LinuxQuestions.org
#16, 10-25-2011, 12:47 PM, newbie14 (Original Poster):

Dear Kewpie,
For a test I have added a user and assigned him to the sftponly group. Then I added this at the end of my sshd config file.

Quote:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Thereafter I restarted my ssh and I got this error.

Starting sshd: /etc/ssh/sshd_config: line 120: Bad configuration option: Match
/etc/ssh/sshd_config: line 122: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: terminating, 2 bad configuration options
 
#17, 10-25-2011, 01:21 PM, Linux_Kidd:

newbie14,
  1. I think you should start with "man sshd_config". First understand what the options are.
  2. How can your sftp work if it's commented out in sshd_config? Try
    Code:
    Subsystem sftp internal-sftp
  3. Also, add another line at the end containing the word "Match" w/o quotes. Apparently some sshd's require Match clauses to be closed.
  4. If your sshd is pam-a-fied (aka PAM enabled) then you could also use PAM to polyinstantiate the user after login.

Last edited by Linux_Kidd; 10-25-2011 at 02:09 PM.
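An added example, not from the thread or from OpenSSH: a small Python linter for the sftp-only chroot pattern in posts #16 and #17, which flags a commented-out or external "Subsystem sftp", global-only keywords that end up inside the Match block (every line after a Match line belongs to that block until the next Match), and missing or wrong directives in the Match Group block. The two sample configs are constructed from the snippets in the thread.

```python
# Required Match-block directives (None = any value); global-only keywords sshd rejects inside Match.
REQUIRED_IN_MATCH = {"chrootdirectory": None, "forcecommand": "internal-sftp",
                     "allowtcpforwarding": "no"}
GLOBAL_ONLY = {"subsystem", "port", "listenaddress", "protocol", "usepam"}

# Constructed sample: the snippet from post #16 (Subsystem still commented out).
BROKEN = """#Subsystem sftp /usr/libexec/openssh/sftp-server
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
"""
# Constructed sample: the same block with the Subsystem line from post #17.
FIXED = "Subsystem sftp internal-sftp\n" + BROKEN.split("\n", 1)[1]

def parse(text):
    """Yield (match_criteria_or_None, keyword, value) for each active line."""
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            scope = value.lower()  # lines up to the next Match are conditional
            continue
        yield scope, key, value

def lint_sftp_chroot(text, group="sftponly"):
    """Return a list of findings; an empty list means the pattern is complete."""
    findings, in_block, subsystem = [], {}, None
    for scope, key, value in parse(text):
        words = value.split()
        if scope is None and key == "subsystem" and words[:1] == ["sftp"]:
            subsystem = words[1] if len(words) > 1 else ""
        elif scope and key in GLOBAL_ONLY:
            findings.append(f"'{key}' is not allowed inside 'Match {scope}'")
        elif scope == f"group {group.lower()}":
            in_block[key] = value.lower()
    if subsystem is None:
        findings.append("no active 'Subsystem sftp' line (commented out?)")
    elif subsystem != "internal-sftp":
        findings.append("Subsystem sftp should be internal-sftp: a chrooted user "
                        "cannot execute an external sftp-server binary")
    for key, want in REQUIRED_IN_MATCH.items():
        got = in_block.get(key)
        if got is None or (want is not None and got != want):
            findings.append(f"Match Group {group}: {key} must be {want or 'set'}")
    return findings
```

The linter cannot tell you whether your sshd build accepts Match at all; running "sshd -t" against the real file is the check for that, and it is what produced the "Bad configuration option" errors above.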
 
#18, 10-25-2011, 11:39 PM, newbie14 (Original Poster):

Dear Linux,
I have tried your suggestion.

Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Match
and I get this error
Starting sshd: /etc/ssh/sshd_config: line 121: Bad configuration option: Match
/etc/ssh/sshd_config: line 123: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: line 125: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 3 bad configuration options

I have read a bit on PAM; it is to restrict users for sshd access, right? I am sorry, I am new to this. I checked that there is a folder /etc/pam.d; does that mean I have PAM installed already?
 
#19, 10-26-2011, 02:11 AM, acid_kewpie (Moderator):

Right, so there are config directives not recognised, so yeah, now you have a valid reason to look at upgrading, so give it a go.

Yes, you have PAM installed.
 
#20, 10-26-2011, 04:42 AM, Linux_Kidd:

Quote:
Originally Posted by acid_kewpie
right, so there are config directives not recognised, so yeah, now you have a valid reason to look at upgrading, so give it a go.

yes you have pam installed.
Well, the man page for his version will show supported options.

newbie14 - can you copy/paste your man sshd_config here, wrapped in code tags.
 
#21, 10-26-2011, 07:21 AM, newbie14 (Original Poster):

Dear Acid,
Well, with the old OpenSSH, I mean 4.3.2, how do you do the limitations? Ok, I will go with the update following the link which you provided earlier.
 
#22, 10-26-2011, 07:25 AM, newbie14 (Original Poster):

Dear Linux,
Here is my sshd_config. I removed whatever I had done as there are errors in it. Where is the man page located? I am not sure where to get it from.
Quote:
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
 
#23, 10-26-2011, 08:03 AM, Linux_Kidd:

Can you give us context as to why you are trying to configure all this? Is this for personal use, are you trying to support a business function, what? If you don't know how to issue "man sshd_config" at the command prompt then I think our attempts to help you will be futile. My best suggestion is to search this forum for "linux tutorial" (I even linked the word "search" for you so all you need to do is click on it). You need to know the bare minimum before you can move onto the basics, etc.

My suggestion for you to post the output of "man sshd_config" was not for others reading this, it was for you to read the output and try to understand it, etc.
 
#24, 10-26-2011, 12:32 PM, newbie14 (Original Poster):

Dear Linux,
For now it is for personal use and gaining knowledge of how to go about with Linux. Sorry, I got mixed up; I thought you wanted the sshd_config file. Yes, I know about man; I am reading the man page now and it mentions chroot etc. So what do you suggest I do next: upgrade my ssh and then follow the link given, or do you have other suggestions?
 
#25, 10-26-2011, 12:46 PM, Linux_Kidd:

Quote:
Originally Posted by newbie14
Dear Linux,
For now is personal use and gaining knowledge how to go about with linux. Sorry I got mixed up I thought you wanted the sshd_config file. Yes I know about man I am reading the man now and it mention about chroot etc.So what do you suggest me to do next upgrade my ssh then follow the link given or you have other suggestion?
I wanted you to read the man page to see what options it says are valid. Are the options "Match" and "ForceCommand" listed?? (Hence why I asked you to post the complete output of the man page.)

So since it's for personal use you have leisure time to learn. It's best you read up on some basic Linux via the tutorials, then tackle basic configuration of services, and then after that tackle how to do advanced configuration of services (in your realm chroot of sshd would be advanced).

Cheers.
 
#26, 10-26-2011, 10:00 PM, newbie14 (Original Poster):

Dear Linux,
How do I copy the whole man page for sshd here? Can you guide me? I checked already; both Match and ForceCommand are not there. So I guess there is no choice but to upgrade, right?
 
#27, 10-27-2011, 03:56 AM, acid_kewpie (Moderator):

Just run "man sshd_config", or at the very worst, just google it.
 
#28, 10-27-2011, 04:29 AM, Linux_Kidd:

Quote:
Originally Posted by newbie14
Dear Linux,
How to copy the whole man for sshd here? Can you guide me? I checked ready both Match and Force Command is not there. So I guess no choice but to upgrade rite?
Well, if the command options are not listed in the man page then you should be able to figure out that those commands will not work, and that's why you were getting errors. Upgrade to a newer version of OpenSSH and perhaps OpenSSL.
 
#29, 10-27-2011, 12:40 PM, newbie14 (Original Poster):

Dear All,
I will do the necessary updates and then get back to you guys for any help after the updates.
 
  


All times are GMT -5.
