Tru64 Unix v5.1B SSH2D chroot environment
From: Cosmin Moldoveanu (cosmin_m_at_yahoo.com)
Date: 10/28/04
- Previous message: Ann Majeske: "Re: Passwordless user for Tru64 5.0 Rev.910"
- Next in thread: Ann Majeske: "Re: Tru64 Unix v5.1B SSH2D chroot environment"
- Reply: Ann Majeske: "Re: Tru64 Unix v5.1B SSH2D chroot environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 28 Oct 2004 01:26:31 -0700
Hi all,
I want to set up a chroot environment for a user that will only use
scp or sftp client software.
The ssh daemon that came with the system has this feature. You need
to do a ssh-chrootmgr <user>, which will create a bin folder in its
home directory, modify the sshd2-config file so that the ssh daemon
will know this is a chroot user (via chrootusers) and modify the
/etc/passwd file and change the default shell to /bin/ssh-dummy-shell.
Also, I removed the welcome message from
/etc/ssh2/ssh-dummy-shell.out
I've done all this, but the setup is still not working and I don't
know how to fix it. That ssh-dummy-shell will exit at the first
inputted character. I can only imagine that the client software is
issuing a command causing the dummy-shell to exit. I also tried with
/dev/null as the shell but with the same result.
I wonder if any of you ran into this problem before me.
Any help would be greatly appreciated!
Running the sshd server with -v -d99 flags, here is the output when
the client connects (I removed custom information from the output -- IPs
and username):
==============================================================================
sshd2: SSH Secure Shell Tru64 UNIX 3.2.0
debug[302880]: SshHostKeyIO/sshhostkeyio.c:203: Reading public host
key from /etc/ssh2/hostkey.pub
debug[302880]: SshHostKeyIO/sshhostkeyio.c:288: Host key algorithms
(from disk): ssh-dss
debug[302880]: Becoming server.
debug[302880]: Creating listener
debug[302880]: Listener created
debug[302880]: no udp listener created.
debug[302880]: Running event loop
debug[302880]: ssh_sigchld_real_callback
debug[302880]: Sshd2/sshd2.c:1943: new_connection_callback
debug[302880]: Sshd2/sshd2.c:1860: Wrapping stream with
ssh_server_wrap...
debug[302880]: ssh_server_wrap: creating transport protocol
debug[302880]: SshAuthMethodServer/sshauthmethods.c:83: Added
"hostbased" to usable methods.
debug[302880]: SshAuthMethodServer/sshauthmethods.c:83: Added
"publickey" to usable methods.
debug[302880]: SshAuthMethodServer/sshauthmethods.c:83: Added
"password" to usable methods.
debug[302880]: SshAuthMethodServer/sshauthmethods.c:83: Added
"kerberos-tgt-2@ssh.com" to usable methods.
debug[302880]: SshAuthMethodServer/sshauthmethods.c:83: Added
"kerberos-2@ssh.com" to usable methods.
debug[302880]: SshAuthMethodServer/sshauthmethods.c:83: Added
"keyboard-interactive" to usable methods.
debug[302880]: ssh_server_wrap: creating userauth protocol
debug[302880]: SshUnixTcp/sshunixtcp.c:1227: using local hostname
localname.localdomain.xx
debug[302880]: Ssh2Common/sshcommon.c:541: local ip = some_ip, local
port = 22
debug[302880]: Ssh2Common/sshcommon.c:543: remote ip = other_ip,
remote port = 3200
debug[302880]: SshConnection/sshconn.c:1957: Wrapping...
debug[302880]: Sshd2/sshd2.c:1898: done.
debug[302880]: new_connection_callback returning
debug[302880]: Remote version: SSH-2.0-PuTTY-Release-0.56
debug[302880]: Ssh2Transport/trcommon.c:1913: lang s to c: `', lang c
to s: `'
debug[302880]: Ssh2Transport/trcommon.c:1978: c_to_s: cipher
aes256-cbc, mac hmac-sha1, compression none
debug[302880]: Ssh2Transport/trcommon.c:1981: s_to_c: cipher
aes256-cbc, mac hmac-sha1, compression none
debug[302880]: Sshd2/sshd2.c:1060: user 'xxx' service 'ssh-connection'
client_ip 'ip' client_port '3200' completed ''
debug[302880]: Sshd2/sshd2.c:1116: Number of groups: 1.
debug[302880]: Sshd2/sshd2.c:1119: Adding group: users, 15.
debug[302880]: Sshd2/sshd2.c:1493: output:
hostbased,publickey,password
debug[302880]: SshUnixUser/sshunixuser.c:1311: not yet implemented
sshd2[302880]: WARNING: ssh_user_validate_kerberos_password: uc not
krb
debug[302880]: Sshd2/sshd2.c:1060: user 'user' service
'ssh-connection' client_ip 'some-ip' client_port '3200' completed
'password'
debug[302880]: Ssh2AuthServer/sshauths.c:361: no_more_needed=TRUE
debug[302880]: Ssh2Common/sshcommon.c:342: Received SSH_CROSS_STARTUP
packet from connection protocol.
debug[302880]: Ssh2Common/sshcommon.c:392: Received
SSH_CROSS_ALGORITHMS packet from connection protocol.
debug[302880]: Ssh2Common/sshcommon.c:310: Received
SSH_CROSS_AUTHENTICATED packet from connection protocol.
debug[302880]: Ssh2Common/sshcommon.c:852: num_channels now 1
debug[302880]: Ssh2ChannelSession/sshchsession.c:1564: Forking without
pty
debug[302880]: Ssh2ChannelSession/sshchsession.c:1617: Executed
subsystem is "sftp"; performing crud removal (from shell output)
debug[302880]: SshConnection/sshconn.c:418: EOF from channel stream
debug[302880]: ssh_sigchld_real_callback
debug[302880]: ssh_sigchld_process_pid: calling handler pid 302885
code 254
debug[302880]: ssh_pipe_sigchld_handler: pid 302885 status 254
debug[302880]: ssh_pipe_sigchld_do_callback
debug[302880]: SshConnection/sshconn.c:418: EOF from channel stream
debug[302880]: SshConnection/sshconn.c:418: EOF from channel stream
debug[302880]: SshConnection/sshconn.c:1350: Received data when
close_sent - ignoring
debug[302880]: SshConnection/sshconn.c:1350: Received data when
close_sent - ignoring
debug[302880]: Ssh2Common/sshcommon.c:819: num_channels now 0
debug[302880]: ssh_pipe_stream_destroy
debug[302880]: Ssh2Common/sshcommon.c:180: DISCONNECT received:
Connection closed.
debug[302880]: Sshd2/sshd2.c:282: locally_generated = TRUE
debug[302880]: SshConfig/sshconfig.c:2330: Freeing pki. (host_pki !=
NULL, user_pki != NULL)
debug[302880]: SshConnection/sshconn.c:2009: Destroying SshConn
object.
debug[302880]: SshAuthMethodServer/sshauthmethods.c:88: Destroying
authentication method array.
debug[302880]: SshAppCommon/sshappcommon.c:198: Freeing global
SshRegex context.
debug[302880]: SshConfig/sshconfig.c:2330: Freeing pki. (host_pki =
NULL, user_pki = NULL)
==============================================================================
And here is the debugging output from the client - WinSCP (also
without custom information):
. --------------------------------------------------------------------------
. WinSCP Version 3.4.2 (Build 197)
. Login time: Thursday, October 28, 2004 10:23:07 AM
. --------------------------------------------------------------------------
. Session name: xxx
. Host name: xxx (Port: 22)
. User name: xxx (Password: No, Key file: No)
. Transfer Protocol: SCP
. SSH protocol version: 2; Compression: No
. Agent forwarding: No; TIS/CryptoCard: No; KI: Yes
. Ciphers: aes,blowfish,3des,WARN,des; Ssh2DES: No
. Ping interval: 0 sec (0 = off); Timeout: 15 sec
. SSH Bugs: -,-,-,-,-,-,-,-,
. Proxy: none
. Return code variable: Autodetect; Lookup user groups: Yes
. Shell: default, EOL: 0
. Local directory: f:\, Remote directory: home, Update: No, Cache: Yes
. Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. Alias LS: No, Ign LS warn: Yes, Scp1 Comp: No
. --------------------------------------------------------------------------
. Looking up host "xxx"
. Connecting to xxx port 22
. Server version: SSH-2.0-3.2.0 SSH Secure Shell Tru64 UNIX
. We claim version: SSH-2.0-WinSCP-release-3.4.2.197
. Using SSH protocol version 2
. Doing Diffie-Hellman key exchange
. Host key fingerprint is:
. ssh-dss 1024 blablabalbla
. Initialised AES-256 client->server encryption
. Initialised AES-256 server->client encryption
! Using username "xxx".
. Session password prompt (xxx@xxx's password: )
. Asking user for password.
. Sent password
. Access granted
. Opened channel for session
. Started a shell/command
. --------------------------------------------------------------------------
. Using SCP protocol.
. Doing startup conversation with host.
. Skipping host startup message (if any).
> echo "WinSCP: this is end-of-file:0"
. Server sent command exit status 254
. All channels closed. Disconnecting
* (ESshFatal) Error skipping startup message. Your shell is probably
incompatible with the application (BASH is recommended).
* Connection has been unexpectedly closed. Server sent command exit
status 254.
===============================================================================
Also, ssh is not working. Here is the output from a FreeBSD machine
(after entering the password):
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 100000 rmax 16384
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: output open -> drain
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to xxx closed.
debug1: Transferred: stdin 0, stdout 0, stderr 35 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 249.5
debug1: Exit status 254
================================================================================
What is interesting is the output from the PuTTY sftp client from
Windows:
Using username "xxx".
xxx@xxx's password:
Sent password
Access granted
Opened channel for session
Started a shell/command
Connected to ip_address
debug[314904]: SshUnixTcp/sshunixtcp.c:1227: using local hostname xxx
debug[314904]: /etc/nologin_xxx does not exist.
debug[314904]: Ssh2AuthCommonServer/auths-common.c:440: User xxx will
be chrooted because username matched with deny list.
debug[314904]: Ssh2ChannelSession/sshchsession.c:877: Freeing
confidential data.
debug[314904]: SshConfig/sshconfig.c:2330: Freeing pki. (host_pki !=
NULL, user_pki != NULL)
debug[314904]: Ssh2ChannelSession/sshchsession.c:910:
ssh_channel_session_child: now running as user 'xxx'
debug[314904]: Ssh2AuthCommonServer/auths-common.c:440: User xxx will
be chrooted because username matched with deny list.
debug[314904]: SshUnixUser/sshunixuser.c:1735: sia_become_user()
failed for user 204.
debug[314904]: Switching to real user 'xxx' failed!
Server sent command exit status 0
All channels closed. Disconnecting
Fatal: unable to initialise SFTP: could not connect
Thank you,
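The three things the post says ssh-chrootmgr sets up for an scp/sftp-only user (login shell in /etc/passwd, a bin directory under the home directory, the user listed for chrooting in the sshd2 config) can be checked with a small script before debugging the daemon itself. This is an added example, not code from the original post or from the Tru64 ssh-chrootmgr tool. It assumes the sshd2_config keyword is ChRootUsers (compared case-insensitively, comma-separated list), that the jail shell is /bin/ssh-dummy-shell, and that the jail needs its own copy of that shell under <home>/bin, because once sshd2 has done chroot(home) the shell path from the passwd entry resolves inside the jail. The sample tree it builds is constructed for offline use; on the real host it would be pointed at /.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks the three steps the
# post attributes to ssh-chrootmgr against a directory tree given as $1, so
# it can be run against / on the real host or against a constructed copy.
# Layout mirrored under $ROOT: etc/passwd, etc/ssh2/sshd2_config and the
# user's home directory.
# Assumptions: the sshd2_config keyword is ChRootUsers (matched
# case-insensitively) and the jail carries its own copy of the dummy shell,
# because after chroot(home) the passwd shell path /bin/ssh-dummy-shell
# resolves to home/bin/ssh-dummy-shell.

DUMMY_SHELL=/bin/ssh-dummy-shell

check_chroot_user() {
    root=$1
    user=$2
    rc=0
    entry=$(grep "^${user}:" "$root/etc/passwd" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "FAIL: $user has no entry in $root/etc/passwd"
        return 1
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # 1. the login shell in /etc/passwd must be the dummy shell
    if [ "$shell" != "$DUMMY_SHELL" ]; then
        echo "FAIL: $user login shell is '$shell', expected $DUMMY_SHELL"
        rc=1
    fi

    # 2. the home directory (the future chroot root) carries a bin directory
    #    holding the shell the passwd entry points at, resolved inside the jail
    if [ ! -d "$root$home/bin" ]; then
        echo "FAIL: $root$home/bin does not exist"
        rc=1
    elif [ ! -x "$root$home$DUMMY_SHELL" ]; then
        echo "FAIL: $root$home$DUMMY_SHELL missing or not executable"
        rc=1
    fi

    # 3. sshd2 must know the user is to be chrooted (assumed keyword ChRootUsers)
    cfg=$root/etc/ssh2/sshd2_config
    if ! grep -i "^[[:space:]]*ChRootUsers[[:space:]]" "$cfg" 2>/dev/null \
         | tr ', ' '\n\n' | grep -qx "$user"; then
        echo "FAIL: $user not listed under ChRootUsers in $cfg"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $user is set up for chroot sftp/scp"
    return "$rc"
}

# Constructed sample tree for offline use. $1 selects a variant:
# "good" (all three steps done) or "badshell" (passwd still says /bin/sh).
make_sample_tree() {
    variant=$1
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh2" "$root/home/scpuser/bin"
    : > "$root/home/scpuser/bin/ssh-dummy-shell"
    chmod 755 "$root/home/scpuser/bin/ssh-dummy-shell"
    if [ "$variant" = badshell ]; then shell=/bin/sh; else shell=$DUMMY_SHELL; fi
    printf 'root:x:0:0:root:/:/bin/sh\nscpuser:x:1001:15:scp only:/home/scpuser:%s\n' \
        "$shell" > "$root/etc/passwd"
    printf 'Port 22\nChRootUsers  other,scpuser\n' > "$root/etc/ssh2/sshd2_config"
    printf '%s\n' "$root"
}

# On the real host: check_chroot_user / <user>
```

The check reports every failing step rather than stopping at the first, so a half-finished ssh-chrootmgr run shows all of what is still missing.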