Hello,

   I'm trying to set up restricted ssh on my test system before making any 
rollout decisions, and I'm a bit stuck.

  I have /usr/medent/users as my chroot directory, and
/usr/medent/users/insco_test as the login user's home directory. I have a
symbolic link: /users --> /usr/medent/users

The chroot jail with `scp' works, but sftp doesn't, and for the life of me, 
I can't figure out why.

   I'm using CentOS, equivalent to Red Hat 3.4.6-8, on a Linux 2.6.9-55 kernel.
   I recompiled from openssh-4.7p1.tar.gz, and I installed the rpm:
rssh-2.3.2-1.2.el4.rf.i386.rpm
   The configure script didn't like that I had an insecure zlib, so I configured
with the switch:
       --without-zlib-version-check
   make and make install ran OK.

  For diagnosis, I run debug on the sshd, and verbose on the ssh client.

  If I send a file with scp, it works.

The debugs on the daemon say in part:
.....................    snip   ........................
debug2: fd 8 setting O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug2: fd 10 setting O_NONBLOCK
debug2: channel 0: read 378 from efd 10
debug2: channel 0: rwin 131072 elen 378 euse 1
debug2: channel 0: sent ext data 378
.... /snip .......

 The verbose text on the client says in part:
.....................    snip   ........................
Environment:
  USER=insco_test
  LOGNAME=insco_test
  HOME=/insco_test
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
  MAIL=/var/mail/insco_test
  SHELL=/usr/bin/rssh
  SSH_CLIENT=10.80.8.113 4235 22
  SSH_CONNECTION=10.80.8.113 4235 10.80.12.20 22
debug3: channel 0: close_fds r -1 w -1 e -1 c -1
Could not chdir to home directory /insco_test: No such file or directory
cut.txt                                       100% 1508     1.5KB/s   00:00
.... /snip .......

If I create the directory /insco_test, the file goes to the right place,
/usr/medent/users/insco_test, which is within the chroot jail, so the client
error "Could not chdir..." is a red herring.

  If I use sftp instead of scp, I get an error if /usr/bin/rssh is my shell:

  The debugs on the daemon say in part:
.....................    snip   ........................
subsystem request for sftp
debug1: subsystem: exec() /usr/medent/users/usr/libexec/openssh/sftp-server -
l VERBOSE
debug2: fd 3 setting TCP_NODELAY
debug2: fd 8 setting O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug2: channel 0: read<=0 rfd 8 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
.... /snip .......
   With bash instead of rssh, I don't get the read<=0 line.

  The verbose text on the client shows:
.....................    snip   ........................
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
Connection closed
.... /snip .......

  Uncommented lines in /etc/rssh.conf are:
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath = "/usr/medent/users"
user=insco_test:011:00011:"/usr/medent/users"  # both with chroot
  The pertinent line in my password file is:
insco_test:x:734:501::/insco_test:/usr/bin/rssh

  I have all the pertinent libraries from ldd scp and ldd sftp. One of the
libraries is libz.so.1, and the configure of openssh didn't like my zlib. Is that
my problem, why scp works and sftp doesn't? I copied *all* libraries from /lib
and /usr/lib into /users/lib and /users/usr/lib respectively, as suggested in the
FAQ, but still the same.

  Next step was to run strace. My connection spawns a child process:
.....................    snip   ........................
[pid 29484] stat64("/usr/medent/users/usr/libexec/openssh/sftp-server", {st_mode=S_IFREG|S_ISUID|S_ISGID|0777, st_size=141125, ...}) = 0
[pid 29484] write(2, "debug1: subsystem: exec() /usr/m"..., 88debug1: subsystem: exec() /usr/medent/users/usr/libexec/openssh/sftp-server -l VERBOSE
) = 88
[pid 29484] socketpair(PF_FILE, SOCK_STREAM, 0, [7, 8]) = 0
[pid 29484] socketpair(PF_FILE, SOCK_STREAM, 0, [9, 10]) = 0
[pid 29484] clone(Process 29485 attached
.... /snip .......

It seems to work until I see this in the Strace:
.....................    snip   ........................
[pid 29484] select(9, [3 5 8], [], NULL, NULL <unfinished ...>
[pid 29485] write(2, "  HOME=/insco_test\n", 19) = 19
[pid 29485] write(2, "  PATH=/usr/bin:/bin:/usr/sbin:/"..., 52) = 52
[pid 29485] write(2, "  MAIL=/var/mail/insco_test\n", 28) = 28
[pid 29485] write(2, "  SHELL=/usr/bin/rssh\n", 22) = 22
[pid 29485] write(2, "  SSH_CLIENT=10.80.8.113 2252 22"..., 33) = 33
[pid 29485] write(2, "  SSH_CONNECTION=10.80.8.113 225"..., 49) = 49
[pid 29485] close(3)                    = 0
[pid 29485] write(2, "debug3: channel 0: close_fds r -"..., 50) = 50
[pid 29485] close(3)                    = -1 EBADF (Bad file descriptor)
[pid 29485] close(4)                    = 0
[pid 29485] close(5)                    = 0
[pid 29485] close(6)                    = 0
[pid 29485] close(7)                    = 0
[pid 29485] close(8)                    = -1 EBADF (Bad file descriptor)
[pid 29485] close(9)                    = 0
[pid 29485] close(10)                   = -1 EBADF (Bad file descriptor)

.... /snip .......

  It then closes over 1000 file descriptors under the spawned PID.

  What could this problem be?

  Thanks!




_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
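The poster checks by hand that every library listed by ldd for scp and sftp-server exists inside the chroot. The script below is an added example, not from the post or from the rssh project, that does that check mechanically: it parses ldd output, prefixes each library path with the chroot directory, and reports anything missing. The real invocation would be something like `ldd /usr/libexec/openssh/sftp-server | missing_in_chroot /usr/medent/users` (the binary path inside the jail is taken from the poster's debug log); since this example has to run offline, it instead feeds a constructed ldd listing (not real output from that system) into a temporary jail with one library deliberately left out. The function names `ldd_paths`, `missing_in_chroot` and `demo` are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every shared library a
# binary needs, as reported by ldd, is present at the same path under a chroot.

# Read ldd output on stdin and print one absolute library path per line.
# Handles both "libz.so.1 => /usr/lib/libz.so.1 (0x...)" and the bare
# "/lib/ld-linux.so.2 (0x...)" form; skips the kernel vdso pseudo-entry,
# which has no file on disk.
ldd_paths() {
    awk '
        /linux-vdso|linux-gate/ { next }
        /=>/ { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Usage: ldd <binary> | missing_in_chroot <chroot_dir>
# Prints each library that is absent under <chroot_dir>. Returns 0 if the
# jail has everything, 1 if anything is missing.
missing_in_chroot() {
    chroot_dir=$1
    missing=0
    for lib in $(ldd_paths); do
        if [ ! -e "$chroot_dir$lib" ]; then
            echo "MISSING: $chroot_dir$lib"
            missing=1
        fi
    done
    return $missing
}

# Constructed ldd listing for the demo (not captured from a real system).
SAMPLE_LDD='        linux-gate.so.1 =>  (0x00aa0000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00111000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00222000)
        /lib/ld-linux.so.2 (0x00333000)'

# Build a throwaway jail that has libz and libc but not the dynamic loader,
# run the check against it, and return the check's status.
demo() {
    jail=$(mktemp -d)
    mkdir -p "$jail/usr/lib" "$jail/lib/tls"
    : > "$jail/usr/lib/libz.so.1"
    : > "$jail/lib/tls/libc.so.6"
    # /lib/ld-linux.so.2 is deliberately not created.
    if printf '%s\n' "$SAMPLE_LDD" | missing_in_chroot "$jail"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$jail"
    return $rc
}

demo || echo "jail is incomplete"
```

Running the check against the jail described in the post would tell you, per library, whether the copy into /users/lib and /users/usr/lib actually landed at the path the loader will look for; a missing dynamic loader in particular makes exec fail inside the chroot with no message from the binary itself, which is consistent with a child that exits immediately as in the strace above.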