Re: chroot sftp users
On Mon, Mar 1, 2010 at 5:27 PM, Glenn Cogle wrote:
> My server is debian 3.1, openssh 3.8.1p1 & vsftpd 2.0.3 - not exactly
> cutting edge, but it works.
>
> (4) build a new server with later OS + ssh

Well, a Debian 3.1 server is very old. Debian have just dropped security support for 4. I'd recommend an upgrade on general principles.

Also, do your file-transferring users have to be real system users in any other sense? If the only reason they have a 'home' directory is to transfer files into, that's a lot you don't have to worry about. Give them rssh and restrict them to sftp ...

passwd:
username:x:1005:33:SFTP access to username:/SFTP-CHROOTusername:/usr/bin/rssh

Files:
drwxr-xr-x 2 root     root 4096 2006-10-28 03:39 etc
drwxr-xr-x 4 username root 4096 2006-11-06 09:22 website
drwxr-xr-x 2 root     root 4096 2006-11-06 09:12 lib
drwxr-xr-x 4 root     root 4096 2006-11-06 08:19 usr

$ tree etc lib usr
etc
`-- passwd
lib
|-- ld-2.3.6.so
|-- ld-linux.so.2 -> ld-2.3.6.so
|-- libc-2.3.6.so
|-- libc.so.6 -> libc-2.3.6.so
|-- libcom_err.so.2 -> libcom_err.so.2.1
|-- libcom_err.so.2.1
|-- libcrypt-2.3.6.so
|-- libcrypt.so.1 -> libcrypt-2.3.6.so
|-- libdl-2.3.6.so
|-- libdl.so.2 -> libdl-2.3.6.so
|-- libnsl-2.3.6.so
|-- libnsl.so.1 -> libnsl-2.3.6.so
|-- libresolv-2.3.6.so
|-- libresolv.so.2 -> libresolv-2.3.6.so
|-- libselinux.so.1
|-- libsepol.so.1
|-- libutil-2.3.6.so
`-- libutil.so.1 -> libutil-2.3.6.so
usr
|-- bin
|   `-- rssh
`-- lib
    |-- i686
    |   `-- cmov
    |       `-- libcrypto.so.0.9.8
    |-- libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2
    |-- libgssapi_krb5.so.2.2
    |-- libk5crypto.so.3 -> libk5crypto.so.3.0
    |-- libk5crypto.so.3.0
    |-- libkrb5.so.3 -> libkrb5.so.3.2
    |-- libkrb5.so.3.2
    |-- libkrb5support.so.0 -> libkrb5support.so.0.0
    |-- libkrb5support.so.0.0
    |-- libz.so.1 -> libz.so.1.2.3
    |-- libz.so.1.2.3
    |-- openssh
    |   `-- sftp-server
    |-- rssh
    |   `-- rssh_chroot_helper
    `-- sftp-server -> openssh/sftp-server

You could hardlink the usr and lib directories from an sftp-chroot template, then just give each user a unique etc/passwd and you're on your way ...

-jim
Re: chroot sftp users
On Mon, 2010-03-01 at 17:27 +1300, Glenn Cogle wrote:
> I want to chroot my sftp users to their respective home directories,
> but apparently this isn't the default behaviour.
>
> My server is debian 3.1, openssh 3.8.1p1 & vsftpd 2.0.3 - not exactly
> cutting edge, but it works.
>
> Apparently (much) later implementations of OpenSSH (v4.9+) include
> facilities for chrooting sftp & ssh users.
>
> I suppose my choices are
>
> (1) hack existing ssh
> (2) devise some workaround - perhaps using permissions
> (3) upgrade ssh, and probably the OS as requirements dictate
> (4) build a new server with later OS + ssh
> (5) something else I haven't thought of yet
>
> Interested in comments from those who have been here...
>
> GC

Having been there very recently (I now have chrooted sftp access working for virtualmin), I recommend just compiling up the latest openssh from source, and using the internal sftp server. I run the original on a non-standard port, and the latest on port 22, which is quite easy, as the config files are in a different place if you use defaults.

It is a bit of a PITA, as the root directory has to be owned by root, permissions 755, which means that everything has to be located in (pre-created) subdirectories, which means some work to /etc/skel. However, once up and running it's something you can just forget.

I would also recommend updating, as etch (4.0) was end of lifed a week ago!

hth,

Steve
--
Steve Holdoway http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
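The "owned by root, permissions 755" rule Steve runs into is the one sshd documents for ChrootDirectory, and it applies to every component of the path, not only the final directory: a chroot placed under a world-writable parent such as /tmp is rejected even when the leaf is root:root 0755. The script below is an added example, not code from this thread or from OpenSSH; it re-implements that documented rule so a chroot layout can be validated before users are locked out, and reports each failing component. The function names component_problems, chroot_path_problems and demo are my own, and the temporary directory that demo() deliberately makes world-writable is a constructed scenario.

```python
import os
import stat
import tempfile


def component_problems(path, st, root_uid=0):
    """Problems with one path component, given its lstat() result.

    Mirrors the rule sshd applies to ChrootDirectory: the component must
    be a directory (not a symlink), owned by root, and not writable by
    group or others.  Returns an empty list when it passes.
    """
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: is not a directory")
    if st.st_uid != root_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(
            f"{path}: writable by group or others "
            f"(mode {stat.S_IMODE(st.st_mode):04o}, need 755 or tighter)"
        )
    return problems


def chroot_path_problems(chroot, root_uid=0):
    """Check every component from / down to `chroot` and collect problems.

    An empty list means the directory satisfies the documented rule.  The
    whole path is walked because a loose parent (for example /tmp, which is
    1777) disqualifies the chroot no matter how tight the leaf itself is.
    """
    problems = []
    abs_path = os.path.abspath(chroot)
    # Build the prefixes /, /a, /a/b, ..., abs_path without resolving symlinks.
    parts = abs_path.strip(os.sep).split(os.sep) if abs_path != os.sep else []
    prefixes = [os.sep]
    for part in parts:
        prefixes.append(os.path.join(prefixes[-1], part))
    for prefix in prefixes:
        try:
            st = os.lstat(prefix)
        except FileNotFoundError:
            problems.append(f"{prefix}: does not exist")
            break  # nothing below a missing component can exist either
        problems.extend(component_problems(prefix, st, root_uid))
    return problems


def demo():
    """Constructed scenario: a temporary directory first left world-writable
    (the classic mistake), then tightened to 0755.

    Returns (path, problems while 0777, leaf problems after chmod 755).  For
    the leaf re-check the current uid is passed as root_uid so that only the
    mode is judged; on a real host leave root_uid at its default of 0.
    """
    d = tempfile.mkdtemp(prefix="sftp-chroot-")
    os.chmod(d, 0o777)
    loose = chroot_path_problems(d)
    os.chmod(d, 0o755)
    tight_leaf = component_problems(d, os.lstat(d), root_uid=os.getuid())
    return d, loose, tight_leaf


if __name__ == "__main__":
    d, loose, tight_leaf = demo()
    print(f"checking {d} while it is mode 0777:")
    for p in loose:
        print("  ", p)
    print("leaf after chmod 755 (owner treated as root):", tight_leaf or "OK")
```

Run it against the real chroot root (for example `chroot_path_problems("/SFTP-CHROOT")` as root) after creating the per-user subdirectories; any line it prints is a reason sshd will refuse the login, so an empty result is what to aim for before enabling the Match block for those users.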
chroot sftp users
I want to chroot my sftp users to their respective home directories, but apparently this isn't the default behaviour.

My server is debian 3.1, openssh 3.8.1p1 & vsftpd 2.0.3 - not exactly cutting edge, but it works.

Apparently (much) later implementations of OpenSSH (v4.9+) include facilities for chrooting sftp & ssh users.

I suppose my choices are

(1) hack existing ssh
(2) devise some workaround - perhaps using permissions
(3) upgrade ssh, and probably the OS as requirements dictate
(4) build a new server with later OS + ssh
(5) something else I haven't thought of yet

Interested in comments from those who have been here...

GC
Re: Filesystem and replacing .. The final word??
Craig Falconer wrote:
> Aidan Gauland wrote, On 26/02/10 21:41:
>> I'm glad to see the labs have Emacs 23 this year. I love Emacs.
> Dunno why - vi is everywhere, emacs isn't.
> Even if you hate it, you still have to know how to use it.

And this year we have both versions... xemacs wouldn't work last year but someone has fixed it to work again (not a lot of maintenance being done on it) (vi works all the time :-) )

Pete
--
Peter Glassenbury                  Computer Science department
p...@cosc.canterbury.ac.nz         University of Canterbury
+64 3 3642987 ext 7762             New Zealand
Re: Tip'o'the Day: Don't name anything "core"!
On 1 March 2010 11:48, John Carter wrote:
> Moral of the story. Avoid the name "core" for anything other than core
> dumps.

And there I was thinking the moral would be to do with using CVS ;)
REMINDER: Christchurch NZPUG Meetup This Friday
Hi all,

Just a reminder that we've got the following event this Friday. Again we ask that you send an email to meeting-christchurch AT nzpug dot org so we have an idea of those who are coming along.

**Again we'll order some pizzas so please bring along some money to contribute to this (usually works out at about $7-8 each)**

Details are as follows:

Date: 5 March 2010
Time: 5:30-7:30pm
URL: http://nzpug.org/MeetingsChristchurch/Mar2010
Talks:
* DarrylCousins: "Demo: Building a web application using repoze.bfg"

Look forward to seeing you all there!

Kind regards,
Tim
Tip'o'the Day: Don't name anything "core"!
So Friday was a trifle frustrating... Somehow things didn't work out quite right and I seem to have lost a bunch of work...

So Monday morning was spent working out what went wrong...

Aha!

I was working with the Light Weight IP stack which has all its "core" functionality in a directory called "core".

But since year yonks, whenever a program crashes Unix does a core dump into a file called "core" in the current working directory. So CVS (and several other tools) have been well trained to ignore anything called "core".

Sigh!

So when I tried to add my changes to my CVS repository it didn't add the "core" directory, so I lost all changes there.

Moral of the story. Avoid the name "core" for anything other than core dumps.

John Carter                        Phone : (64)(3) 358 6639
Tait Electronics                   Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch           Email : john.car...@tait.co.nz
New Zealand
Re: Filesystem and replacing .. The final word??
On Mon, 2010-03-01 at 09:22 +1300, Craig Falconer wrote:
> Aidan Gauland wrote, On 26/02/10 21:41:
> > I'm glad to see the labs have Emacs 23 this year. I love Emacs.
>
> Dunno why - vi is everywhere, emacs isn't.
> Even if you hate it, you still have to know how to use it.
>

All I know is -x -c and that's plenty!

Steve
--
Steve Holdoway http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
Re: Next CLUG Social Gathering.
On Fri, 2010-02-19 at 20:04 +1300, Steve Holdoway wrote:
> On Fri, 2010-02-19 at 19:52 +1300, Christopher Sawtell wrote:
> [snip]
>
> I have an old IBM penguin that I'll try to get into the mix...
>
> Cheers, Steve
>

OK, Chris is now the official owner of my IBM stress Tux. Hopefully to be seen at a Twisted Hop near you in the not too distant future...

Steve
--
Steve Holdoway http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
Re: Filesystem and replacing .. The final word??
Aidan Gauland wrote, On 26/02/10 21:41:
> I'm glad to see the labs have Emacs 23 this year. I love Emacs.

Dunno why - vi is everywhere, emacs isn't.
Even if you hate it, you still have to know how to use it.

--
CF