On Thu, February 4, 2010 05:28, Radu Radutiu wrote:
> Just for the reference if you want to keep SELINUX enabled and
> create a new instance of sshd (with the stock CentOS 5.4 sshd)
> with sftp only you can do the following:
>
> -create a copy of /etc/ssh/sshd_config e.g.
> cp /etc/ssh/sshd_config
On Thu, February 4, 2010 12:00, Ned Slider wrote:
>
>
> I was under the impression that sshd runs unconfined in the current
> CentOS?
>
> $ ps axZ | grep sshd
> system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00
> /usr/sbin/sshd
>
> For example, you don't need to change the ssh_p
James B. Byrne wrote:
>
> I am not sure what effect disabling SELinux support in SSH actually
> has from a security standpoint. So, if anyone cares to enlighten me
> on the consequences I would like to know.
>
I was under the impression that sshd runs unconfined in the current CentOS?
On Thu, February 4, 2010 10:08, Marc Wiatrowski wrote:
>
>>
>>
> Have you looked at using rssh as the user's shell? You can limit the
> user to a chroot sftp only. It's not stock, but ssh can then be.
>
> http://dag.wieers.com/rpm/packages/rssh/
>
I looked at rssh briefly yesterday when someone su
Just for the reference if you want to keep SELINUX enabled and create
a new instance of sshd (with the stock CentOS 5.4 sshd) with sftp only
you can do the following:
-create a copy of /etc/ssh/sshd_config e.g.
cp /etc/ssh/sshd_config /etc/ssh/sftpd_config
-change/add the following lines in sftpd
On Wed, February 3, 2010 12:02, Ned Slider wrote:
>
> What happens if you enable SELinux, i.e, set it to enforcing? Do you
> still see the same error message above?
>
I have rebuilt the thing without SELinux support and all seems to be
working now. Since, other than the sftp user, there are onl
On Wed, 2010-02-03 at 14:48 +, Ned Slider wrote:
> James B. Byrne wrote:
> > Note: I am a digest subscriber so if you could copy me directly on any
> > reply to the list I would appreciate it very much.
> >
>
>
>
> > After a modest amount of research we decided that the
> > best answer was
James B. Byrne wrote:
>
> The new server software works fine for regular ssh/sftp users.
> However, when logging on as a member of the chroot group we obtain
> this error:
>
> ssh_selinux_getctxbyname: ssh_selinux_getctxbyname:
> security_getenforce() failed
>
>
> # sestatus
> SELinux sta
Instead, might the use of SCP (instead of sftp subsystem) and a limited
shell be able to achieve your goal?
I found this when googling for "limited shell":
http://lshell.ghantoos.org/
Look at the "Use case".
There's also rbash, but on first glance lshell looks quite promising.
Kai
--
Get your w
On Wed, Feb 3, 2010 at 9:26 AM, James B. Byrne wrote:
>
> On Wed, February 3, 2010 09:48, Ned Slider wrote:
> > James B. Byrne wrote:
> >> Note: I am a digest subscriber so if you could copy me directly on
> >> any reply to the list I would appreciate it very much.
> >>
> >
> >
> >
> >> After a mo
On Wed, 2010-02-03 at 10:26 -0500, James B. Byrne wrote:
>
> So, I am left still seeking answers to my original questions.
>
> 1. Is it possible to mount the selinux filesystem twice on the same
> host having different roots?
Mount --bind *before* the chroot environment is entered should do the
On Wed, February 3, 2010 09:48, Ned Slider wrote:
> James B. Byrne wrote:
>> Note: I am a digest subscriber so if you could copy me directly on
>> any reply to the list I would appreciate it very much.
>>
>
>
>
>> After a modest amount of research we decided that the
>> best answer was to use a mo
James B. Byrne wrote:
> Note: I am a digest subscriber so if you could copy me directly on any
> reply to the list I would appreciate it very much.
>
> After a modest amount of research we decided that the
> best answer was to use a more recent version of OpenSSH (5.3p1) that
> supports chroot as