On Tue, 26 Mar 2024 10:28:11 +0100
Sylvain Saboua wrote:
> Match User media
> ForceCommand internal-sftp -d /home/media
> ChrootDirectory /home/media
> PasswordAuthentication yes
> AuthenticationMethods none
> PermitEmptyPasswords yes
you probably also
On Tue, 26 Mar 2024 at 23:49, Sylvain Saboua wrote:
[...]
> /bin/true is not in the /etc/shells file on my system.
> Did you suggest I should add it ?
I did suggest that as a possible resolution to your problem. Since
your problem is now resolved, I wouldn't change it.
--
Darren Tucker (dtucke
Problem solved, thank you !
Just removing the password asterisk using vipw was enough:
$ grep media /etc/passwd
media::2000:2000::/home/media:/sbin/nologin
and I am now able to log in, from the local network
(still need to open my ISP's box port and confirm that it
works remotely)
Le 2024-03-2
Sylvain Saboua writes:
[...]
> $ more /etc/ssh/sshd_config # relevant extracts and changes :
> ...
> PermitRootLogin no
> ...
> # override default of no subsystems
> #Subsystem sftp /usr/libexec/sftp-server -d /home/media
> Subsystem sftp internal-sftp # -d
You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
", then connect with "sftp -oport="), but...
On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua wrote:
[...]
> # useradd -g media -s /sbin/nologin -u 2000 -v media
Unless /sbin/nologin is in /etc/shells (which it probably sho
$ more /etc/ssh/sshd_config # relevant extracts and changes :
...
PermitRootLogin no
...
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server -d /home/media
Subsystem sftp internal-sftp # -d /home/media
Match User media
ForceCommand internal-sftp -d /home
Stuart Henderson :
> Do you have the correct directory?
>
> The user's home directory is appended to ChrootDirectory. e.g. in your example
> something like /home/of/the/hackers/home/myftpuser.
Super good, now I'm also chrooted..
Thanks a lot, Stuart!
-- Daniele Bonini
On 2023-03-09, Daniele Bonini wrote:
> I configured sshd to chroot ftp requests in this way:
>
> Match User myftpuser
> ChrootDirectory /home/of/the/hackers
> ForceCommand internal-sftp
>
> giving the proper permissions to the destination dir, etc.
> as from Peter doc too.
Do you have the
> let's remain on sftp topic..
I finally managed to receive the proper answers from my hosting
that permitted me change sshd port successfully.
On the other hand I came across some Linoox doc about how-to produce
a chroot ssh environment to make the sshd_config settings meaningful and
running a
On Thu, 9 Mar 2023 13:13:40 +0100
"Peter N. M. Hansteen" wrote:
> Further to the "why would you want to?" issue, I offer this from the
> Hail Mary Cloud cycle:
> https://bsdly.blogspot.com/2013/02/theres-no-protection-in-high-ports.html
About the only benefit is that having a non-standard port
Here I am with one more trouble..
(I'm still waiting for a proper reply from the hosting for the change of
sshd port and the related consequences to the VPS console but let's
remain on sftp topic..)
I configured sshd to chroot ftp requests in this way:
Match User myftpuser
ChrootDirectory /home
Peter N. M. Hansteen :
>
> That little guide I posted a link to has a section about setting up
> a separate set of users for sftp
Thank you for your answers and the doc too, Peter.
While I'm reading you I'm trying to grasp from my hosting what they are
enforcing
under their gui layer to understa
On Thu, Mar 09, 2023 at 01:31:47PM +0100, Daniele Bonini wrote:
>
> > change it to any number you want.
>
> VPS here come in a nice package with a default web console over ssh.
>
> Another one: if I try to nobody the user default shell
> I'm out of any luck to be able to connect.
That little g
cor...@free.fr wrote:
>
> Since sftp uses ssh port, you can just change the port for sshd.
> in sshd_config:
>
> Port 22
>
> change it to any number you want.
VPS here come in a nice package with a default web console over ssh.
Another one: if I try to nobody the user default shell
I'm out
On Thu, Mar 09, 2023 at 12:47:14PM +0100, Daniele Bonini wrote:
>
> I'm wondering if there is any chance to change the default
> listening port for sftp-server.
>
> NB: I'm using it on my Linoox VPS but I see from the man
> a given OpenBSD 2.8 port origin.
it is i
On 09/03/2023 19:47, Daniele Bonini wrote:
Hello,
I'm wondering if there is any chance to change the default
listening port for sftp-server.
NB: I'm using it on my Linoox VPS but I see from the man
a given OpenBSD 2.8 port origin.
Thanks, appreciated!
-- Daniele Bonini
Since
Hello,
I'm wondering if there is any chance to change the default
listening port for sftp-server.
NB: I'm using it on my Linoox VPS but I see from the man
a given OpenBSD 2.8 port origin.
Thanks, appreciated!
