewhat mixed security record and have some cost in
terms of chroot setup and maintaining them properly.

Sven
-- 
There we were, the three of us, the thief the king and I.
Finally, we were forced to see, we were equals in the night.
[Streetlight Manifesto - The three of us]





Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-04 Thread Balint Szigeti

On 04/01/14 13:26, Sven Hoexter wrote:

> On Fri, Jan 03, 2014 at 04:14:42PM -0600, Bob Goldberg wrote:
>
> > so my question now very simply becomes:
> > what do demanding admin's choose as a preferred SFTP server, that allows
> > chrooting WITH group w access
>
> I'm not sure how the OpenSSH implementation handles ACLs, maybe that's
> an option but I did not test it.
>
> Then there is Proftpd which has a mod_sftp extension.
>
> And there are still the solutions which predate the chroot() and sftp-internal
> implementation possible with OpenSSH like
> - scponly
> - rssh
> - rush
>
> All of them have a somewhat mixed security record and have some cost in
> terms of chroot setup and maintaining them properly.
>
> Sven

Hello

I think it's implementable on Debian as well.
https://sites.google.com/site/jupiter2005ster/redhat-centos/sftp-server





Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-04 Thread Chris Davies
Bob Goldberg bobg.h...@gmail.com wrote:
> trying to determine best solution for an SFTP server.
>
>    vsftpd appears to be my current best choice

vsftpd is Very Secure FTP Daemon. It does FTP well (cleartext passwords
notwithstanding). It doesn't do SFTP (file transfer over ssh).


> users must be chroot'ed to /home/chroot/home/username.
>    users belong to the chroot group.
>    their home dir down, need all be group owned by chmgr.
>    home dir down; should all be chmod 770(dir)/660(files). so user and
> managers (chmgr group) all have rw access to files, and rwx /dirs; with
> other having no rights at all.
>
> managers ideally chroot'ed to /home/chroot/home.
>    they can access all username folders, and transfer files in/out of
> each.
>    they belong to the chmgr group.

Sounds exactly like a job for the Match directive within a standard
sshd_config (openssh-server).

Chris





Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-04 Thread emmanuel segura
Match User user01
    ChrootDirectory /home
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Match User user02
    ChrootDirectory /home
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

useradd -m user01
useradd -m user02

chmod 300 /home/user02

restart sshd daemon

[root@nod01 ~]# sftp user02@localhost
user02@localhost's password:
Connected to localhost.
sftp> cd user02
sftp> ls
remote readdir(/user02): Permission denied
sftp> mkdir hello

In a few words, the user user02 can only write and user user01 can write and
read






-- 
this is my life and I live it for as long as God wills


Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-04 Thread Balint Szigeti

Hello

I'm so sorry to cite from a website but when I tried to send the link of 
the site I got a bounce error from lists.debian... so here is the site:


This came up today where I needed to give secure file transfer to
customers. To complicate things I had to use an out-of-the-box RHEL6
system. The obvious answer was to use SSH and limit those users to SFTP
only. Locking them into a chroot was not a requirement, but it seemed
like a good idea to me. I found plenty of docs that got 80% of the way,
or took a shortcut, but this should be complete.

The basic steps are:

1. Create a group and the users to that group
2. Modify the SSH daemon configuration to limit a group to sftp only
3. Setup file system permissions
4. Configure SELinux
5. Test (of course)

Without further ado, let's get started. It should only take about 10
minutes, nothing here is especially complex.

Create a group that is limited to SFTP only and a user to be in that
group.

    groupadd sftponly
    useradd sftptest
    usermod -aG sftponly sftptest

Now you need to make a little change to /etc/ssh/sshd_config.
There will be a Subsystem line for sftp which you need to change to read:

    Subsystem   sftp   internal-sftp

Now you need to create a block at the end to limit members of a group
(i.e. the sftponly group you created above) and chroot them. Simply add
the following to the end of the file:

    Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

These changes will require a reload of the SSH daemon:

    service sshd reload

Now you need to make some file permission changes. For some reason
which I cannot work out for now, the home directory must be owned by
root and have the permissions 755. So we will also need to make a folder
in the home directory to upload to and make that owned by the user.

    sudo -u sftptest mkdir -pv /home/sftptest/upload
    chown root. /home/sftptest
    chmod 755 /home/sftptest
    chgrp -R sftponly /home/sftptest

The last thing we need to do is tell SELinux that we want to upload
files via SFTP to a chroot as it is read-only by default. Of course you
are running SELinux in enforcing mode aren't you :)

    setsebool -P ssh_chroot_rw_homedirs on

Now from another console you can sftp to your server

    sftp sftptest@server

You should then be able to put a file in your upload folder. However if
you try to ssh to the server as the user sftptest it should tell you to
go away. Of course you should be able to ssh as your normal user with no
problem. Pro tip: make sure to leave a root terminal open just in case.

I'm sure it can be used on Debian as well.

Balint



Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-04 Thread Chris Bannister
[Please don't top post on this mailing list.]

On Sat, Jan 04, 2014 at 03:34:58PM +, Balint Szigeti wrote:
> Hello
>
> I'm so sorry to cite from a website but when I tried to send the
> link of the site I got a bounce error from lists.debian.

That is weird!  I suggest it wasn't just a simple copy and paste,
otherwise it wouldn't have happened.

-- 
If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing. --- Malcolm X





Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-03 Thread Bob Goldberg
trying to determine best solution for an SFTP server.

   vsftpd appears to be my current best choice, mostly because it's
supported by the distribution; but i'm not sure it meets my needs.
   I know mysecureshell meets my needs; but it's a sourceforge project, and
not directly supported by the deb dist.

Here's where my needs cause problems - especially with chroot/openssh:
i have 2 classes of users accessing this sftp server.
users and managers. The problem is that managers need group rw
rights, and normal chroot does not allow for ANY group w rights.

users must be chroot'ed to /home/chroot/home/username.
   users belong to the chroot group.
   their home dir down, need all be group owned by chmgr.
   home dir down; should all be chmod 770(dir)/660(files). so user and
managers (chmgr group) all have rw access to files, and rwx /dirs; with
other having no rights at all.

managers ideally chroot'ed to /home/chroot/home.
   they can access all username folders, and transfer files in/out of
each.
   they belong to the chmgr group.


so - yes, i know i can chmod 750 the username dir, and then use sub-dir's
under that are chmod 770; but this is messy, and forces another layer of
dir's i'd prefer not to have.


so i guess my main question, simply is - can i do what i want with:
- vsftpd ?  (preferred as is dist. supported)
- other ?
- mysecureshell - i KNOW this will do what i want; but not dist. supported.

what do demanding admin's choose as their preferred sftp server ?
TIA - Bob
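
The restriction described in this post ("normal chroot does not allow for ANY group w rights") comes from a check sshd makes at session start: every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or other. The shell function below is an added example, not part of the original post, that applies the same test to a path; the OWNER_UID and BASE arguments are hypothetical additions for dry runs on a staging tree, and GNU `stat -c` (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): report why sshd would accept or refuse
# a directory as ChrootDirectory. sshd requires every component of the path,
# from / down to the chroot itself, to be owned by root and not writable by
# group or other.
#
# usage: check_chroot_path PATH [OWNER_UID] [BASE]
#   OWNER_UID and BASE are assumptions added for dry runs as a non-root user;
#   sshd itself always expects uid 0 and starts at /.
#   Returns 0 if every component passes, 1 if any fails, 2 on a bad path.

check_chroot_path() {
    ccp_uid=${2:-0}
    ccp_rc=0
    # Resolve symlinks first so each component examined is a real directory.
    ccp_dir=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: not an accessible directory"
        return 2
    }
    ccp_base=$(CDPATH= cd -- "${3:-/}" 2>/dev/null && pwd -P) || {
        echo "FAIL ${3:-/}: base is not an accessible directory"
        return 2
    }
    while :; do
        ccp_owner=$(stat -c %u "$ccp_dir")
        ccp_mode=$(stat -c %a "$ccp_dir")
        if [ "$ccp_owner" -ne "$ccp_uid" ]; then
            echo "FAIL $ccp_dir: owner uid $ccp_owner, expected $ccp_uid"
            ccp_rc=1
        elif [ $(( 0$ccp_mode & 022 )) -ne 0 ]; then
            # 022 = group-write and other-write bits
            echo "FAIL $ccp_dir: mode $ccp_mode is group- or world-writable"
            ccp_rc=1
        else
            echo "ok   $ccp_dir: uid $ccp_owner, mode $ccp_mode"
        fi
        # Stop once the base (default /) itself has been checked.
        if [ "$ccp_dir" = "$ccp_base" ] || [ "$ccp_dir" = "/" ]; then
            break
        fi
        ccp_dir=$(dirname "$ccp_dir")
    done
    return "$ccp_rc"
}

# Direct use, e.g.:  sh check_chroot.sh /home/chroot/home/username
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Directories below the chroot, such as an upload folder, are not examined, which is why the extra directory layer works. Adding a named-group ACL entry with write permission to the chroot directory itself normally also sets the group write bit that `stat` reports (the group bits mirror the ACL mask), so it is flagged like `chmod 770`.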


Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-03 Thread Bob Goldberg
ADDENDUM:
forget about vsftp - this package has NOTHING WHAT-SO-EVER to do with SFTP.
WTH were they thinking when they named that package!?

so my question now very simply becomes:
what do demanding admin's choose as a preferred SFTP server, that allows
chrooting WITH group w access 








Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??

2014-01-03 Thread PaulNM


On 01/03/2014 05:14 PM, Bob Goldberg wrote:
> ADDENDUM:
> forget about vsftp - this package has NOTHING WHAT-SO-EVER to do with SFTP.
> WTH were they thinking when they named that package!?
 

Well, Very Secure FTP (vsftp) was initially released back in Feb of
2001. The sftp protocol does technically predate that, but apparently
was just a little-used proprietary protocol for awhile. Wikipedia shows
some IETF Internet Drafts from 2001, but I doubt it was well known at
the time.


> so my question now very simply becomes:
> what do demanding admin's choose as a preferred SFTP server, that allows
> chrooting WITH group w access
 

Wish I could help with that, but I've only ever used openssh's
implementation, and without chrooting for that matter.

- PaulNM





SFTP with chroot

2012-06-04 Thread Sergio Villalba
Hello everyone,

I need a little help to finish configuring SFTP with chroot.

I followed the steps in this guide:

http://www.pastelero.net/2008/05/14-openssh-sftp-chroot-con-chrootdirectory/

Everything works correctly except the most important part: I cannot
write to the user's home directory, e.g. user...

Error:
Error:  /test.txt: open for write: permission denied
Error:  Transferencia fallida

Any suggestions?

Thanks for everything, regards.





Re: SFTP with chroot

2012-06-04 Thread jmramirez (mas_ke_na)


Sergio Villalba wrote:
> Hello everyone,
>
> I need a little help to finish configuring SFTP with chroot.
>
> I followed the steps in this guide:
>
> http://www.pastelero.net/2008/05/14-openssh-sftp-chroot-con-chrootdirectory/
>
> Everything works correctly except the most important part: I cannot
> write to the user's home directory, e.g. user...
>
> Error:
> Error:  /test.txt: open for write: permission denied
> Error:  Transferencia fallida
>
> Any suggestions?

Hi.

Which sftp are you using? vsftp?

Without looking any further, I'd say it is a permissions issue. Does the
user you log in as have permissions on the folder it is accessing?

> Thanks for everything, regards.

Regards

-- 
If fools could fly, the sky would go dark

Do not send me e-mail in proprietary formats
http://www.gnu.org/philosophy/no-word-attachments.es.html



Re: SFTP with chroot

2012-06-04 Thread Camaleón
On Mon, 04 Jun 2012 14:04:46 +0200, Sergio Villalba wrote:

> I need a little help to finish configuring SFTP with chroot.
>
> I followed the steps in this guide:
>
> http://www.pastelero.net/2008/05/14-openssh-sftp-chroot-con-chrootdirectory/
>
> Everything works correctly except the most important part: I cannot
> write to the user's home directory, e.g. user...
>
> Error:
> Error:  /test.txt: open for write: permission denied
> Error:  Transferencia fallida

Looks like a permissions problem :-?

ls -la /home

Regards,

-- 
Camaleón





Re: SFTP with chroot

2012-06-04 Thread Maykel Franco Hernández

On 2012-06-04 15:35, Camaleón wrote:

> On Mon, 04 Jun 2012 14:04:46 +0200, Sergio Villalba wrote:
>
> > I need a little help to finish configuring SFTP with chroot. I followed
> > the steps in this guide:
> > http://www.pastelero.net/2008/05/14-openssh-sftp-chroot-con-chrootdirectory/ [1]
> > Everything works correctly except the most important part: I cannot
> > write to the user's home directory, e.g. user...
> >
> > Error:
> > Error:  /test.txt: open for write: permission denied
> > Error:  Transferencia fallida
>
> Looks like a permissions problem :-?
>
> ls -la /home
>
> Regards,
>
> -- Camaleón

I had a similar problem: I needed to jail users over ssh so they could
upload files and so on...

The surprise was precisely that: after configuring everything OK, it would
not let me upload anything. That was because you have to give that folder
root:root ownership, and that is why it would not let you upload; if you
change the permissions, even the connection stops working...

In the end I went for something simpler, which is to use ftp + tls with
proftpd and jail the users in whatever directory you want, so that they
cannot move out of it (an option that is in the proftpd configuration file).

Hope it helps,
regards.

Links:
[1] http://www.pastelero.net/2008/05/14-openssh-sftp-chroot-con-chrootdirectory/


Re: sftp with chroot?

2009-08-02 Thread Xavier
Eugene Apolinary wrote:
> I want to make an sftp server
>
> - Only an sftp server
> - Some users may log in by ssh (with openssh-server), some users can only
>   use sftp
> - Important! - Chroot! Users using sftp must only see e.g.: their
>   home directory, or better: a folder in it.
> - Under Debian Lenny
>
> Is there any good, secure solution? At least links to howtos? :S

Have a look at the keyword ChrootDirectory in man sshd_config.

On my server, I have two groups for users: sshusers and sftpusers.
In my /etc/ssh/sshd_config file, I have only:
[...]
Subsystem sftp internal-sftp

AllowGroups sshusers sftpusers

# Chroot for sftp users
Match Group sftpusers
ChrootDirectory /home/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
[...]

See also: http://www.debian-administration.org/articles/590

Xavier






sftp with chroot?

2009-08-01 Thread Eugene Apolinary
Hi

I want to make an sftp server

- Only an sftp server
- Some users may log in by ssh (with openssh-server), some users can only use 
sftp
- Important! - Chroot! Users using sftp must only see e.g.: their home 
directory, or better: a folder in it.
- Under Debian Lenny

Is there any good, secure solution? At least links to howtos? :S

Thank You!



  

Re: sftp with chroot?

2009-08-01 Thread Josh Kelley
On Sat, Aug 1, 2009 at 2:50 PM, Eugene Apolinary eugeneapolinar...@yahoo.com wrote:
> - Only an sftp server
> - Some users may log in by ssh (with openssh-server), some users can only
>   use sftp
> - Important! - Chroot! Users using sftp must only see e.g.: their home
>   directory, or better: a folder in it.
> - Under Debian Lenny
>
> Is there any good, secure solution? At least links to howtos? :S

I've used rssh to do this:
http://packages.debian.org/lenny/rssh
http://www.pizzashack.org/rssh/

Note, however, that setting up a chroot jail generally requires making
copies of system libraries and binaries in the chroot'ed directory, so
you may not want to go to the effort and clutter of setting this up in
each user's home directory.  (The rssh package includes more details.)

Josh Kelley





Re: sftp with chroot?

2009-08-01 Thread Eugene Apolinary
I'm trying

#!/bin/bash

apt-get install scponly
dpkg-reconfigure scponly # Select: Yes
cd /usr/share/doc/scponly/setup_chroot
gunzip setup_chroot.sh.gz
sh setup_chroot.sh # Just use default settings



Ok, now I:

echo /var/log/auth.log

Then try to log in:

sftp scpo...@localhost

Connection closed.

log:
http://pastebin.com/fbc34c01

Why doesn't it work???

p.s.: Yes, I copy the sftpd-server to /home/scponly/usr/lib/sftpd-server

is it a bug? :(




  


  

Re: I can't get rssh to work to allow sftp with chroot

2006-06-25 Thread volo
On Sat, 24 Jun 2006 23:00:07 +0200
Iñaki [EMAIL PROTECTED] wrote:

> On Saturday, 24 June 2006 22:26, volo wrote:
> > syslog entries:
> > ---
> > localhost sshd[20210]: Accepted publickey for paco
> > from 192.168.1.1 port 48427 ssh2
> > localhost sshd[20212]: subsystem request for sftp
> > localhost rssh[20214]: setting log facility to LOG_USER
> > localhost rssh[20214]: allowing sftp to all users
> > localhost rssh[20214]: setting umask to 02
> > localhost rssh[20214]: line 53: configuring user paco
> > localhost rssh[20214]: setting paco's umask to 02
> > localhost rssh[20214]: allowing sftp to user paco
> > localhost rssh[20214]: chrooting paco to /home/jaula/
> > localhost rssh[20214]: chroot cmd
> > line: /usr/lib/rssh/rssh_chroot_helper 2 /usr/lib/sftp-server
> > ---
>
> Sorry, I forgot. Can you tell me whether you can chroot directly
> into /home/jaula?
>
> That is, can you successfully run:
>
>   # chroot /home/jaula    (as root)
>
> ?
>
> Thanks again.

> Thanks for the heads-up about the bug.

Regarding chrooting into the jail: no, I cannot chroot /home/jaula.
I don't have bash inside it.








I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread Iñaki
This is not the first time I have fought with rssh to allow a
user rssh_user to access my computer only via sftp or scp and keep them
jailed in their home.

Here is the configuration I have:


# cat /etc/rssh.conf
-
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath = /home/jaula
#Allow scp and sftp:
user=rssh_user:022:00011:/home/jaula
-


# cat /etc/passwd | grep rssh_user
-
rssh_user:x:1002:1002:,,,:/home/jaula/home/rssh_user:/usr/bin/rssh
-



I created the directory /home/jaula and copied into it all the dependencies
of the commands scp, rssh, rssh_chroot_helper and sftp-server (which I
found using ldd), as well as creating the directories needed for the
chroot:

# ls -R /home/jaula
-
/home/jaula:
home  lib  usr

/home/jaula/home:
rssh_user

/home/jaula/home/rssh_user:

/home/jaula/lib:
libcom_err.so.2  libselinux.so.1  libsepol.so.1  tls

/home/jaula/lib/tls:
libcrypt.so.1  libc.so.6  libdl.so.2  libnsl.so.1  libresolv.so.2  
libutil.so.1

/home/jaula/usr:
bin  lib

/home/jaula/usr/bin:
rssh  scp

/home/jaula/usr/lib:
i686  libgssapi_krb5.so.2  libkrb5.so.3  libkrb5support.so.0  libz.so.1  rssh  
sftp-server

/home/jaula/usr/lib/i686:
cmov

/home/jaula/usr/lib/i686/cmov:
libcrypto.so.0.9.8

/home/jaula/usr/lib/rssh:
rssh_chroot_helper
-



Then if I log in via SSH it tells me the following (which by all appearances
seems correct):

# ssh [EMAIL PROTECTED]
-
This account is restricted by rssh.
Allowed commands: scp sftp

If you believe this is in error, please contact your system administrator.

Connection to 127.0.0.1 closed.
-


But it is supposed to let me in via SFTP, and yet it tells me:

# sftp [EMAIL PROTECTED]
-
Connecting to 127.0.0.1...
Password:
Connection closed
-

The logs say:

# tail -f /var/log/syslog
-
Jun 24 19:19:19 aliax rssh[13693]: setting log facility to LOG_USER
Jun 24 19:19:19 aliax rssh[13693]: allowing scp to all users
Jun 24 19:19:19 aliax rssh[13693]: allowing sftp to all users
Jun 24 19:19:19 aliax rssh[13693]: setting umask to 022
Jun 24 19:19:19 aliax rssh[13693]: chrooting all users to /home/jaula
Jun 24 19:19:19 aliax rssh[13693]: line 53: configuring user rssh_user
Jun 24 19:19:19 aliax rssh[13693]: setting rssh_user's umask to 022
Jun 24 19:19:19 aliax rssh[13693]: allowing scp to user rssh_user
Jun 24 19:19:19 aliax rssh[13693]: allowing sftp to user rssh_user
Jun 24 19:19:19 aliax rssh[13693]: chrooting rssh_user to /home/jaula
Jun 24 19:19:19 aliax rssh[13693]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 /usr/lib/openssh/sftp-server
-

# tail -f /var/log/auth
-
Jun 24 19:19:19 aliax sshd[13670]: Accepted keyboard-interactive/pam for rssh_user from 127.0.0.1 port 40996 ssh2
Jun 24 19:19:19 aliax sshd[13692]: (pam_unix) session opened for user rssh_user by (uid=0)
Jun 24 19:19:19 aliax sshd[13692]: subsystem request for sftp
Jun 24 19:19:19 aliax sshd[13692]: (pam_unix) session closed for user rssh_user
-



Does anyone know what I'm doing wrong?

Thanks in advance.



-- 
For everyone's benefit, let's respect the list rules:
  http://wiki.debian.org/NormasLista



Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread Iñaki
On Saturday, 24 June 2006 19:26, Iñaki wrote:
 This is not the first time I've fought with rssh to let a user,
 rssh_user, access my computer only via sftp or scp while keeping him
 jailed in his home.


I have just realized that I can't even chroot into the
/home/jaula directory, even though, in case it was needed, I also
copied /bin/bash and its dependencies (obtained from ldd) into the jail directory.

That is:

  # chroot /home/jaula

 chroot: cannot run command `/bin/bash': No such file or directory



On the RSSH website:
  http://www.pizzashack.org/rssh/faq.shtml#6
I found the following:


Q: When I connect to an account configured to use a chroot jail, I just get 
a Connection closed message. Why?

A: The problem is that you have not set up your chroot jail properly... 
Something is missing. As I've said numerous times throughout the 
documentation, setting up a chroot jail is very system dependent, so if 
you've read the CHROOT file carefully and followed the directions there 
carefully, and it still doesn't work, then I almost certainly can't help you. 
But then, if you had done all that, you wouldn't need to be looking here...

Note that if you are using rssh with Solaris 9, FreeBSD, AIX 5.2, or probably 
other operating systems, you will need to copy your system shell into the 
chroot jail, because wordexp() uses it to expand command-line arguments on 
those platforms. See the CHROOT file for more details.

There is a script called mkchroot.sh included with the source and the RPM 
packages. For most Linux users this should do the job, though it may need 
some small modifications for paths of some files. However it seems that on 
recent Linux distros, the script is missing something important, and I 
haven't yet figured out what that is... If you are able to identify it, 
please post to the mailing list to let me (and everyone else) know. If you 
run into this problem, and can't figure out what is missing, I've found that 
copying all of /lib into the jail seems to fix it. Not an ideal solution, but 
it works.



After reading the last paragraph I tried what it says, that is, I copied
all of /lib (27MB) into /home/jaula/lib, and now it turns out that I can
chroot (which is exactly what the guy above mentions):

  # chroot /home/jaula

bash-3.00#
...


Of course, the point would be to know exactly which library (or libraries) was
missing, so as not to resort to the kludge of copying them all.

But even so, logging in via SFTP as the user rssh_user still doesn't
work. I get exactly the same result as at the beginning (described, logs
and all, in the initial email).



Anyway, as I said, this is not the first time I've tried it and I always
get stuck here.

Regards.







Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread Luis Rodrigo Gallardo Cruz
On Sat, Jun 24, 2006 at 08:02:47PM +0200, Iñaki wrote:
 On Saturday, 24 June 2006 19:26, Iñaki wrote:
  This is not the first time I've fought with rssh to let a user,
  rssh_user, access my computer only via sftp or scp while keeping him
  jailed in his home.
 
 
 I have just realized that I can't even chroot into the
 /home/jaula directory, even though, in case it was needed, I also
 copied /bin/bash and its dependencies (obtained from ldd) into the jail directory.
 ...
 After reading the last paragraph I tried what it says, that is, I copied
 all of /lib (27MB) into /home/jaula/lib, and now it turns out that I can
 chroot (which is exactly what the guy above mentions):
 
   # chroot /home/jaula
 
 bash-3.00#
 ...
 
 
 Of course, the point would be to know exactly which library (or libraries) was
 missing, so as not to resort to the kludge of copying them all.

Maybe: run ldd on the programs you need. Copy those libraries.
Then run ldd on those libraries. And keep going, recursively.

It might help to be guided by the dependencies of the packages that the
files you copy belong to.

-- 
Rodrigo Gallardo


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
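
The dependency check suggested above can be scripted; what follows is an added example, not code from the thread. It parses ldd output (which already lists dependencies transitively and names the loader on a line without "=>") together with the "chroot cmd line" entry of the posted rssh log, and reports which of those paths are absent from a jail. The function names, the sample ldd output and the temporary jail are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed or rejoined
# from the posted log; function names are hypothetical.

# ldd_paths: read `ldd` output on stdin, print each absolute path once.
#   "libc.so.6 => /lib/tls/libc.so.6 (0x...)"  -> /lib/tls/libc.so.6
#   "/lib/ld-linux.so.2 (0x...)"               -> /lib/ld-linux.so.2 (loader)
# Entries without a path ("linux-gate.so.1 =>  (0x...)", "=> not found") are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | sort -u
}

# chroot_cmd: read rssh syslog lines on stdin, print the program named last on
# the "chroot cmd line" entry (assumed to be the one run inside the jail).
chroot_cmd() {
    awk '/chroot cmd +line:/ { print $NF }'
}

# missing_in_jail ROOT: read absolute paths on stdin, print those absent under ROOT.
missing_in_jail() {
    root=$1
    while IFS= read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# jail_check ROOT BINARY...: real-system use. BINARY is a host path; it and
# everything ldd lists for it must exist at the same path under ROOT.
jail_check() {
    root=$1; shift
    for bin in "$@"; do
        { printf '%s\n' "$bin"; ldd "$bin" 2>/dev/null | ldd_paths; } |
            missing_in_jail "$root"
    done
}

sample_log() {   # last rssh line from the first message, rejoined onto one line
    echo 'Jun 24 19:19:19 aliax rssh[13693]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 /usr/lib/openssh/sftp-server'
}

sample_ldd() {   # constructed `ldd sftp-server` output; addresses are made up
    cat <<'EOF'
    linux-gate.so.1 =>  (0xffffe000)
    libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7e6f000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7e5b000)
    libc.so.6 => /lib/tls/libc.so.6 (0xb7d23000)
    libdl.so.2 => /lib/tls/libdl.so.2 (0xb7d1f000)
    /lib/ld-linux.so.2 (0xb7fc1000)
EOF
}

# demo: recreate the relevant part of the posted /home/jaula listing in a
# temporary directory and print what the logged command would not find there.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib/tls" "$tmp/usr/lib/i686/cmov"
    for f in lib/tls/libc.so.6 lib/tls/libdl.so.2 usr/lib/libz.so.1 \
             usr/lib/i686/cmov/libcrypto.so.0.9.8 usr/lib/sftp-server; do
        : > "$tmp/$f"
    done
    { sample_log | chroot_cmd; sample_ldd | ldd_paths; } | missing_in_jail "$tmp"
    rm -rf "$tmp"
}

# With arguments: check a real jail. Without: run the constructed demo.
if [ "$#" -ge 2 ]; then jail_check "$@"; else demo; fi
```

Against a real jail the script takes the jail root followed by host paths of the binaries, for example /home/jaula /usr/lib/openssh/sftp-server. Run ldd only on binaries you trust, since some versions execute code from the file they inspect.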



Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread volo

I use it with sftp only, without scp.

Here is the ls -R of my jail in case it helps
(you should at least be able to do sftp; it works perfectly for me)

---
/home/jaula/lib/:
ld-linux.so.2  libcrypt.so.1  libc.so.6  libdl.so.2  libnsl.so.1
libresolv.so.2  libutil.so.1 libz.so.1

/home/jaula/usr/:
bin  lib

/home/jaula/usr/bin:
rssh

/home/jaula/usr/lib:
libcrypto.so.0.9.7  libz.so.1  rssh  rssh_chroot_helper  sftp-server
---
and the users' home directories

/home/jaula/user1
/home/jaula/user2 ...


Make sure that rssh_user has rx permissions on /home/jaula
and that the partition holding /home does not have the noexec option in fstab

Good luck


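
The second check in the message above (no noexec on the filesystem that holds the jail) can be automated; this is an added example, not code from the thread. It finds the mount entry that covers a path in an fstab or /proc/mounts style table and evaluates its options in order; the function names and the sample table are constructed.

```shell
#!/bin/sh
# Added example, not from the thread; function names and the sample table are
# constructed.

# mount_opts_for PATH: read an fstab- or /proc/mounts-style table on stdin and
# print the options (4th field) of the most specific mount point containing PATH.
mount_opts_for() {
    awk -v p="$1" '
        $1 ~ /^#/ || NF == 0 { next }     # skip comments and blank lines
        {
            mp = $2
            # mp contains p if it is "/", equals p, or is a directory prefix
            # of p ("/home" must not match "/homework").
            if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) > best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }'
}

# noexec_in_effect OPTS: succeed if the comma-separated options leave noexec
# set. Later options override earlier ones; per mount(8), "user" and "users"
# imply noexec, and "defaults" includes exec. Runs in a subshell so the
# caller's IFS is untouched.
noexec_in_effect() (
    state=exec
    IFS=,
    for o in $1; do
        case $o in
            noexec|user|users) state=noexec ;;
            exec|defaults)     state=exec ;;
        esac
    done
    [ "$state" = noexec ]
)

sample_fstab() {   # constructed table: /home carries noexec, / does not
    cat <<'EOF'
# <file system> <mount point> <type> <options>                  <dump> <pass>
/dev/hda1       /             ext3   defaults,errors=remount-ro 0      1
/dev/hda2       none          swap   sw                         0      0
/dev/hda3       /home         ext3   defaults,noexec,nosuid     0      2
EOF
}

# jail_exec_ok PATH: using the table on stdin, report whether binaries under
# PATH can be executed; returns 1 when noexec applies.
jail_exec_ok() {
    opts=$(mount_opts_for "$1")
    if noexec_in_effect "$opts"; then
        echo "noexec: $1 is on a mount with options $opts"
        return 1
    fi
    echo "ok: $1 ($opts)"
}

# On a live system: jail_exec_ok /home/jaula < /proc/mounts
sample_fstab | jail_exec_ok /home/jaula || true
```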
 

Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread Iñaki
On Saturday, 24 June 2006 21:03, Luis Rodrigo Gallardo Cruz wrote:
 On Sat, Jun 24, 2006 at 08:02:47PM +0200, Iñaki wrote:
  On Saturday, 24 June 2006 19:26, Iñaki wrote:
   This is not the first time I've fought with rssh to let a user,
   rssh_user, access my computer only via sftp or scp while keeping him
   jailed in his home.
 
  I have just realized that I can't even chroot into the
  /home/jaula directory, even though, in case it was needed, I also
  copied /bin/bash and its dependencies (obtained from ldd) into the jail
  directory. ...
  After reading the last paragraph I tried what it says, that is, I copied
  all of /lib (27MB) into /home/jaula/lib, and now it turns out that I can
  chroot (which is exactly what the guy above mentions):
 
    # chroot /home/jaula
 
  bash-3.00#
  ...
 
  Of course, the point would be to know exactly which library (or libraries) was
  missing, so as not to resort to the kludge of copying them all.

 Maybe: run ldd on the programs you need. Copy those libraries.
 Then run ldd on those libraries. And keep going, recursively.

But I have already done that; in fact I can chroot, but it doesn't
work with rssh.

Thanks.




Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread Iñaki
On Saturday, 24 June 2006 21:04, volo wrote:
 I use it with sftp only, without scp.

 Here is the ls -R of my jail in case it helps
 (you should at least be able to do sftp; it works perfectly for me)

 ---
 /home/jaula/lib/:
 ld-linux.so.2  libcrypt.so.1  libc.so.6  libdl.so.2  libnsl.so.1
 libresolv.so.2  libutil.so.1 libz.so.1

 /home/jaula/usr/:
 bin  lib

 /home/jaula/usr/bin:
 rssh

 /home/jaula/usr/lib:
 libcrypto.so.0.9.7  libz.so.1  rssh  rssh_chroot_helper  sftp-server
 ---
 and the users' home directories

 /home/jaula/user1
 /home/jaula/user2 ...
 

 Make sure that rssh_user has rx permissions on /home/jaula
 and that the partition holding /home does not have the noexec option in fstab

 Good luck



I have checked everything and it doesn't work for me.

Which versions of Debian and rssh do you have?

Would you mind pasting me the output of the following commands?

# sftp [EMAIL PROTECTED]

and meanwhile:

# tail -f /var/log/syslog

and

# tail -f /var/log/auth


Thanks a lot for your help.



Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread volo
On Sat, 24 Jun 2006 21:29:07 +0200
Iñaki [EMAIL PROTECTED] wrote:

 On Saturday, 24 June 2006 21:04, volo wrote:
  I use it with sftp only, without scp.
 
  Here is the ls -R of my jail in case it helps
  (you should at least be able to do sftp; it works perfectly for me)
 
  ---
  /home/jaula/lib/:
  ld-linux.so.2  libcrypt.so.1  libc.so.6  libdl.so.2  libnsl.so.1
  libresolv.so.2  libutil.so.1 libz.so.1
 
  /home/jaula/usr/:
  bin  lib
 
  /home/jaula/usr/bin:
  rssh
 
  /home/jaula/usr/lib:
  libcrypto.so.0.9.7  libz.so.1  rssh  rssh_chroot_helper  sftp-server
  ---
  and the users' home directories
 
  /home/jaula/user1
  /home/jaula/user2 ...
  
 
  Make sure that rssh_user has rx permissions on /home/jaula
  and that the partition holding /home does not have the noexec option in
  fstab
 
  Good luck
 
 
 
 I have checked everything and it doesn't work for me.
 
 Which versions of Debian and rssh do you have?
 
 Would you mind pasting me the output of the following commands?
 
 # sftp [EMAIL PROTECTED]
 
 and meanwhile:
 
 # tail -f /var/log/syslog
 
 and
 
 # tail -f /var/log/auth
 
 
 Thanks a lot for your help.
 
 

Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread Iñaki
On Saturday, 24 June 2006 22:26, volo wrote:
 On Sat, 24 Jun 2006 21:29:07 +0200

 Iñaki [EMAIL PROTECTED] wrote:
  On Saturday, 24 June 2006 21:04, volo wrote:
   I use it with sftp only, without scp.
  
   Here is the ls -R of my jail in case it helps
   (you should at least be able to do sftp; it works perfectly for me)
  
   ---
   /home/jaula/lib/:
   ld-linux.so.2  libcrypt.so.1  libc.so.6  libdl.so.2  libnsl.so.1
   libresolv.so.2  libutil.so.1 libz.so.1
  
   /home/jaula/usr/:
   bin  lib
  
   /home/jaula/usr/bin:
   rssh
  
   /home/jaula/usr/lib:
   libcrypto.so.0.9.7  libz.so.1  rssh  rssh_chroot_helper  sftp-server
   ---
   and the users' home directories
  
   /home/jaula/user1
   /home/jaula/user2 ...
   
  
   Make sure that rssh_user has rx permissions on /home/jaula
   and that the partition holding /home does not have the noexec option in
   fstab
  
   Good luck
 
  I have checked everything and it doesn't work for me.
 
  Which versions of Debian and rssh do you have?
 
  Would you mind pasting me the output of the following commands?
 
  # sftp [EMAIL PROTECTED]
 
  and meanwhile:
 
  # tail -f /var/log/syslog
 
  and
 
  # tail -f /var/log/auth
 
 
  Thanks a lot for your help.
 

Re: I can't get rssh to work to allow sftp with chroot

2006-06-24 Thread Iñaki
On Saturday, 24 June 2006 22:26, volo wrote:
 entries in syslog:
 ---
 localhost sshd[20210]: Accepted publickey for paco
 from 192.168.1.1 port 48427 ssh2
 localhost sshd[20212]: subsystem request for sftp
 localhost rssh[20214]: setting log facility to LOG_USER
 localhost rssh[20214]: allowing sftp to all users
 localhost rssh[20214]: setting umask to 02
 localhost rssh[20214]: line 53: configuring user paco
 localhost rssh[20214]: setting paco's umask to 02
 localhost rssh[20214]: allowing sftp to user paco
 localhost rssh[20214]: chrooting paco to /home/jaula/
 localhost rssh[20214]: chroot cmd
 line: /usr/lib/rssh/rssh_chroot_helper 2 /usr/lib/sftp-server
 ---


Sorry, I almost forgot. Can you tell me whether you can chroot directly
into /home/jaula?

That is, can you successfully run:
 
  # chroot /home/jaula    (as root)

?


Thanks again.






sftp and chroot

2005-11-03 Thread xavier brige








Hello

I would like to allow FTP transfers over ssh... in fact sftp. The only concern is
that this user would have to be locked into his home directory. I know that
openssh with chroot exists,
but the problem is that I don't want to recompile my openssh (the server is remote and I would not be able to
intervene on it if I had a problem).

So I need an alternative solution to chroot that uses the same port (obviously I can't
use anything other than the ssh port) and that does not
require me to recompile openssh.

Does anyone have an idea?

Thanks in advance

Xavier








Re: sftp and chroot

2005-11-03 Thread Daniel C

xavier brige wrote:

 Hello

 I would like to allow FTP transfers over ssh... in fact sftp. The only
 concern is that this user would have to be locked into his
 home directory. I know that openssh with chroot exists, but the problem
 is that I don't want to recompile my openssh (the server is
 remote and I would not be able to intervene on it if I had a problem).


 So I need an alternative solution to chroot that uses
 the same port (obviously I can't use anything other than the ssh
 port) and that does not require me to recompile openssh.


 Does anyone have an idea?


Replace the default shell with a special shell that does a chroot.
I know it's possible (I had read something about it) but I no longer remember
how.

Sorry I can't help more.

Daniel


 Thanks in advance

 Xavier






Re: sftp and chroot

2005-11-03 Thread Rustine22

This might help you:

http://www.tjw.org/chroot-login-HOWTO/


Daniel C wrote:

 xavier brige wrote:

  Hello

  I would like to allow FTP transfers over ssh... in fact sftp. The
  only concern is that this user would have to be locked
  into his home directory. I know that openssh with chroot exists, but
  the problem is that I don't want to recompile my openssh (the
  server is remote and I would not be able to intervene on it if I had
  a problem).


  So I need an alternative solution to chroot that
  uses the same port (obviously I can't use anything other
  than the ssh port) and that does not require me to recompile openssh.


  Does anyone have an idea?


 Replace the default shell with a special shell that does a chroot.
 I know it's possible (I had read something about it) but I no longer
 remember how.

 Sorry I can't help more.

 Daniel


  Thanks in advance

  Xavier









--
Remember to read the list FAQ before asking a question:
http://wiki.debian.net/?DebianFrench

Remember to add the word ``spam'' to your From and Reply-To fields:
