LinuxQuestions.org
Old 06-13-2012, 11:20 AM   #1
draeath
rssh - sftp and scp nonfunctional


Hello,

I've got a centos6 server. I want to give someone SCP access for their webspace but prevent them from running amok in the shell. rssh seems like a good fit - so I installed it from yum (in official repos), put it in /etc/shells, and did a chsh for him.

However, it doesn't seem to work. For example, if he tries to use WinSCP he gets either:

"Cannot initialize SFTP protocol. Is the host running a SFTP server?" or "Error skipping startup message. Your shell is probably incompatible with the application."

If I check /var/log/secure, I see him successfully log in and request the SFTP or SCP subsystem, then immediately disconnect.

I've checked my audit logs and SELinux (which is enforcing) is not blocking anything.

If I use another shell (bash or rbash) it works, but I don't want him to have shell access (bash is out) and rbash is quite easy to circumvent.

Here's a copy of my rssh config. As you can see I've done nothing but uncomment the three "allow" lines.

Code:
# This is the default rssh config file

# set the log facility.  "LOG_USER" and "user" are equivalent.
logfacility = LOG_USER

# Leave these all commented out to make the default action for rssh to lock
# users out completely...

allowscp
allowsftp
#allowcvs
#allowrdist
allowrsync

# set the default umask
umask = 022

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
# chrootpath = /usr/local/chroot

# You can quote anywhere, but quotes not required unless the path contains a
# space... as in this example.
#chrootpath = "/usr/local/my chroot"

##########################################
# EXAMPLES of configuring per-user options

#user=rudy:077:00010:  # the path can simply be left out to not chroot
#user=rudy:077:00010   # the ending colon is optional

#user=rudy:011:00100:  # cvs, with no chroot
#user=rudy:011:01000:  # rdist, with no chroot
#user=rudy:011:10000:  # rsync, with no chroot
#user="rudy:011:00001:/usr/local/chroot"  # whole user string can be quoted
#user=rudy:01"1:00001:/usr/local/chroot"  # or somewhere in the middle, freak!
#user=rudy:'011:00001:/usr/local/chroot'  # single quotes too

# if your chroot_path contains spaces, it must be quoted...
# In the following examples, the chroot_path is "/usr/local/my chroot"
#user=rudy:011:00001:"/usr/local/my chroot"  # scp with chroot
#user=rudy:011:00010:"/usr/local/my chroot"  # sftp with chroot
#user=rudy:011:00011:"/usr/local/my chroot"  # both with chroot

# Spaces before or after the '=' are fine, but spaces in chrootpath need
# quotes.
#user = "rudy:011:00001:/usr/local/my chroot"
#user = "rudy:011:00001:/usr/local/my chroot"  # neither do comments at line end
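An added example, not part of the original post and not rssh's own code: a small Python audit helper that reads an rssh.conf in the format shown above and reports which protocols and chroot apply to a given user. The access-bit order is taken from the comments in the posted file; the sample config and the user names `webdev` and `anyone_else` are constructed, and the rule that a `user=` line overrides the global settings is as documented in rssh.conf(5).

```python
import shlex

# Access-bit order, read off the per-user examples in the config comments:
# 10000 rsync, 01000 rdist, 00100 cvs, 00010 sftp, 00001 scp.
BITS = ("rsync", "rdist", "cvs", "sftp", "scp")

def parse_rssh_conf(text):
    """Return (global_allowed, global_chroot, per_user) for rssh.conf text."""
    allowed, chroot, users = set(), None, {}
    for raw in text.splitlines():
        # shlex strips '#' comments and resolves quotes wherever they appear.
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        key, _, value = (p.strip() for p in " ".join(tokens).partition("="))
        if key.startswith("allow") and key[5:] in BITS:
            allowed.add(key[5:])
        elif key == "chrootpath":
            chroot = value
        elif key == "user":
            name, _umask, bits, *path = value.split(":", 3)
            if len(bits) != len(BITS) or set(bits) - {"0", "1"}:
                raise ValueError(f"bad access bits for {name}: {bits!r}")
            protocols = {p for p, b in zip(BITS, bits) if b == "1"}
            users[name] = (protocols, path[0] if path and path[0] else None)
    return allowed, chroot, users

def effective_access(text, user):
    """Protocols and chroot path that apply to `user`."""
    allowed, chroot, users = parse_rssh_conf(text)
    # Per rssh.conf(5), a user= line overrides the global settings for that user.
    return users.get(user, (allowed, chroot))

# Constructed sample: the active lines from the posted config plus two
# hypothetical per-user entries written in the styles the comments describe.
SAMPLE = """\
logfacility = LOG_USER
allowscp
allowsftp
#allowcvs
allowrsync
umask = 022
user=rudy:01"1:00010:/usr/local/my chroot"  # sftp only, chrooted
user = webdev:022:00011   # scp + sftp, no chroot
"""

if __name__ == "__main__":
    for who in ("rudy", "webdev", "anyone_else"):
        print(who, effective_access(SAMPLE, who))
```

Running it against the real /etc/rssh.conf shows at a glance whether an account falls back to the global allow lines or is pinned by its own entry.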
 
Old 06-14-2012, 09:16 PM   #2
chrism01
I think you want him to only be able to sftp, not full ssh... try this http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5
http://www.openbsd.org/cgi-bin/man.c...penBSD+Current
 
  