-- Daniele Bonini
On Fri, Dec 01, 2017 at 02:59:38AM -0500, Jiri B wrote:
> On Thu, Nov 30, 2017 at 05:36:57PM -0600, Edgar Pettijohn wrote:
> > I was looking into how best to secure a sftp-server. The manual
> > mentions a -Q option to query protocol features supported. I added the
> &
On Thu, Nov 30, 2017 at 05:36:57PM -0600, Edgar Pettijohn wrote:
> I was looking into how best to secure a sftp-server. The manual
> mentions a -Q option to query protocol features supported. I added the
> following line to sshd_config.
>
> Subsystem sftp /usr/libexec/s
I was looking into how best to secure a sftp-server. The manual
mentions a -Q option to query protocol features supported. I added the
following line to sshd_config.
Subsystem sftp /usr/libexec/sftp-server sftp -Q requests
So far I'm not sure how to get at the information provid
configuration of the
environment is necessary if the in-process sftp server is used, though
sessions which use logging do require /dev/log inside the chroot
directory (see sftp-server(8) for details)."
Syslogd has the following flags in rc.conf.local: syslogd_flags="-a
/home/chroot/dev/log&qu
#(this is the default line)
> Subsystem sftp /usr/libexec/sftp-server
You should change this line to:
Subsystem sftp internal-sftp
and it should work.
--
Manolis Tzanidakis
http://mtzanidakis.com/
mtzanidakis[at]gmail[dot]com
> Here is a snip from my sshd_config
>
> #(this is the default line)
> Subsystem sftp /usr/libexec/sftp-server
>
> #added the following match block
> Match Group remote-sync, Address 127.0.0.1
> ChrootDirectory /home/chroot/%u
> ForceCommand in
ult line)
> Subsystem sftp /usr/libexec/sftp-server
>
> #added the following match block
> Match Group remote-sync, Address 127.0.0.1
> ChrootDirectory /home/chroot/%u
> ForceCommand internal-sftp -f LOCAL0 -l INFO
> AllowAgentForwarding no
>
Hello,
(running current with OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012)
I'm trying to setup chrootdirectory in sshd_config as a test configuration
without success.
Here is a snip from my sshd_config
#(this is the default line)
Subsystem sftp /usr/libexec/sftp-server
#adde
On Sun, 27 Mar 2011 21:38:58 +0800
Marcus wrote:
> sftp-server logging with chroot in OpenBSD?
>
> I want to log upload/download information in sftp server
I don't know where your problem is, but this is how it works for me ;)
jirib
Match User
ChrootDirecto
Marcus,
(nice name, by the way :-)
f5b...@gmail.com (Marcus), 2011.03.27 (Sun) 15:38 (CEST):
> 4. http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8
> For logging to work, sftp-server must be able to access /dev/log. Use
of
> sftp-server in a chroot
sftp-server logging with chroot in OpenBSD?
I want to log upload/download information in sftp server
test two users: "root" and a chroot user "share"
1. add an sftp-only user share
/etc/passwd file
root:*:0:0:Charlie &:/root:/bin/ksh
...
share:*:1000:1000:share:/home/share
egard.
Penned by Denis Doroshenko on 20100108 18:31.28, we have:
| On 1/8/10, Todd T. Fries wrote:
| > You can chroot internal-sftp but not external.
|
| well i chrooted external no prob, just put inside the chroot what ldd
| /usr/libexec/sftp-server and i found out that the only thing, which i
On 1/8/10, Todd T. Fries wrote:
> You can chroot internal-sftp but not external.
well i chrooted external no prob, just put inside the chroot what ldd
/usr/libexec/sftp-server and i found out that the only thing, which is
sftp-server couldn't live without is /etc/pwd.db (besides minima
You can chroot internal-sftp but not external.
Penned by Denis Doroshenko on 20100108 16:50.31, we have:
| hi,
|
| are there any benefits of using internal-sftp over
| /usr/libexec/sftp-server (which is being used with default
| sshd_config)? sshd_config(5) says:
|
| For file
hi,
are there any benefits of using internal-sftp over
/usr/libexec/sftp-server (which is being used with default
sshd_config)? sshd_config(5) says:
For file transfer sessions using
``sftp'', no additional configuration of the environment is nec-
his in sshd_config:
>
> Subsystem sftp sftp-server -u 0022
Thanks, Darren. I see also that it's now also possible to explicitly
specify the identity file to use (-i) with the sftp client. Both are,
for me, sought after improvements.
The sftp-server manual page in -current mentions t
Lars Nooden wrote:
How can umask be set on the remote host for chrooted sftp users?
You can set it on the server side with sftp-server's "-u" option but
that's very new (post 4.6).
You would have something like this in sshd_config:
Subsystem sftp sftp-server -u 002
On Saturday 31 October 2009 10.13.44 you wrote:
> How can umask be set on the remote host for chrooted sftp users?
[...]
