Dear Kewpie,
For a test I have added a user and assigned him to the sftponly group. Then I added this at the end of my sshd config file.
Quote:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Thereafter I restarted my ssh and I got this error.
Starting sshd: /etc/ssh/sshd_config: line 120: Bad configuration option: Match
/etc/ssh/sshd_config: line 122: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: terminating, 2 bad configuration options
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Match
and I get this error
Starting sshd: /etc/ssh/sshd_config: line 121: Bad configuration option: Match
/etc/ssh/sshd_config: line 123: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: line 125: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 3 bad configuration options
I have read a bit that PAM is used to restrict user access for sshd, right? I am sorry, I am new to this. I checked and there is a folder /etc/pam.d; does that mean I have PAM installed already?
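An added example, not code from this thread, in POSIX shell: it checks which keywords of the sftponly block above a given OpenSSH release understands, so the "Bad configuration option" errors can be predicted before the daemon is restarted. The banner it parses is constructed to match the 4.3p2 server discussed here; the version thresholds it relies on (Match and ForceCommand first accepted in OpenSSH 4.4, ChrootDirectory and internal-sftp in 4.8) come from the OpenSSH release notes.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether an OpenSSH release is
# new enough for the keywords in the sftponly block, before `sshd -t` is run
# against the real file. Minimum versions follow the OpenSSH release notes:
# Match and ForceCommand arrived in 4.4, ChrootDirectory and internal-sftp in 4.8.

# keyword_min_version KEYWORD: print the first OpenSSH release that accepts it.
keyword_min_version() {
    case "$1" in
        Match|ForceCommand)            echo "4.4" ;;
        ChrootDirectory|internal-sftp) echo "4.8" ;;
        Subsystem|AllowTcpForwarding)  echo "0.0" ;;   # predate the 4.x series
        *)                             echo "unknown"; return 1 ;;
    esac
}

# version_ge A B: succeed when dotted version A is at least B (major.minor).
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%.*}
    b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%.*}
    if [ "$a_major" -gt "$b_major" ]; then return 0; fi
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# openssh_version_from_banner BANNER: "OpenSSH_4.3p2, OpenSSL ..." -> "4.3".
# On a real host the banner comes from: ssh -V 2>&1
openssh_version_from_banner() {
    v=${1#OpenSSH_}; v=${v%%,*}; v=${v%%p*}
    echo "$v"
}

# unsupported_keywords VERSION KEYWORD...: print the keywords VERSION lacks.
unsupported_keywords() {
    ver=$1; shift
    out=""
    for kw in "$@"; do
        need=$(keyword_min_version "$kw") || continue   # unknown keyword: not judged
        version_ge "$ver" "$need" || out="$out $kw"
    done
    echo "${out# }"
}

# config_keywords: read sshd_config text on stdin; print the distinct keywords
# (first word of each non-comment line, plus internal-sftp used as an argument).
config_keywords() {
    awk '/^[ \t]*#/ { next }
         NF == 0    { next }
         { seen[$1] = 1
           for (i = 2; i <= NF; i++) if ($i == "internal-sftp") seen[$i] = 1 }
         END { for (k in seen) print k }' | LC_ALL=C sort
}

# check_config VERSION < snippet: print the keywords that sshd VERSION would
# reject as "Bad configuration option"; empty output means the snippet parses.
check_config() {
    kws=$(config_keywords | tr '\n' ' ')
    unsupported_keywords "$1" $kws
}

# sftp_chroot_snippet: the block the thread is building, with the Subsystem
# line uncommented and the stray trailing "Match" removed (a Match block runs
# until the next Match line or end of file). ChrootDirectory %h only works when
# the home directory and every directory above it are owned by root and not
# group- or world-writable; sshd refuses the chroot otherwise.
sftp_chroot_snippet() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
}

# Demonstration on a constructed banner matching the thread's 4.3p2 server.
demo_banner="OpenSSH_4.3p2, OpenSSL 0.9.8"
demo_ver=$(openssh_version_from_banner "$demo_banner")
missing=$(sftp_chroot_snippet | check_config "$demo_ver")
if [ -n "$missing" ]; then
    echo "OpenSSH $demo_ver would reject: $missing (upgrade before using the Match block)"
else
    echo "OpenSSH $demo_ver accepts the snippet; validate the real file with: sshd -t -f /etc/ssh/sshd_config"
fi
```

On the real host, pass the output of `ssh -V 2>&1` to `openssh_version_from_banner` instead of the constructed banner. Whatever the version, run `sshd -t -f /etc/ssh/sshd_config` after editing: test mode parses the file and reports the same "Bad configuration option" lines shown above without touching the running daemon, so a broken file never locks you out of the box.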
Dear Acid,
Well, with the old OpenSSH, I mean 4.3.2, how do you do the limitations? OK, I will go with updating, following the link which you provided earlier.
Dear Linux,
Here is my sshd_config. I removed whatever I had done, as there were errors in it. Where is the man page located? I am not sure where to get it from.
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner /some/path
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
can you give us context as to why you are trying to configure all this? is this for personal use, are you trying to support a business function, what? if you don't know how to issue "man sshd_config" at the command prompt then I think our attempts to help you will be futile. my best suggestion is to search this forum for "linux tutorial" (I even linked the word "search" for you so all you need to do is click on it). you need to know the bare minimum before you can move onto the basics, etc.
my suggestion for you to post the output of "man sshd_config" was not for others reading this, it was for you to read the output and try to understand it, etc.
Dear Linux,
For now it is for personal use and gaining knowledge of how to go about with Linux. Sorry, I got mixed up; I thought you wanted the sshd_config file. Yes, I know about man; I am reading the man page now and it mentions chroot etc. So what do you suggest I do next: upgrade my ssh and then follow the link given, or do you have another suggestion?
I wanted you to read the man page to see what options it says are valid. are the options "Match" and "ForceCommand" listed?? (hence why I asked you to post the complete output of the man page).
so since it's for personal use you have leisure time to learn. it's best you read up on some basic linux via the tutorials, then tackle basic configuration of services, and then after that tackle how to do advanced configuration of services (in your realm chroot of sshd would be advanced).
Dear Linux,
How do I copy the whole man page for sshd here? Can you guide me? I checked already; both Match and ForceCommand are not there. So I guess there is no choice but to upgrade, right?
well, if the command options are not listed in the man page then you should be able to figure out that those commands will not work and that's why you were getting errors. upgrade to a newer version of OpenSSH and perhaps OpenSSL.