On Fri, Feb 6, 2009 at 12:43 PM, Derek Martin <[email protected]> wrote:

> On Fri, Feb 06, 2009 at 12:13:22PM -0600, Robert Dailey wrote:
> > Match user kenny
> >     X11Forwarding no
> >     AllowTcpForwarding no
> >     ForceCommand internal-sftp
> >     ChrootDirectory /mnt/kenny
> >
> > When I try to connect to the server using user 'kenny', it fails to allow me
> > to connect as if ChrootDirectory is still taking control of handling chroot,
>
> That's because it is... you need to shut that off.  Anything sshd does
> happens before rssh is involved, so if you tell sshd to chroot, it
> will, and you'll be subject to all those same restrictions.
>
> > What else can I do?
>
> After you fix sshd, then you need to read all the documentation
> regarding setting up a chroot jail with rssh.  It's complicated, and
> system-dependent, so you need to have a good understanding of how it
> works before you will be successful.
>
> Why doesn't rssh do this for you?  It's because rssh works with your
> sshd (which may be any version of OpenSSH, or even some other sshd).
> OpenSSH's chroot functionality can take care of this all for you,
> because it is doing it on behalf of itself... it knows exactly which
> of its files and supporting programs it will need to copy into the
> jail.  Whereas rssh is working with an unspecified third-party SSH
> implementation, all it can really do is guess, and there's a good
> chance it will guess wrong.  Not only that, but you may need
> additional files or programs to meet your specific needs (e.g. you may
> or may not want cvs binaries, rsync, etc.)...  So it's crucial that
> the sysadmin understands the process.
>
> This is the same reason why I don't fold in updates that people send
> to the example script I provide for setting up a chroot jail.  The
> details are platform-dependent, and also sshd-dependent.  Changes
> people make will almost certainly not work for other people with
> different configurations...  So, rather than trying to write (and
> maintain) code that figures all that out, for every conceivable
> configuration of sshd, it's left as an exercise for you, the system
> administrator.  But I've given you good docs to explain it -- it's up
> to you to read them.


I've read the docs (man pages) for rssh
<http://www.digipedia.pl/man/rssh.1.html> and rssh.conf
<http://www.digipedia.pl/man/rssh.conf.5.html>, however I am at a
stopping point. I really don't know enough about Linux, rssh, or ssh to be
able to diagnose these problems by myself. So while it is easy to tell
someone to reference the docs, that's not always the appropriate solution to
all questions. I've done as much reading as I can. If you have more I can
read, please provide me links to them so I may read them. If there is
nothing else to read, then I would appreciate it if someone could help me
out with my specific issues. The very fact that rssh is platform-dependent
means that each problem is probably never the same and needs special
attention. Documentation does not address platform-level configuration or
troubleshooting when the goal is to make the documentation generic.

For example, none of the documentation I read stated what the owner, group,
and permissions should be on the chroot directory. In addition, sftp (in
sshd_config by default on Archlinux) is configured to be:

"Subsystem   sftp    /usr/lib/ssh/sftp-server"

And when I try to connect via SFTP using WinSCP, it says:

*Connection has been unexpectedly closed. Server sent command exit status 1.
Cannot initialize SFTP protocol. Is the host running a SFTP server?*

Not sure what to do. The documentation isn't helping.
_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
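
Added example, not part of the original messages and not rssh or OpenSSH code: for the sshd-side ChrootDirectory in the quoted Match block, sshd_config(5) requires every component of the path to be a root-owned directory that is not writable by group or others, and this Python check walks the components of /mnt/kenny and reports each violation. The function names and the owner_uid parameter are assumptions made for illustration, and the check does not cover rssh's own chroot jail setup.

```python
import os
import stat
import sys


def chroot_components(path):
    """Return every directory from / down to the chroot target, in order."""
    parts = [os.path.abspath(path)]
    while os.path.dirname(parts[-1]) != parts[-1]:
        parts.append(os.path.dirname(parts[-1]))
    return list(reversed(parts))


def audit_chroot(path, owner_uid=0):
    """Return (component, problem) pairs for a ChrootDirectory path.

    owner_uid is a hypothetical parameter (default 0, i.e. root) so the
    check can be exercised without root privileges.
    """
    problems = []
    for comp in chroot_components(path):
        try:
            st = os.stat(comp)  # follows symlinks
        except OSError as exc:
            problems.append((comp, f"cannot stat: {exc.strerror}"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
            continue
        if st.st_uid != owner_uid:
            problems.append(
                (comp, f"owned by uid {st.st_uid}, expected {owner_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, f"group/other writable (mode {mode:o})"))
    return problems


if __name__ == "__main__":
    # /mnt/kenny is the ChrootDirectory from the Match block quoted above.
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/kenny"
    findings = audit_chroot(target)
    for comp, problem in findings:
        print(f"{comp}: {problem}")
    sys.exit(1 if findings else 0)
```

An empty result means the path satisfies the ownership and mode rule; it says nothing about whether the sftp subsystem can start inside the jail.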
