[RndTbl] chrooted sftp sessions using rssh

Theodore Baschak theodore at nerdzone.ca
Mon Feb 18 14:30:55 CST 2008


I've found sftponly shell to be really effective at making sftp chroots (without shell access). It's even got a shell script to build the chroot.

I can't remember the URL for it off the top of my head, but I'm sure a google for sftponly would find it in the first result.

Theo

-----Original Message-----
From: "Montana Quiring" <montanaq at gmail.com>

Date: Mon, 18 Feb 2008 14:12:01
To: roundtable at muug.mb.ca
Subject: [RndTbl] chrooted sftp sessions using rssh


Hello,

I've been banging my head against the wall for a while now. My head is
sore. Please help! :)


===========
What happens:
===========
See log below of sftp session.
Essentially what happens is when I try to sftp into the server it asks
for the password then I get a "Connection closed" message.


===========
What I've done:
===========
1. verified home directory, and changed default shell to be rssh in:
/etc/passwd

2. when I run:
#ldd /var/rssh/libexec/rssh_chroot_helper
I get...
        linux-gate.so.1 =>  (0x00dfd000)
        libc.so.6 => /lib/libc.so.6 (0x0054c000)
        /lib/ld-linux.so.2 (0x0052e000)
I've copied all of /lib into the user's /home/testuser/lib directory
(just to make sure) and it had all but the first file listed above.
I read that I don't have to worry about the linux-gate.so.1 file, is that true?

3. made a null file:
#mknod -m 666 /home/testuser/dev/null c 1 3

4. copied over the usr, var directories from what was supposed to be a
working chrooted directory

===============
Here are some Files:
===============

/var/rssh/etc/rssh.conf
--------------------------
logfacility = LOG_USER
allowsftp
umask = 022
user=testuser:011:00010:"/home/testuser"

/etc/ssh/ssh_config
----------------------
Host *
        GSSAPIAuthentication yes
        ForwardX11Trusted yes

/etc/ssh/sshd_config
----------------------
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
AllowUsers testuser
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

===============
Here are some Logs
===============

See below for the sftp session and some log results...
*********START****************
quiringm at montanaqL-67769:~$ sftp -v testuser at company.com
Connecting to company.com...
OpenSSH_4.6p1 Debian-5ubuntu0.1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to company.com [206.45.100.100] port 22.
debug1: Connection established.
debug1: identity file /home/quiringm/.ssh/id_rsa type -1
debug1: identity file /home/quiringm/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.0
debug1: match: OpenSSH_4.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'company.com' is known and matches the RSA host key.
debug1: Found key in /home/quiringm/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Next authentication method: publickey
debug1: Trying private key: /home/quiringm/.ssh/id_rsa
debug1: Trying private key: /home/quiringm/.ssh/id_dsa
debug1: Next authentication method: password
testuser at company.com's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_CA.UTF-8
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
Connection closed
************END******************

Here's the tail from /var/log/secure:
**********START**********************
Feb  6 11:41:44 company sshd[28011]: Accepted password for testuser
from ::ffff:192.168.1.254 port 58539 ssh2
Feb  6 11:41:44 company sshd[28015]: subsystem request for sftp
*********END******************

Here's the tail from /var/log/messages:
**********START*************
Feb  6 11:41:44 company sshd(pam_unix)[28015]: session opened for
user testuser by (uid=0)
Feb  6 11:41:44 company rssh[28016]: setting log facility to LOG_USER
Feb  6 11:41:44 company rssh[28016]: allowing sftp to all users
Feb  6 11:41:44 company rssh[28016]: setting umask to 022
Feb  6 11:41:44 company rssh[28016]: line 73: configuring user testuser
Feb  6 11:41:44 company rssh[28016]: setting testuser's umask to 011
Feb  6 11:41:44 company rssh[28016]: allowing sftp to user testuser
Feb  6 11:41:44 company rssh[28016]: chrooting testuser to /home/testuser
Feb  6 11:41:44 company rssh[28016]: chroot cmd line:
/var/rssh/libexec/rssh_chroot_helper 2
"/usr/libexec/openssh/sftp-server"
Feb  6 11:41:44 company sshd(pam_unix)[28015]: session closed for
user testuser
*************END*****************

Here's the tail from /var/log/audit/audit.log:
**START***********
type=USER msg=audit(1202320405.636:5044225): user pid=28189 uid=0
auid=4294967295 msg='PAM authentication: user=testuser
exe=/usr/sbin/sshd (hostname=192.168.1.254, addr=192.168.1.254,
terminal=ssh result=Success)'
type=USER msg=audit(1202320405.942:5044280): user pid=28189 uid=0
auid=4294967295 msg='PAM accounting: user=testuser exe=/usr/sbin/sshd
(hostname=192.168.1.254, addr=192.168.1.254, terminal=ssh
result=Success)'
type=USER msg=audit(1202320406.251:5044474): user pid=28191 uid=0
auid=4294967295 msg='PAM session open: user=testuser
exe=/usr/sbin/sshd (hostname=192.168.1.254, addr=192.168.1.254,
terminal=ssh result=Success)'
***********END**************
_______________________________________________
Roundtable mailing list
Roundtable at muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable
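Added example, not part of either message above: a small POSIX shell script that automates the "What I've done" steps (resolve a program's shared libraries with ldd, copy them into the chroot, create dev/null with mknod) and then checks that nothing is missing. It also answers the linux-gate.so.1 question in code: that entry is the kernel-provided vDSO, which has no file on disk, so it is filtered out and never copied. Because rssh_chroot_helper chroots first and then executes the sftp-server path, that binary and its libraries must exist under the chroot as well, which is why the usage line points at /usr/libexec/openssh/sftp-server. The sample ldd output embedded below is constructed from the one quoted in the thread; the chroot path and binary names are assumptions to adjust for your own system.

```shell
#!/bin/sh
# Added example (not from the thread): build and verify a minimal sftp chroot.
# Paths below are assumptions; SAMPLE_LDD is constructed from the thread's ldd output.

SAMPLE_LDD='        linux-gate.so.1 =>  (0x00dfd000)
        libc.so.6 => /lib/libc.so.6 (0x0054c000)
        /lib/ld-linux.so.2 (0x0052e000)'

# ldd_libs: read ldd output on stdin, print only the on-disk library paths.
# linux-gate.so.1 (linux-vdso.so.1 on newer kernels) is the kernel-provided vDSO:
# no file backs it, so it is dropped and never needs to be copied into the chroot.
ldd_libs() {
    awk '
        /linux-gate|linux-vdso/ { next }
        /=>/ { for (i = 1; i <= NF; i++) if ($i == "=>" && $(i+1) ~ /^\//) print $(i+1); next }
        $1 ~ /^\// { print $1 }
    '
}

# chroot_deps BIN...: every file (programs plus their shared libraries) the chroot
# needs for the given programs, resolved with the real ldd on this host.
chroot_deps() {
    for bin in "$@"; do
        printf '%s\n' "$bin"
        ldd "$bin" 2>/dev/null | ldd_libs
    done | sort -u
}

# build_chroot ROOT BIN...: copy each program and its libraries under ROOT, keeping
# the same directory layout, and create the dev/null node rssh needs (thread step 3).
# Needs root because of mknod.
build_chroot() {
    root=$1; shift
    chroot_deps "$@" | while IFS= read -r f; do
        mkdir -p "$root$(dirname "$f")"
        cp -p "$f" "$root$f"
    done
    mkdir -p "$root/dev"
    [ -c "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3
}

# check_chroot ROOT BIN...: report anything still missing; returns 0 only when complete.
check_chroot() {
    root=$1; shift
    rc=0
    for f in $(chroot_deps "$@"); do
        [ -e "$root$f" ] || { echo "missing: $root$f"; rc=1; }
    done
    [ -c "$root/dev/null" ] || { echo "missing: $root/dev/null (char 1,3)"; rc=1; }
    return $rc
}

# Usage (as root, paths are assumptions matching the thread's setup):
#   build_chroot /home/testuser /usr/libexec/openssh/sftp-server
#   check_chroot /home/testuser /usr/libexec/openssh/sftp-server
```

Run check_chroot after every change to the chroot instead of guessing from "Connection closed": with sshd's own logs saying only that the subsystem request was accepted and the session closed, a missing library or a dev/null that is a regular file rather than a character device is exactly the kind of defect this check surfaces.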