I have sort-of got this by setting the shell to sftp-server. Bizarre, I know, but it works, and a copy of /bin/true does not.

In both the real and chroot'ed /etc/passwd's I set the shell to the full path to sftp-server, and sftp works, ssh does not.

ssh actually connects and will sit there until you type something, but as soon as you type anything sftp-server says "what is this rubbish?" and promptly hangs up on you.

I don't have any real shell, or any other binary besides sftp-server, in my chroot tree, and even though users can upload their own, they cannot execute it because their shell is only sftp-server, which is not a shell and cannot execute anything. I hope it doesn't have any cases where it could execute any external program like ls (I know it doesn't need ls specifically, just as an example the way ftpd often uses a ls binary in the chroot path). Otherwise a person might be able to upload a shell named <whatever sftp-server might exec>.

This is OpenSSH 3.5p1 with chroot patch, on SCO Open Server 5.0.6.

------------

Actually it does. I tried /bin/false and it fails to set up the ssh connection properly. I guess the shell will let sftp only run specific sftp commands, anything else causes it to exit.

-----Original Message-----
From: Scott Venier [mailto:scottven@umich.edu]
Sent: Wednesday, January 30, 2002 10:58 AM
To: wlug@mail.wlug.org
Subject: Re: [Wlug] ssh-dummy-shell for OpenSSH???

Does the ssh-dummy-shell have to actually do anything for sFTP to work, or does it just have to be in /etc/shells? If it just has to be in /etc/shells, /bin/false works. Been using that for years for (non-s)FTP-only accounts.

Scott

On Wed, 30 Jan 2002, Keller, Tim wrote:

I'm setting up a test environment using OpenSSH's built-in sFTP server. What I want to do is build a chroot environment where people can connect to the machine via sFTP but not via SSH.

I know with the commercial version of SSH they have ssh-dummy-shell which, when you try to connect via SSH, just bails on you, but lets sFTP work properly.

I've done some digging on the web and I haven't found anything that'll replace this functionality on the OpenSSH side of things.

Anybody got any ideas/links of an open source version of ssh-dummy-shell?

Thanks, Tim.

_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug

--
Brian K. White -- brian@aljex.com -- http://www.aljex.com/bkw/
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO Prosper/FACTS AutoCAD #callahans Satriani
Be careful. OpenSSH has some features that could compromise your security. It lets the user set environment variables when the user connects. A user could upload a library and override C Library functions with LD_PRELOAD to execute whatever they want.

There are a couple of sftp-only shells that were designed to handle being used in the manner you want, but they caution you to disable the rc features in sshd_config or take other security precautions: http://www.pizzashack.org/rssh/security.shtml

On Sat, Feb 08, 2003 at 03:51:38AM -0500, Brian K. White wrote:
brian> I have sort-of got this by setting the shell to sftp-server.
brian> bizarre, I know, but it works, and a copy of /bin/true does not.
brian>
brian> in both the real and chroot'ed /etc/passwd's I set the shell to the full
brian> path to sftp-server, and sftp works, ssh does not.
brian>
brian> ssh actually connects and will sit there until you type something, but
brian> as soon as you type anything sftp-server says "what is this rubbish?"
brian> and promptly hangs up on you.
brian>
brian> I don't have any real shell, or any other binary besides sftp-server in
brian> my chroot tree, and even though users can upload their own, they cannot
brian> execute it because their shell is only sftp-server, which is not a shell
brian> and cannot execute anything. I hope it doesn't have any cases where it
brian> could execute any external program like ls (I know it doesn't need ls
brian> specifically, just as an example the way ftpd often uses a ls binary in
brian> the chroot path). otherwise a person might be able to upload a shell
brian> named <whatever sftp-server might exec>
brian>
brian> this is OpenSSH 3.5p1 with chroot patch, on SCO Open Server 5.0.6

--
Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/
PGP Key ID: 49BB5886
Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
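Added example (an audit script of my own, not code from the thread, from rssh or from OpenSSH) covering the concern in this message and the one in Brian's message above: it looks for executables or shared libraries that have been uploaded into an sftp-only chroot, checks whether sshd_config enables PermitUserEnvironment (the current OpenSSH keyword for the user-set environment described here; the 3.5p1 in the thread may differ), and looks for the per-user ~/.ssh/rc, ~/.ssh/environment and authorized_keys environment= hooks. The paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added audit helper, not code from this thread or OpenSSH: checks for stray
# executables/shared libraries in an sftp-only chroot, an sshd_config that
# enables user-set environment, and per-user login hooks. Pass the chroot
# root without a trailing slash so that the excluded path matches find's output.

# List regular files under $1 that are owner-executable or look like shared
# libraries, excluding the one binary that belongs there ($2, e.g. the full
# path of sftp-server inside the chroot). Returns 0 if clean, 1 if any found.
stray_files() {
    root=$1; allowed=$2
    found=$(find "$root" -type f \( -perm -100 -o -name '*.so' -o -name '*.so.*' \) \
                 ! -path "$allowed" 2>/dev/null)
    [ -z "$found" ] && return 0
    printf 'stray file in chroot:\n%s\n' "$found"
    return 1
}

# Returns 0 unless $1 (an sshd_config) contains "PermitUserEnvironment yes".
# Keywords are case-insensitive; the anchor skips commented-out lines.
user_env_disabled() {
    ! grep -iE '^[[:space:]]*PermitUserEnvironment[[:space:]]+yes' "$1" >/dev/null 2>&1
}

# Returns 0 unless home directory $1 carries a per-user hook sshd honours:
# ~/.ssh/rc (run at login), ~/.ssh/environment, or an environment= option
# on a key in ~/.ssh/authorized_keys.
user_hooks_absent() {
    home=$1; rc=0
    for f in "$home/.ssh/rc" "$home/.ssh/environment"; do
        [ -e "$f" ] && { echo "user hook present: $f"; rc=1; }
    done
    if [ -f "$home/.ssh/authorized_keys" ] &&
       grep -q 'environment=' "$home/.ssh/authorized_keys"; then
        echo "environment= option in $home/.ssh/authorized_keys"; rc=1
    fi
    return $rc
}

# Run all three checks; returns 0 only when every one passes. Usage (assumed paths):
# audit_sftp_chroot /chroot /chroot/usr/libexec/sftp-server /etc/ssh/sshd_config /chroot/home/user
audit_sftp_chroot() {
    rc=0
    stray_files "$1" "$2" || rc=1
    user_env_disabled "$3" || { echo "PermitUserEnvironment yes in $3"; rc=1; }
    user_hooks_absent "$4" || rc=1
    return $rc
}
```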
Here's a chroot patch to sftp-server.c for openssh-3.5p1 that I use that may be of some use to you:

http://www.alt219.com/software/sftp-server-chroot/

Ebon

On Wed, 30 Jan 2002, Keller, Tim wrote:
> I'm setting up a test environment using OpenSSH's built-in sFTP server. What I want to do is build a chroot environment where people can connect to the machine via sFTP but not via SSH.
> I know with the commercial version of SSH they have ssh-dummy-shell which, when you try to connect via SSH, just bails on you, but lets sFTP work properly.
> I've done some digging on the web and I haven't found anything that'll replace this functionality on the OpenSSH side of things.
> Anybody got any ideas/links of an open source version of ssh-dummy-shell?
> Thanks, Tim.
----- Original Message -----
From: <aramico@duahati.com>
To: <wlug@mail.wlug.org>
Sent: Friday, February 28, 2003 10:42 AM
Subject: [Wlug] Make the diffrence!

Hi all,

Can you please tell me how I can make a line that will not be processed in the file named /etc/passwd? There are so many users on my machine; what I want to do is classify the users under a defined title, so that I can easily see where a user is according to the definition I'll make.

E.g. in the file /etc/passwd I want to make it like this:

# Europe - Jakarta
# South Asia - Jakarta
# Australia - Jakarta

I want to put those words as comments in the file /etc/passwd.

Can you friends tell me how to make it?

Thanks.
Participants (4): aramico@duahati.com, Brian K. White, Charles R. Anderson, ele3@bach.eenetworks.com