in current: chrootdirectory in ssh (cannot stat /usr/libexec/sftp-server)
Hello,

(running current with OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012)

I'm trying to set up chrootdirectory in sshd_config as a test configuration, without success.

Here is a snippet from my sshd_config:

#(this is the default line)
Subsystem sftp /usr/libexec/sftp-server

#added the following match block
Match Group remote-sync, Address 127.0.0.1
    ChrootDirectory /home/chroot/%u
    ForceCommand internal-sftp -f LOCAL0 -l INFO
    AllowAgentForwarding no
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
---

The home directory /home/chroot/sync is owned by root:wheel.

When I try to connect I get the following error:

cannot stat /usr/libexec/sftp-server: No such file or directory

What am I missing? What is wrong with my test config?

Thanks for any input!!!
Didier

See the entire output here:

$ sudo /usr/sbin/sshd -D -d -p -f /etc/ssh/sshd_config
debug1: sshd version OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-p'
debug1: rexec_argv[4]=''
debug1: rexec_argv[5]='-f'
debug1: rexec_argv[6]='/etc/ssh/sshd_config'
debug1: Bind to port on 0.0.0.0.
Server listening on 0.0.0.0 port .
debug1: Bind to port on ::.
Server listening on :: port .
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 31875
debug1: Client protocol version 2.0; client software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: permanently_set_uid: 27/27 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client-server aes128-ctr hmac-md5-...@openssh.com z...@openssh.com [preauth]
debug1: kex: server-client aes128-ctr hmac-md5-...@openssh.com z...@openssh.com [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user sync service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user sync matched group list remote-sync, at line 124
debug1: connection from 127.0.0.1 matched 'Address 127.0.0.1' at line 124
debug1: userauth_banner: sent [preauth]
debug1: userauth-request for user sync service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: temporarily_use_uid: 1001/999 (e=0/0)
debug1: trying public key file /home/chroot/sync/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/chroot/sync/.ssh/authorized_keys, line 3
Found matching RSA key: c9:1b:a7:00:9c:52:08:44:1b:2f:7e:28:94:f4:e0:af
debug1: restore_uid: 0/0
Postponed publickey for sync from 127.0.0.1 port 31875 ssh2 [preauth]
debug1: userauth-request for user sync service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 0 [preauth]
debug1: temporarily_use_uid: 1001/999 (e=0/0)
debug1: trying public key file /home/chroot/sync/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/chroot/sync/.ssh/authorized_keys, line 3
Found matching RSA key: c9:1b:a7:00:9c:52:08:44:1b:2f:7e:28:94:f4:e0:af
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
Accepted publickey for sync from 127.0.0.1 port 31875 ssh2
debug1: monitor_child_preauth: sync has been authenticated by privileged process
debug1: Enabling compression at level 6. [preauth]
debug1: monitor_read_log: child log fd closed
User child is on pid 2371
Changed root directory to /home/chroot/sync
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 1 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp by user sync
debug1: subsystem: cannot stat /usr/libexec/sftp-server: No such file
Re: in current: chrootdirectory in ssh (cannot stat /usr/libexec/sftp-server)
Didier Wiroth wrote:
> Hello,
>
> (running current with OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012)
>
> I'm trying to set up chrootdirectory in sshd_config as a test configuration, without success.
>
> Here is a snippet from my sshd_config:
>
> #(this is the default line)
> Subsystem sftp /usr/libexec/sftp-server
>
> #added the following match block
> Match Group remote-sync, Address 127.0.0.1
>     ChrootDirectory /home/chroot/%u
>     ForceCommand internal-sftp -f LOCAL0 -l INFO
>     AllowAgentForwarding no
>     AllowTcpForwarding no
>     GatewayPorts no
>     X11Forwarding no
> ---
>
> The home directory /home/chroot/sync is owned by root:wheel.
>
> When I try to connect I get the following error:
>
> cannot stat /usr/libexec/sftp-server: No such file or directory
>
> What am I missing?

Don't know if you missed the obvious. AFAICS the server first chroots to your ChrootDirectory and then tries to find the sftp-server relative to this directory, as this has become your new root. I doubt you have /home/chroot/%u/usr/libexec/sftp-server on your system, so it can't be found.

> What is wrong with my test config?

I don't run configs like this, so I can only make an educated guess. Man sshd_config(5) talks about the in-process sftp-server called 'internal-sftp'; that's probably what you're after.

> Thanks for any input!!!
> Didier
Re: in current: chrootdirectory in ssh (cannot stat /usr/libexec/sftp-server)
08.04.2013 11:13, user Didier Wiroth dwir...@gmail.com wrote:
> Hello,
>
> (running current with OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012)
>
> I'm trying to set up chrootdirectory in sshd_config as a test configuration, without success.
>
> Here is a snippet from my sshd_config:
>
> #(this is the default line)
> Subsystem sftp /usr/libexec/sftp-server
>
> #added the following match block
> Match Group remote-sync, Address 127.0.0.1
>     ChrootDirectory /home/chroot/%u
>     ForceCommand internal-sftp -f LOCAL0 -l INFO
>     AllowAgentForwarding no
>     AllowTcpForwarding no
>     GatewayPorts no
>     X11Forwarding no
> ---
>
> The home directory /home/chroot/sync is owned by root:wheel.
>
> When I try to connect I get the following error:
>
> cannot stat /usr/libexec/sftp-server: No such file or directory
>
> What am I missing? What is wrong with my test config?

It's obvious that the global configuration parameter is involved. That means that your Match rule doesn't work.

> Thanks for any input!!!
> Didier
Re: in current: chrootdirectory in ssh (cannot stat /usr/libexec/sftp-server)
On Sun (07/04/13), Didier Wiroth wrote:
> Hello,

Hey there

> (running current with OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012)
>
> I'm trying to set up chrootdirectory in sshd_config as a test configuration, without success.
>
> Here is a snippet from my sshd_config:
>
> #(this is the default line)
> Subsystem sftp /usr/libexec/sftp-server

You should change this line to:

Subsystem sftp internal-sftp

and it should work.

--
Manolis Tzanidakis
http://mtzanidakis.com/
mtzanidakis[at]gmail[dot]com
Re: in current: chrootdirectory in ssh (cannot stat /usr/libexec/sftp-server)
Thanks a lot for helping. I missed this line indeed. I now changed the subsystem to:

Subsystem sftp internal-sftp

If I comment out the chrootdirectory in the match block, I can instantly connect without problems. So I still must have forgotten something ... but I don't know what.

In my chroot (/home/chroot/), I have /home/chroot/dev/log. I did not copy any binaries/libs into the chroot as it is NOT required (or I misunderstood the manual page). Quote from the sshd_config manual, ChrootDirectory section:

    For file transfer sessions using ``sftp'', no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).

Syslogd has the following flags in rc.conf.local:

syslogd_flags=-a /home/chroot/dev/log

Unfortunately it still doesn't work ...

$ sftp -P sync@localhost
Connection closed

Here is the sshd output:

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 584
debug2: parse_server_config: config /etc/ssh/sshd_config len 584
debug3: /etc/ssh/sshd_config:39 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:42 setting MaxAuthTries 3
debug3: /etc/ssh/sshd_config:50 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:69 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:95 setting UsePrivilegeSeparation sandbox
debug3: /etc/ssh/sshd_config:109 setting Banner /etc/ssh/banner
debug3: /etc/ssh/sshd_config:113 setting Subsystem sftp internal-sftp
debug3: /etc/ssh/sshd_config:115 setting AllowGroups ssh
debug3: checking syntax for 'Match Address 192.168.178.0/24'
debug3: checking syntax for 'Match Group remote-sync, Address 127.0.0.1'
debug1: sshd version OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]=''
debug1: rexec_argv[3]='-f'
debug1: rexec_argv[4]='/etc/ssh/sshd_config'
debug1: rexec_argv[5]='-D'
debug1: rexec_argv[6]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port on 0.0.0.0.
Server listening on 0.0.0.0 port .
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port on ::.
Server listening on :: port .
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 584
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 46864
debug1: Client protocol version 2.0; client software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing systrace sandbox
debug2: Network child is on pid 30531
debug3: ssh_sandbox_parent: wait for child 30531
debug3: ssh_sandbox_parent: child 30531 stopped
debug3: ssh_sandbox_parent: systrace attach, fd=9
debug3: ssh_sandbox_parent: policy: enable syscall 1
debug3: ssh_sandbox_parent: policy: enable syscall 3
debug3: ssh_sandbox_parent: policy: enable syscall 4
debug3: ssh_sandbox_parent: policy: enable syscall 5
debug3: ssh_sandbox_parent: policy: enable syscall 6
debug3: ssh_sandbox_parent: policy: enable syscall 20
debug3: ssh_sandbox_parent: policy: enable syscall 48
debug3: ssh_sandbox_parent: policy: enable syscall 73
debug3: ssh_sandbox_parent: policy: enable syscall 74
debug3: ssh_sandbox_parent: policy: enable syscall 75
debug3: ssh_sandbox_parent: policy: enable syscall 93
debug3: ssh_sandbox_parent: policy: enable syscall 116
debug3: ssh_sandbox_parent: policy: enable syscall 197
debug3: ssh_sandbox_parent: policy: enable syscall 202
debug3: ssh_sandbox_parent: policy: enable syscall 252
debug3: ssh_sandbox_parent: policy: enable syscall 286
debug3: ssh_sandbox_parent: start child 30531
debug3: preauth child monitor started
debug3: privsep user:group 27:27 [preauth]
debug1: permanently_set_uid: 27/27 [preauth]
debug3: ssh_sandbox_child: ready [preauth]
debug3: ssh_sandbox_child: started [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2:
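As an added example (not from this thread and not part of OpenSSH), a small POSIX sh pre-flight script for the points the thread raises: with ChrootDirectory in effect the sftp Subsystem has to be internal-sftp, sshd_config(5) requires every component of the chroot path to be a root-owned directory that no other user or group can write, and logging with internal-sftp -l needs a /dev/log socket inside the directory that actually becomes the root for that user (with ChrootDirectory /home/chroot/%u that is /home/chroot/sync/dev/log for user sync). Function names and the STOP/UID parameters of check_chroot_path are my own; on a real host call it with / and 0.

```shell
#!/bin/sh
# Pre-flight checks for an sshd ChrootDirectory + internal-sftp setup.
# Constructed example for this thread, not part of OpenSSH; function names are hypothetical.

# check_subsystem CONFIG
# sshd chroot()s before starting the sftp subsystem, so an external
# /usr/libexec/sftp-server is looked up inside the chroot and fails with
# "cannot stat"; only the in-process server works under ChrootDirectory.
check_subsystem() {
    sub=$(sed 's/#.*//' "$1" |
          awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }')
    [ "$sub" = "internal-sftp" ]
}

# check_chroot_path DIR STOP [UID]
# sshd_config(5): every component of ChrootDirectory must be a root-owned
# directory that is not writable by any other user or group; otherwise sshd
# logs "bad ownership or modes for chroot directory" and drops the session.
# Walks from DIR up to and including STOP. On a real host use STOP=/ and
# UID=0; the parameters exist so the check can be exercised on a scratch tree.
check_chroot_path() {
    d=$1; stop=$2; want=${3:-0}
    while :; do
        info=$(ls -ldn "$d" 2>/dev/null) || return 1
        set -- $info                      # $1 = mode string, $3 = numeric owner
        case $1 in
            d????-??-?*) ;;               # directory, no group/other write bit
            *) echo "$d: mode $1 (must be a dir, not group/other writable)" >&2
               return 1 ;;
        esac
        [ "$3" = "$want" ] || { echo "$d: owner uid $3, want $want" >&2; return 1; }
        [ "$d" = "$stop" ] && return 0
        parent=$(dirname "$d")
        [ "$parent" = "$d" ] && return 1  # reached / without meeting STOP
        d=$parent
    done
}

# check_dev_log DIR
# internal-sftp -l ... logs via syslog; inside the chroot that needs the
# socket syslogd creates with "-a DIR/dev/log" (a plain file is not enough).
check_dev_log() { [ -S "$1/dev/log" ]; }

# effective_config USER ADDR
# Ask sshd which options the Match block actually applies to this connection
# (sshd -T prints the effective configuration, option names in lower case).
effective_config() {
    /usr/sbin/sshd -T -C "user=$1,addr=$2" |
        grep -i -e '^chrootdirectory' -e '^forcecommand' -e '^subsystem'
}

# Usage: sftp_chroot_check.sh /etc/ssh/sshd_config /home/chroot/sync
if [ "$#" -eq 2 ]; then
    check_subsystem "$1"       && echo "subsystem: internal-sftp ok" || echo "subsystem: FAIL"
    check_chroot_path "$2" / 0 && echo "chroot path: ok"
    check_dev_log "$2"         && echo "/dev/log: ok" || echo "/dev/log: missing (needed only with -l)"
fi
```

effective_config has to run as root so that sshd can read the host keys.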