I've found sftponly shell to be really effective at making sftp chroots (without shell access). It's even got a shell script to build the chroot.
I can't remember the url for it off the top of my head, but I'm sure a google for sftponly would find it in the first result.
Theo
-----Original Message-----
From: "Montana Quiring" montanaq@gmail.com
Date: Mon, 18 Feb 2008 14:12:01
To: roundtable@muug.mb.ca
Subject: [RndTbl] chrooted sftp sessions using rssh
Hello,
I've been banging my head against the wall for a while now. My head is sore. Please help! :)
===========
What happens:
===========
See log below of sftp session. Essentially what happens is when I try to sftp into the server it asks for the password then I get a "Connection closed" message.

What I've done:
===========
1. verified home directory, and changed default shell to be rssh in: /etc/passwd

2. when I run:
#ldd /var/rssh/libexec/rssh_chroot_helper
I get...
linux-gate.so.1 => (0x00dfd000)
libc.so.6 => /lib/libc.so.6 (0x0054c000)
/lib/ld-linux.so.2 (0x0052e000)
I've copied all of /lib into the user's /home/testuser/lib directory (just to make sure) and it had all but the first file listed above. I read that I don't have to worry about the linux-gate.so.1 file, is that true?

3. made a null file:
#mknod -m 666 /home/testuser/dev/null c 1 3

4. copied over the usr, var directories from what was supposed to be a working chrooted directory
===============
Here are some Files:
===============

/var/rssh/etc/rssh.conf
--------------------------
logfacility = LOG_USER
allowsftp
umask = 022
user=testuser:011:00010:"/home/testuser"

/etc/ssh/ssh_config
----------------------
Host *
    GSSAPIAuthentication yes
    ForwardX11Trusted yes

/etc/ssh/sshd_config
----------------------
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
AllowUsers testuser
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
===============
Here are some Logs
===============

See below for the sftp session and some log results...

*********START****************
quiringm@montanaqL-67769:~$ sftp -v testuser@company.com
Connecting to company.com...
OpenSSH_4.6p1 Debian-5ubuntu0.1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to company.com [206.45.100.100] port 22.
debug1: Connection established.
debug1: identity file /home/quiringm/.ssh/id_rsa type -1
debug1: identity file /home/quiringm/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.0
debug1: match: OpenSSH_4.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'company.com' is known and matches the RSA host key.
debug1: Found key in /home/quiringm/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Trying private key: /home/quiringm/.ssh/id_rsa
debug1: Trying private key: /home/quiringm/.ssh/id_dsa
debug1: Next authentication method: password
testuser@company.com's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_CA.UTF-8
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
Connection closed
************END******************
Here's the tail from /var/log/secure:
**********START**********************
Feb 6 11:41:44 company sshd[28011]: Accepted password for testuser from ::ffff:192.168.1.254 port 58539 ssh2
Feb 6 11:41:44 company sshd[28015]: subsystem request for sftp
*********END******************

Here's the tail from /var/log/messages
**********START*************
Feb 6 11:41:44 company sshd(pam_unix)[28015]: session opened for user testuser by (uid=0)
Feb 6 11:41:44 company rssh[28016]: setting log facility to LOG_USER
Feb 6 11:41:44 company rssh[28016]: allowing sftp to all users
Feb 6 11:41:44 company rssh[28016]: setting umask to 022
Feb 6 11:41:44 company rssh[28016]: line 73: configuring user testuser
Feb 6 11:41:44 company rssh[28016]: setting testuser's umask to 011
Feb 6 11:41:44 company rssh[28016]: allowing sftp to user testuser
Feb 6 11:41:44 company rssh[28016]: chrooting testuser to /home/testuser
Feb 6 11:41:44 company rssh[28016]: chroot cmd line: /var/rssh/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
Feb 6 11:41:44 company sshd(pam_unix)[28015]: session closed for user testuser
*************END*****************

Here's the tail from /var/log/audit/audit.log
**START***********
type=USER msg=audit(1202320405.636:5044225): user pid=28189 uid=0 auid=4294967295 msg='PAM authentication: user=testuser exe=/usr/sbin/sshd (hostname=192.168.1.254, addr=192.168.1.254, terminal=ssh result=Success)'
type=USER msg=audit(1202320405.942:5044280): user pid=28189 uid=0 auid=4294967295 msg='PAM accounting: user=testuser exe=/usr/sbin/sshd (hostname=192.168.1.254, addr=192.168.1.254, terminal=ssh result=Success)'
type=USER msg=audit(1202320406.251:5044474): user pid=28191 uid=0 auid=4294967295 msg='PAM session open: user=testuser exe=/usr/sbin/sshd (hostname=192.168.1.254, addr=192.168.1.254, terminal=ssh result=Success)'
***********END**************

_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable
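Added example, not part of the thread or of rssh: a POSIX shell script that sanity-checks an rssh sftp chroot for the items the message above walks through, namely the program named in the logged "chroot cmd line" resolving inside the chroot, the on-disk libraries ldd reports for it, and the /dev/null device node made with mknod. The chroot path /home/testuser and the sftp-server path are taken from the thread and assumed as the layout; ldd(1) on a Linux host is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an rssh sftp chroot.
# The log line 'chroot cmd line: rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"'
# names the program that is executed after the chroot, so that path, its
# shared libraries and a /dev/null node must all exist under the chroot.
# Assumes a Linux host with ldd(1); the paths used at the bottom are examples.

# Print the on-disk library paths from ldd output read on stdin.
# Entries with no path, such as "linux-gate.so.1 => (0x00dfd000)" (the kernel
# vDSO), have no file on disk to copy and are skipped.
libs_from_ldd() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next } $1 ~ /^\// { print $1 }'
}

# Read paths on stdin, report those absent under chroot $1; return 1 if any.
missing_in_chroot() {
    chroot=$1; rc=0
    while IFS= read -r p; do
        [ -e "$chroot$p" ] || { echo "missing: $chroot$p"; rc=1; }
    done
    return $rc
}

# /dev/null must be a character device (as made by: mknod -m 666 dev/null c 1 3).
check_dev_null() {
    [ -c "$1/dev/null" ]
}

# Full check for chroot $1 and program $2 (path as seen inside the chroot):
# program present and executable, its libraries present, /dev/null present.
check_chroot() {
    chroot=$1; prog=$2; rc=0
    [ -x "$chroot$prog" ] || { echo "missing or not executable: $chroot$prog"; rc=1; }
    # The library list comes from ldd on the host copy of the same program.
    if [ -x "$prog" ]; then
        ldd "$prog" | libs_from_ldd | missing_in_chroot "$chroot" || rc=1
    fi
    check_dev_null "$chroot" || { echo "missing char device: $chroot/dev/null"; rc=1; }
    return $rc
}

# Example invocation with the paths from the thread (run as root on the server):
# check_chroot /home/testuser /usr/libexec/openssh/sftp-server
```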