[SOLVED] sshd_config error Bad configuration option: PermitLocalCommand

MrUmunhum · 11-22-2012, 01:03 PM

Hi group,

I am having a problem with sshd_config. I am trying to implement PermitLocalCommand and LocalCommand. I have updated my config file with this:

Code:

PermitLocalCommand  yes
LocalCommand        /usr/local/bin/check_sftp_limit.php

Match Group vms

        ChrootDirectory /home/vms
        ForceCommand internal-sftp

But when I try to execute I get these error messages:

Code:

 /usr/sbin/sshd  -f /etc/ssh/vms_config 
/etc/ssh/vms_config: line 29: Bad configuration option: PermitLocalCommand
/etc/ssh/vms_config: line 30: Bad configuration option: LocalCommand
/etc/ssh/vms_config: terminating, 2 bad configuration options

These options are in the man page as valid. It fails on my Fedora 13, raspbian ( Debian ) and with the latest source ( OpenSSH_6.0p1 Debian-3, OpenSSL 1.0.1c 10 May 2012 ).

Do I need to compile the source with some special option??

Thanks for your time.

bathory · 11-22-2012, 04:18 PM

Hi,

Both these options are intended to be used with ssh (the client), not sshd (the server). So if you want to use them, add them in /etc/ssh/ssh_config.

Regards

MrUmunhum · 11-23-2012, 11:04 AM

Quote:

Originally Posted by bathory

Hi,

Both these options are intended to be used with ssh (the client), not sshd (the server). So if you want to use them, add them in /etc/ssh/ssh_config.

Regards

Not the answer I was looking for but does answer the question.

Thanks.

Turbocapitalist · 11-24-2012, 07:05 AM

Quote:

Originally Posted by MrUmunhum

Not the answer I was looking for but does answer the question.

Thanks.

What were you looking for? Maybe there is another way to reach the results you intended.

MrUmunhum · 11-25-2012, 12:59 PM

Quote:

Originally Posted by Turbocapitalist

What were you looking for? Maybe there is another way to reach the results you intended.

What I need to do is limit the number of connection made by a SFTP user. I have tried many ways that don't completely work. I need a way to run a script when the user logs in. I have the script but I can't figure a way to call it other than tailing /var/log/messages for 'Accepted password for user'. Which will work but then there is the log rotate problem. I really don't want to modify SFTP.

This is the script I want to run:

Code:

#!/usr/bin/php
<?php
$Find    = "/bin/ps --no-header -C sshd -o pid,etime,uname,comm,ppid,args | "
         . "/bin/grep internal-sftp  | tr -s ' '";
$Count   = 0;
$Running = explode( "\n", trim( shell_exec( $Find ) ) );

foreach( $Running as $Line )  {
  $Line = trim($Line);
  $cmd  = explode( " ", "$Line" );
  if( $cmd[2] === 'user' )  {  
    if( ++$Count > 2 )  {
      shell_exec( "/bin/logger Limit exceeded $Line" ); 
      shell_exec( "/bin/kill -usr1 $cmd[4]" );  }
      exit;  }  }
?>

It works great but how to call it?

Turbocapitalist · 11-25-2012, 01:16 PM

You can run a script on successful login either in /etc/ssh/sshrc or in ~/.ssh/rc It can't be allowed to produce any output to stdout, though.

If you run sshd under xinetd instead of as a daemon, you can limit the number per ip address using per_source. It's not the same a limiting per user, but close. Maybe you could have the script check how many times the user is logged in already and drop the connection if the max is exceeded.