Set up a umask for your users' class in login.conf(5). Perhaps add them in a
new class, e.g.:
master.passwd(5):
user:*:1001:1001:sftp:0:0::/home/user:/bin/ksh
login.conf(5):
sft
, nor did
/etc/csh.cshrc or /etc/csh.login
A workaround for non-chroot sftp: If the sftp user authenticated using a
key, then the key in the ~/.ssh/authorized_keys file can be modified
with this: command="umask 0002;/usr/libexec/sftp-server;" but that
constrains that key to sftp use only an
dn't allow for reading.
> I'm not sure if sftp-server ever reads from /dev/null, but it is not
> impossible. Strange errors will occur if this is the case.
>
>
I'm thinking it might just be easier to make a copy of the /dev/null device,
but I need to investigate and test this...
On Friday 23 June 2006 16:42, Richard Wilson wrote:
> The only small fly in the ointment, is that according to
> http://pizzashack.org/rssh/platforms.shtml it doesn't work on *BSD,
> as it requires the missing wordexp() function. However, the page
> dates back to 2003, and I haven't the skills to c
Joshua Sandbrook wrote:
Gidday
I'm writing a shell at the moment that chroots into a user's home dir and then
runs only the sftp-server program (which is in the user's home dir).
Anyway, it won't work unless /dev/null is present in the chroot...
I am using execve to run sftp-server, and I am
ion might be to write a trivial shell and just have
> > /home/*/dev/null. Or, for that matter, /home/dev/null and chroot into
> > /home.
>
> Thanks for the reply...
>
> It is sftp-server that tries to open /dev/null.
>
> As I don't want to modify sftp-server or anythi
Thanks for the reply...
It is sftp-server that tries to open /dev/null.
As I don't want to modify sftp-server or anything like that, I think I'm going
to just populate each chroot environment with a /dev/null. However, as I don't
want /home to have any devices on it, is there a way to have some
On Wed, Jun 21, 2006 at 09:41:42AM +1200, Joshua Sandbrook wrote:
> Gidday
>
> I'm writing a shell at the moment that chroots into a user's home dir and then
> runs only the sftp-server program (which is in the user's home dir).
>
> Anyway, it won't work unless /dev/null is pre
wrote:
> Gidday
>
> I'm writing a shell at the moment that chroots into a user's home dir and
> then runs only the sftp-server program (which is in the user's home dir).
>
> Anyway, it won't work unless /dev/null is present in the chroot...
>
> I am using execve to run sftp-server,
Gidday
I'm writing a shell at the moment that chroots into a user's home dir and then
runs only the sftp-server program (which is in the user's home dir).
Anyway, it won't work unless /dev/null is present in the chroot...
I am using execve to run sftp-server, and I am wondering if it has
On Mon, Jan 23, 2006 at 11:10:16PM +0200, turha turha wrote:
> users are added, I'm guessing sftp-server doesn't inherit this functionality
> from ssh either, so is there any place to adjust the behavior ? or am I
> supposed to use some other tool to monitor sftp usage ?
>
ged in, but sftp users are not shown, I'm guessing this is
because they are not added to utmp, but why they aren't added I can't figure
out, AFAIK sftp-server subsystem doesn't have any flags like regular ftp
(for which -U , if I remember correctly, does the trick), and since ssh
On 8/2/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
> Just ran into a wall with the scponly option:
>
> "If you do use chroot(), your binary will need to be setuid."
>
> I'll pass on that one for now...
systrace could probably mitigate most of the risk here ... (privsep,
if you're good enoug
Just ran into a wall with the scponly option:
"If you do use chroot(), your binary will need to be setuid."
I'll pass on that one for now...
-mike
Quoting Scott Francis <[EMAIL PROTECTED]>:
On 8/2/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
Hi Scott;
Ran across this one yesterday, ju
pf would work fine, maybe with a tarpit-like (as in spamd-setup?). Not
sure if I want to be bothered with entertaining others though ;-) -mike
Quoting Scott Francis <[EMAIL PROTECTED]>:
On 8/2/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
Hi Scott;
Ran across this one yesterday, just wa
On 8/2/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
> Hi Scott;
>
> Ran across this one yesterday, just wasn't sure how secure it is as
> sftp-only. So far it looks like this will be what I may use, throwing
> in tcp-wrappers.
not a lot of difference between scp and sftp (aside from sftp bei
Hi Scott;
Ran across this one yesterday, just wasn't sure how secure it is as
sftp-only. So far it looks like this will be what I may use, throwing
in tcp-wrappers.
Thanks,
-mike
Quoting Scott Francis <[EMAIL PROTECTED]>:
On 8/1/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
[snip]
I
On 8/1/05, Michael C. Ibarra <[EMAIL PROTECTED]> wrote:
[snip]
> I am currently migrating/upgrading an entire farm of servers from
> RedHat Linux & Solaris to current and one of the roadblocks I am
> encountering is setting a chrooted sftp. I am aware of chroot.sf, but
> am looking for a solution
Greetings All;
First, it's great to be back, miss my obsd toys!
I am currently migrating/upgrading an entire farm of servers from
RedHat Linux & Solaris to current and one of the roadblocks I am
encountering is setting a chrooted sftp. I am aware of chroot.sf, but
am looking for a solution t