LinuxQuestions.org

Linux - Security: rssh - sftp and scp nonfunctional (https://www.linuxquestions.org/questions/linux-security-4/rssh-sftp-and-scp-nonfunctional-4175411231/)

draeath 06-13-2012 10:20 AM

rssh - sftp and scp nonfunctional
 
Hello,

I've got a CentOS 6 server. I want to give someone SCP access to their webspace but prevent them from running amok in the shell. rssh seems like a good fit, so I installed it from yum (it's in the official repos), put it in /etc/shells, and did a chsh for him.

However, it doesn't seem to work. For example, if he tries to use WinSCP he gets either:

"Cannot initialize SFTP protocol. Is the host running a SFTP server?" or "Error skipping startup message. Your shell is probably incompatible with the application."

If I check /var/log/secure, I see him successfully log in and request the SFTP or SCP subsystem, then immediately disconnect.

I've checked my audit logs and SELinux (which is enforcing) is not blocking anything.

If I use another shell (bash or rbash), it works, but I don't want him to have shell access (bash is out), and rbash is quite easy to circumvent.

Here's a copy of my rssh config. As you can see, I've done nothing but uncomment the three "allow" lines.

Code:

# This is the default rssh config file

# set the log facility.  "LOG_USER" and "user" are equivalent.
logfacility = LOG_USER

# Leave these all commented out to make the default action for rssh to lock
# users out completely...

allowscp
allowsftp
#allowcvs
#allowrdist
allowrsync

# set the default umask
umask = 022

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
# chrootpath = /usr/local/chroot

# You can quote anywhere, but quotes not required unless the path contains a
# space... as in this example.
#chrootpath = "/usr/local/my chroot"

##########################################
# EXAMPLES of configuring per-user options

#user=rudy:077:00010:  # the path can simply be left out to not chroot
#user=rudy:077:00010  # the ending colon is optional

#user=rudy:011:00100:  # cvs, with no chroot
#user=rudy:011:01000:  # rdist, with no chroot
#user=rudy:011:10000:  # rsync, with no chroot
#user="rudy:011:00001:/usr/local/chroot"  # whole user string can be quoted
#user=rudy:01"1:00001:/usr/local/chroot"  # or somewhere in the middle, freak!
#user=rudy:'011:00001:/usr/local/chroot'  # single quotes too

# if your chroot_path contains spaces, it must be quoted...
# In the following examples, the chroot_path is "/usr/local/my chroot"
#user=rudy:011:00001:"/usr/local/my chroot"  # scp with chroot
#user=rudy:011:00010:"/usr/local/my chroot"  # sftp with chroot
#user=rudy:011:00011:"/usr/local/my chroot"  # both with chroot

# Spaces before or after the '=' are fine, but spaces in chrootpath need
# quotes.
#user = "rudy:011:00001:/usr/local/my chroot"
#user = "rudy:011:00001:/usr/local/my chroot"  # neither do comments at line end

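An added example, not code from the post above or from the rssh project: a small parser that reads an rssh.conf in the syntax shown in that config and reports what a given account is actually allowed to do. The global allowscp/allowsftp/allowcvs/allowrdist/allowrsync lines apply to everyone; a per-user line `user=NAME:UMASK:MASK[:CHROOTPATH]` replaces them for that account, and its five-digit MASK is read right to left as scp, sftp, cvs, rdist, rsync (so 00011 is scp+sftp and 10001 is scp+rsync), exactly as the commented examples in the file describe. The sample config, the account names and the /srv/jail paths are constructed for the example. Two things worth keeping in mind while debugging a setup like this: rssh reports its refusals through syslog at the facility set by logfacility (LOG_USER here, so /var/log/messages on CentOS rather than /var/log/secure), and the WinSCP messages quoted above are the client's guesses, not rssh's reason for exiting. Note also that rssh and rbash are both command filters; rssh has had published filter bypasses over the years, so a chrooted internal-sftp in sshd itself is the stronger design where plain SFTP is enough.

```shell
#!/bin/sh
# Added example, not from the thread: work out what an rssh.conf actually
# grants a given account, following the syntax shown in the posted config.
#   global lines:   allowscp / allowsftp / allowcvs / allowrdist / allowrsync
#   per-user lines: user=NAME:UMASK:MASK[:CHROOTPATH]
#       MASK is five binary digits read right to left:
#       scp, sftp, cvs, rdist, rsync  (so 00011 = scp+sftp, 10001 = scp+rsync)
#   A per-user line replaces the global allow* flags for that user.
#
# Constructed sample config (names and paths are made up for the example).
SAMPLE_RSSH_CONF='
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
user=webguy:077:00010:"/srv/jail/webguy"   # sftp only, chrooted
user = "rudy:011:10001:/srv/jail/rudy"     # scp and rsync, chrooted
'

# rssh_effective USER CONFIG_TEXT
# prints:  scp=0|1 sftp=0|1 cvs=0|1 rdist=0|1 rsync=0|1 chroot=PATH
# returns: 0 on success, 2 on a malformed access mask
rssh_effective() {
    who=$1
    conf=$2
    printf '%s\n' "$conf" | awk -v who="$who" -v sq="'" '
        # strip trailing comments and surrounding whitespace
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # global allow lines: "allowscp" -> g["scp"] = 1
        /^allow(scp|sftp|cvs|rdist|rsync)$/ { g[substr($0, 6)] = 1; next }
        # per-user line; rssh lets the quotes appear anywhere, so drop them all
        /^user[ \t]*=/ {
            line = $0
            sub(/^user[ \t]*=[ \t]*/, "", line)
            gsub(/"/, "", line); gsub(sq, "", line)
            n = split(line, f, ":")
            if (f[1] != who) next
            mask = f[3]                        # f[2] is the umask, not needed here
            if (length(mask) != 5 || mask !~ /^[01]+$/) {
                print "bad access mask for " who ": \"" mask "\"" > "/dev/stderr"
                bad = 1; exit 2
            }
            per_user = 1
            u["scp"] = substr(mask, 5, 1); u["sftp"]  = substr(mask, 4, 1)
            u["cvs"] = substr(mask, 3, 1); u["rdist"] = substr(mask, 2, 1)
            u["rsync"] = substr(mask, 1, 1)
            chroot = (n >= 4) ? f[4] : ""      # trailing colon or no path -> no chroot
        }
        END {
            if (bad) exit 2
            split("scp sftp cvs rdist rsync", svc, " ")
            out = ""
            for (i = 1; i <= 5; i++) {
                s = svc[i]
                out = out s "=" (per_user ? u[s] + 0 : g[s] + 0) " "
            }
            print out "chroot=" chroot
        }'
}

rssh_effective webguy "$SAMPLE_RSSH_CONF"   # per-user line wins: sftp only
rssh_effective rudy   "$SAMPLE_RSSH_CONF"   # per-user line wins: scp + rsync
rssh_effective nobody "$SAMPLE_RSSH_CONF"   # no per-user line: globals apply
```

Run it against the real /etc/rssh.conf with `rssh_effective "$user" "$(cat /etc/rssh.conf)"`; if the account shows scp=1 sftp=1 and the session still drops, the problem is between sshd and rssh (shell in /etc/shells, the Subsystem path sshd hands to the shell, a syslog entry from rssh) rather than in this file.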

chrism01 06-14-2012 08:16 PM

I think you want him to only be able to sftp, not full ssh... try this http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5
http://www.openbsd.org/cgi-bin/man.c...penBSD+Current

