draeath
06-13-2012 10:20 AM
rssh - sftp and scp nonfunctional
Hello,
I've got a centos6 server. I want to give someone SCP access for their webspace but prevent them from running amok in the shell. rssh seems like a good fit - so I installed it from yum (in official repos), put it in /etc/shells, and did a chsh for him.
However, it doesn't seem to work. For example, if he tries to use WinSCP he gets either:
"Cannot initialize SFTP protocol. Is the host running a SFTP server?" or "Error skipping startup message. Your shell is probably incompatible with the application."
If I check /var/log/secure, I see him successfully log in and request the SFTP or SCP subsystem, then immediately disconnect.
I've checked my audit logs and SELinux (which is enforcing) is not blocking anything.
If I use another shell (bash or rbash) it works, but I don't want him to have shell access (bash is out) and rbash is quite easy to circumvent.
Here's a copy of my rssh config. As you can see, I've done nothing but uncomment the three "allow" lines.
Code:
# This is the default rssh config file
# set the log facility. "LOG_USER" and "user" are equivalent.
logfacility = LOG_USER
# Leave these all commented out to make the default action for rssh to lock
# users out completely...
allowscp
allowsftp
#allowcvs
#allowrdist
allowrsync
# set the default umask
umask = 022
# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
# chrootpath = /usr/local/chroot
# You can quote anywhere, but quotes not required unless the path contains a
# space... as in this example.
#chrootpath = "/usr/local/my chroot"
##########################################
# EXAMPLES of configuring per-user options
#user=rudy:077:00010: # the path can simply be left out to not chroot
#user=rudy:077:00010 # the ending colon is optional
#user=rudy:011:00100: # cvs, with no chroot
#user=rudy:011:01000: # rdist, with no chroot
#user=rudy:011:10000: # rsync, with no chroot
#user="rudy:011:00001:/usr/local/chroot" # whole user string can be quoted
#user=rudy:01"1:00001:/usr/local/chroot" # or somewhere in the middle, freak!
#user=rudy:'011:00001:/usr/local/chroot' # single quotes too
# if your chroot_path contains spaces, it must be quoted...
# In the following examples, the chroot_path is "/usr/local/my chroot"
#user=rudy:011:00001:"/usr/local/my chroot" # scp with chroot
#user=rudy:011:00010:"/usr/local/my chroot" # sftp with chroot
#user=rudy:011:00011:"/usr/local/my chroot" # both with chroot
# Spaces before or after the '=' are fine, but spaces in chrootpath need
# quotes.
#user = "rudy:011:00001:/usr/local/my chroot"
#user = "rudy:011:00001:/usr/local/my chroot" # neither do comments at line end
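To check what an rssh.conf like the one posted actually grants, here is an added audit script; it is not part of the original post or of rssh itself. It decodes the per-user access field using the bit order the config comments show (rsync rdist cvs sftp scp, left to right) and lists the uncommented global allow* keywords; the sample config it writes is constructed for the demonstration.

```shell
# Added example (not from the post): report what an rssh.conf grants.
# Access-bit order follows the posted config's comments: rsync rdist cvs sftp scp.

# Decode one five-digit access field into protocol names, left to right.
rssh_decode_bits() {
    bits=$1
    [ "${#bits}" -eq 5 ] || { echo "bad access field: '$bits'" >&2; return 1; }
    out=""; i=1
    for name in rsync rdist cvs sftp scp; do
        case $(printf '%s' "$bits" | cut -c"$i") in
            1) out="$out $name" ;;
            0) ;;
            *) echo "bad access field: '$bits'" >&2; return 1 ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Global protocols: uncommented allowscp/allowsftp/... keywords, in file order.
rssh_global_allows() {
    sed -e 's/#.*//' "$1" |
        awk '$1 ~ /^allow(scp|sftp|cvs|rdist|rsync)$/ { sub(/^allow/, "", $1); printf "%s%s", sep, $1; sep=" " } END { print "" }'
}

# Per-user overrides: user=name:umask:bits[:chroot]; quotes may appear anywhere.
rssh_user_entries() {
    sed -e 's/#.*//' -e "s/[\"']//g" -e 's/[[:space:]]*$//' "$1" |
        sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*//p' |
        while IFS=: read -r name umask bits chroot; do
            access=$(rssh_decode_bits "$bits") || continue
            printf '%s umask=%s access=%s chroot=%s\n' \
                "$name" "$umask" "${access:-none}" "${chroot:-none}"
        done
}

# Constructed sample config mirroring the poster's global lines plus two
# per-user entries; written to a temp file whose path is printed.
rssh_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
allowscp
allowsftp
#allowcvs
allowrsync
user=webuser:077:00011:"/var/www/chroot dir"   # scp+sftp, chrooted
user = "backup:077:10000"                       # rsync only, no chroot
EOF
    printf '%s\n' "$f"
}
```

Since rssh reports its own refusals through syslog at the configured logfacility (LOG_USER here), those messages land wherever the user facility is routed (typically /var/log/messages on a default CentOS 6 rsyslog setup) rather than in /var/log/secure.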