LinuxQuestions.org
Old 01-29-2009, 02:31 AM   #1
NaCo
Chroot SSH problem: ssh working, not SFTP & SCP.


Hello community,

I have run a shell script to chroot SSH; this way users will not be able to browse directories and files outside the jail.

The script can be found at:
http://www.fuschlberger.net/?lang=&n...&t=&dir=&c=&n=

After installation I am able to successfully ssh to my Fedora box from a remote XP host using PuTTY. Good! Chrooted ssh is working, which is not the case for SFTP and SCP.

Using the same process with WinSCP results in failure.
Going after the logs I found out the following:

Jan 28 23:41:15 localhost sshd[5454]: Accepted password for testuser from 10.10.10.51 port 4385 ssh2
Jan 28 23:41:15 localhost sshd[5454]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Jan 28 23:41:15 localhost sshd[5456]: subsystem request for sftp
Jan 28 23:41:15 localhost sudo: testuser : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/chroot/home/testuser ; USER=root ; COMMAND=/usr/sbin/chroot /home/chroot /bin/su - testuser -c /usr/libexec/openssh/sftp-server
Jan 28 23:41:15 localhost sshd[5454]: pam_unix(sshd:session): session closed for user testuser

I cat my sudoers file and I find an entry for this user at the end of the file:
testuser ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - testuser

I cannot figure it out though.
I lack knowledge editing this file.

Any help or suggestion will be appreciated.

Thank you
NaCo
 
Old 01-31-2009, 02:59 PM   #2
alan_ri
You could try to change /bin/su - testuser to /bin/testuser. You gave testuser some root privileges with su -. It looks to me that that's what is "confusing" sftp.
 
Old 02-01-2009, 01:12 AM   #3
slimm609
Quote:
Originally Posted by alan_ri
You could try to change /bin/su - testuser to /bin/testuser. You gave testuser some root privileges with su -. It looks to me that that's what is "confusing" sftp.

The su - testuser is trying to su to the account testuser.



OP.
You need to move some of the tty information inside of the chroot. I don't know how well that will work since they are devices, but it is worth a try.

Last edited by slimm609; 02-01-2009 at 01:14 AM.
 
Old 02-01-2009, 02:23 AM   #4
NaCo
FIXED!

Thank you guys!


I got it to work; I just needed to change a setting in the sudoers configuration file. Take a look at:

http://www.howtoforge.com/forums/showthread.php?t=30777

NaCo (AKA:angelito,angel,angelcool)
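
The refusal in the log from post #1 is the message sudo prints when its requiretty default is in effect, and the sftp subsystem request arrives with no terminal (TTY=unknown). As an added example that is not part of any post in this thread, the script below pulls the refused account from the log and checks whether a sudoers file leaves requiretty on for it; the sudoers fragments and the per-user `Defaults:testuser !requiretty` exemption are constructed for illustration, since the thread does not say which setting was changed.

```shell
#!/bin/sh
# Added example (not from the thread). Simplifications: only plain "Defaults"
# and "Defaults:<user>" lines are read, applied in file order with the last
# match winning; aliases, includes and line continuations are ignored.

# Print the account named in each sudo tty refusal found in a log on stdin.
tty_refused_users() {
    awk '/you must have a tty to run sudo/ {
        for (i = 1; i < NF; i++) if ($i == "sudo:") { print $(i + 1); break }
    }'
}

# Print "on" or "off": is requiretty in effect for user $1 (sudoers on stdin)?
requiretty_state() {
    awk -v user="$1" '
        BEGIN { state = "off" }            # off unless a Defaults line sets it
        /^[ \t]*#/ { next }                # skip comment lines
        $1 == "Defaults" || $1 == ("Defaults:" user) {
            for (i = 2; i <= NF; i++) {
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++) {
                    if (opt[j] == "requiretty")  state = "on"
                    if (opt[j] == "!requiretty") state = "off"
                }
            }
        }
        END { print state }'
}

# Log lines as posted in the thread (sudo line abridged after TTY=unknown).
sample_log() { cat <<'EOF'
Jan 28 23:41:15 localhost sshd[5456]: subsystem request for sftp
Jan 28 23:41:15 localhost sudo: testuser : sorry, you must have a tty to run sudo ; TTY=unknown
EOF
}
# Constructed sudoers fragments: global requiretty, then a scoped exemption.
sudoers_before() { cat <<'EOF'
Defaults    requiretty
testuser ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - testuser
EOF
}
sudoers_after() { sudoers_before; echo 'Defaults:testuser !requiretty'; }

for u in $(sample_log | tty_refused_users); do
    echo "$u before: $(sudoers_before | requiretty_state "$u")"
    echo "$u after:  $(sudoers_after | requiretty_state "$u")"
done
```

Scoping the exemption to the jailed account keeps the tty requirement in force for every other user; any real sudoers change should go through visudo so a syntax error cannot lock sudo out.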
 
  

