Forum: OpenBSD General
Hi there

I have been trying for a couple of days to set up chrooted sftp access to a test obsd machine running apache. Ideally I would like to grant group access to update some web content, but after checking all I found, I'm still unsuccessful. Here are the relevant details ...

Code:
    # OpenBSD 4.3 GENERIC#0 i386
    SFTPG=webgroup
    SFTPU=webadmin
    SFTPP=webadminpass
    SFTPD=/var/www/htdocs/project

    # chroot target; sshd requires it to be root-owned and not group/world writable
    mkdir $SFTPD
    groupadd -v $SFTPG
    # sftp-only account: no shell, home is / (i.e. the chroot itself once chrooted)
    useradd -c "webadmin user" -d / -g $SFTPG -p $(encrypt -b 6 $SFTPP) -s /sbin/nologin $SFTPU
    chown root:$SFTPG $SFTPD
    chmod 0755 $SFTPD

Code:
    # /etc/ssh/sshd_config
    #Subsystem sftp /usr/libexec/sftp-server
    Subsystem sftp internal-sftp

    # literal values: sshd does not expand the $SFTPG/$SFTPD shell variables above
    Match Group webgroup
        ChrootDirectory /var/www/htdocs/project
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

Code:
    kill -HUP `cat /var/run/sshd.pid`

Any attempt to change the group permissions, chmod g+w $SFTPD or similar, results in NOT being able to successfully start a session ...

Code:
    psftp -v -l webadmin -pw webadminpass 192.168.1.50
    Looking up host "192.168.1.50"
    Connecting to 192.168.1.50 port 22
    Server version: SSH-2.0-OpenSSH_4.8
    We claim version: SSH-2.0-PuTTY_Release_0.60
    Using SSH protocol version 2
    Doing Diffie-Hellman group exchange
    Doing Diffie-Hellman key exchange with hash SHA-256
    Host key fingerprint is:
    ssh-rsa 2048 b6:fb:6a:7b:ea:5e:1a:71:52:c9:a5:c5:d8:fa:61:27
    Initialised AES-256 SDCTR client->server encryption
    Initialised HMAC-SHA1 client->server MAC algorithm
    Initialised AES-256 SDCTR server->client encryption
    Initialised HMAC-SHA1 server->client MAC algorithm
    Using username "webadmin".
    Keyboard-interactive authentication refused
    Sent password
    Access granted
    Server unexpectedly closed network connection
    Fatal: Server unexpectedly closed network connection

Any comments/remarks are most welcome

Luismi

Last edited by luismi; 25th June 2008 at 07:15 PM.
Try taking a look at rksh. It's really functional, even if it is not a real chrooted environment.
The typical problem with a chroot environment is that you need to provide a copy of the necessary configuration inside the chroot.

Config files in "/etc", which are normally accessible by a non-chrooted daemon, need to be brought into the chroot environment when you run a chrooted version. In case you haven't seen it, http://www.openbsd.org/faq/faq10.html#httpdchroot has an example.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Hello,

I'm experiencing the exact same problem as luismi. The standard recipe for granting sftp-only access to a directory via "internal-sftp" in OpenSSH (sshd_config mods) lets the user access the directory, but with no write privileges. chmod of the directory breaks the ability to log in to the directory. (sftp seems happy with 755 on my box.)

As I understand the documentation for OpenBSD 4.3, chroot for sftp is independent of chroot for httpd (/var/www). So I'd be surprised if adding files to ChrootDirectory grants the desired write privileges. The ability to break sftp by chmod-ing ChrootDirectory makes me think that sshd_config may require additional mods.

Thanks,
jon4t2
Hello Again,

A bit more digging on the Web found the answer: since the sftponly user (foo) does not own the chroot'ed directory (/home/foo), the user does not have write privileges. So, everything's working properly. The fix? Create a new directory inside the chroot'ed directory (/home/foo/writeable) and chown it to the sftponly user (chown foo:sftponly /home/foo/writeable).

More thorough descriptions of chroot'ing internal-sftp in OpenSSH can be found at:

<http://forums.gentoo.org/viewtopic-t-698685.html?sid=26554189975046c317082e5dfffbeca6>
<http://adamsworld.name/chrootjail5.php>
<http://www.minstrel.org.uk/papers/sftp/builtin.html>

The novice (i.e. me) should be careful though, as these are Linux instructions. I found that using "usermod -d" and "usermod -s" to change the user profile broke the login. However, creating an sftponly group works quite well. With a "Match Group sftponly" instruction in sshd_config, "usermod -g" easily adds a new user to the sftponly group. Script wizards are encouraged to port the scripts presented in the Gentoo Forum listed above.

Thanks,
jon4t2
Tags: chmod, chroot, obsd 4.3, permissions, sftp