How do you chroot your openssh users
04-19-2007 03:45 AM
Solution
However, reading the updates to this thread (and the names next to them) I'm starting to wonder whether I'm trying to do the same thing.
Therefore, I will hide the possible silliness in an attachment. I've written what I just did in a little text file.
Should it be what you need, excellent. Otherwise, forgive me ;-)
Cheers,
Wout
04-21-2007 09:31 PM
Re: How do you chroot your openssh users
I thank you for your input.
I believe that going with the latest tar based version is a possibility for us.
I will report results.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-22-2007 10:14 PM
Re: How do you chroot your openssh users
Curious results.
sftp yaira@localhost
/var/log/messages
Apr 23 13:12:40 gate sshd(pam_unix)[28957]: session opened for user yaira by (uid=0)
Apr 23 13:12:40 gate jk_chrootsh[28958]: now entering jail /home/ftpusers/yaira for user yaira (14618)
Apr 23 13:12:40 gate sshd(pam_unix)[28957]: session closed for user yaira
SEP
04-22-2007 10:17 PM
Re: How do you chroot your openssh users
*grind grind*
Ooh, two things:
- try and create a /tmp directory within your jail.
- double check whether the right path to the sftpd executable is in the configuration.
G'luck :-)
Cheers,
Wout
04-22-2007 11:32 PM
Re: How do you chroot your openssh users
Why? It's on my OEL:
Before issuing the jk_init statements I needed to edit /etc/jailkit/jk_init.ini (to change the sftp-server path to /usr/libexec/openssh/sftp-server)
Later, when editing /home/sftproot/etc/jailkit/jk_lsh.ini I forgot to adapt the 'executable' part:
[group sftpu]
paths=/usr/lib/
executables= /usr/lib/sftp-server
allow_word_expansion = 0
umask = 002
This logged me out instantly as well. However there's a message in the syslog. (WARNING: user ftp1 (501) tried to run '/usr/libexec/openssh/sftp-server', which is not allowed according to /etc/jailkit/jk_lsh.ini)
After changing:
executables= /usr/lib/sftp-server
to:
executables= /usr/libexec/openssh/sftp-server
..it works again.
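The mismatch described above (an executables= entry in jk_lsh.ini that points at a path the binary was never copied to inside the jail) is cheap to catch before a user is logged straight back out. The following is an added example, not code from this thread or from the jailkit project: a POSIX shell check that reads a jk_lsh.ini, walks its [group ...]/[user ...] sections, and verifies that every comma-separated executables= entry exists and is executable under the jail root. The jail and ini paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from jailkit: verify that every
# 'executables=' entry in a jailkit jk_lsh.ini resolves to an executable
# *inside* the jail. jk_lsh compares the requested command against this
# list, so an entry such as /usr/lib/sftp-server (when the binary was
# copied to /usr/libexec/openssh/sftp-server) logs the user straight out.
#
# Usage: check_jk_lsh_ini JAIL_ROOT JAIL_ROOT/etc/jailkit/jk_lsh.ini
# Exit status 0 when every entry resolves, 1 otherwise.

trim() {
    # strip leading and trailing whitespace from $1
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

check_jk_lsh_ini() {
    jail=$1
    ini=$2
    section='(none)'
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case $line in
            ''|'#'*|';'*)
                continue ;;
            '['*']')
                # new [group xxx] / [user xxx] section
                section=${line#\[}
                section=${section%\]}
                ;;
            executables*=*)
                # comma-separated list; paths are as seen from inside the chroot
                list=${line#*=}
                old_ifs=$IFS
                set -f            # no pathname expansion while splitting
                IFS=,
                set -- $list
                IFS=$old_ifs
                set +f
                for exe in "$@"; do
                    exe=$(trim "$exe")
                    [ -n "$exe" ] || continue
                    if [ -x "$jail$exe" ]; then
                        printf 'OK   [%s] %s\n' "$section" "$exe"
                    else
                        printf 'FAIL [%s] %s is missing or not executable under %s\n' \
                            "$section" "$exe" "$jail"
                        bad=1
                    fi
                done
                ;;
        esac
    done < "$ini"
    return $bad
}

# Stand-alone use (paths are assumptions):
#   sh check_jk_lsh_ini.sh /home/sftproot /home/sftproot/etc/jailkit/jk_lsh.ini
if [ $# -eq 2 ]; then
    check_jk_lsh_ini "$1" "$2"
fi
```

Run it against the jail's own copy of jk_lsh.ini, not the one in /etc/jailkit on the host: jk_lsh reads the file inside the chroot, and that is the copy the user's login is judged against.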
04-22-2007 11:37 PM
Re: How do you chroot your openssh users
Your approach solved the problem.
Because I used an RPM-based jailkit and our server environment, I made some changes.
You will notice that this code is mostly yours.
This is not final; I will post a final version after unit testing.
The core problem was in my script: instead of dealing with the individual permission problems I encountered at login, I opened up permissions too widely, breaking the jail.
I have to run and help my wife shop and stuff, and will then assign points. Obviously Wouter is going to get a pair of bunnies. Approaches I decided not to test will be rated subjectively.
#!/bin/bash
set -x
# Create a jailkit (RPM build) sftp/scp-only user. The jail lives in
# /home/ftpusers/<user>; the user's home directory is moved inside it.
USERNAME=${1:?usage: $0 username}
useradd -m -g client ${USERNAME}
passwd ${USERNAME}
mkdir -p /home/ftpusers/${USERNAME}
# populate the jail with the sftp/scp binaries, their libraries, and jk_lsh
/usr/sbin/jk_init -v /home/ftpusers/${USERNAME} sftp scp
/usr/sbin/jk_init -v /home/ftpusers/${USERNAME} jk_lsh
# move the home directory into the jail and switch the login shell to jk_chrootsh
/usr/sbin/jk_jailuser -m -n -j /home/ftpusers/${USERNAME} ${USERNAME}
cd /home/ftpusers/${USERNAME}
/bin/chown -R ${USERNAME}:client home/
/bin/chown -R ${USERNAME}:client usr/
/bin/chown -R ${USERNAME}:client lib/
# chown ${USERNAME}:client /home/ftpusers/${USERNAME}/usr/sbin/jk_lsh
# the jailed user must be able to traverse etc/ and read the jail's passwd/group
chmod a+rx etc/
chmod a+rx etc/passwd
chmod a+rx etc/group
chmod u+rx home/
chmod u+rx home/${USERNAME}/
# rename the default sftp section of jk_lsh.ini to this user; only section
# headers are touched so the sftp-server path in executables= is left alone
cd etc/jailkit
sed "/^\[/s/sftp/${USERNAME}/g" jk_lsh.ini > jk_lsh.ini.bck
mv jk_lsh.ini.bck jk_lsh.ini
# restart the socket daemon so syslog messages from inside the jail keep flowing
killall jk_socketd
jk_socketd
exit 0
Shmuel
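The failure this post describes, permissions opened so widely that the jail no longer means anything, is easy to reintroduce: the script above still chowns usr/ and lib/ to the jailed user, which lets that user replace the very binaries and libraries jk_lsh is told to trust. The following is an added example, not code from this thread or from jailkit: an audit that lists everything inside a jail, outside the user's own home and a sticky /tmp, that is not owned by root or is group- or world-writable. Each hit is something the jailed user could tamper with. The third argument (expected owner) defaults to root and exists only so the check can be exercised on a scratch tree as an unprivileged user; the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from jailkit: list everything inside a
# jail that the jailed user could tamper with. Outside the user's own home and
# a sticky /tmp, every file and directory in the jail should be owned by root
# and must not be group- or world-writable; anything else lets the user swap
# in a binary or library that jk_lsh will then run on their behalf.
#
# Usage: audit_jail JAIL_ROOT USER [EXPECTED_OWNER]
#   EXPECTED_OWNER defaults to root; it is a parameter only so the check can
#   be exercised on a scratch tree as an unprivileged user.
# Exit status 0 when the jail is clean, 1 when there are findings.

audit_jail() {
    jail=$1
    user=$2
    owner=${3:-root}
    report=$(mktemp)

    # -prune skips the user's home and the jail's /tmp; everything else is
    # tested for a wrong owner or writable group/other bits. Paths are host paths.
    find "$jail" \( -path "$jail/home/$user" -o -path "$jail/tmp" \) -prune -o \
         \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print > "$report"

    while IFS= read -r path; do
        # mode and owner for the operator, then the offending path
        printf 'TAMPERABLE %s %s\n' "$(ls -ld "$path" | awk '{print $1, $3}')" "$path"
    done < "$report"

    count=$(wc -l < "$report" | tr -d ' ')
    rm -f "$report"
    [ "$count" -eq 0 ]
}

# Stand-alone use (paths are assumptions): sh audit_jail.sh /home/ftpusers/yaira yaira
if [ $# -ge 2 ]; then
    audit_jail "$@"
fi
```

Run it after every jk_init/jk_jailuser pass and after any chmod/chown you add to get a login working; a clean run means the only thing the user can write to is their own home directory, which is the property the chroot is supposed to give you.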
04-23-2007 03:02 AM
Re: How do you chroot your openssh users
A bunny from a two-star olympian can make one's day ;-)
Cheers,
Wout
04-23-2007 10:07 AM
Re: How do you chroot your openssh users
Here is a good one, case of Linux discrimination.
Bezeq, the local equivalent of AT&T before the breakup has a pretty fast Internet service, ADSL.
They hand out modems that also double as routers. B-FOCuS 312+.
Pretty decent router. My VOIP phone (btw my old phone phone still works if you wanna chat) loves it, no problems. It's got a proprietary OS, perhaps a Linux distribution, but it figures out things just fine.
Aside: work pays for the connection because it's critical I can get in and do work even if my street, which has a 25 degree uphill grade, is iced over.
My windows box figures things out with no issues.
Linux. No dice. A few websites work on browser, most just stare at me. I ignore the problem. We have a second connection I got on a long term contract for $19 a month that works fine with Linux.
Kids discover Internet games, start chewing up their connection. Someone wants to watch Battlestar Galactica and we don't have a TV (bittorrent? I didn't post that, did I).
With my little lab here the collision domain in my office is terrible and I can't avoid the problem any more. I must figure out why my Linux boxes won't work with bezeq. I thought the router was broken. Nah.
Turns out the router has a little DHCP server. Hands out addresses 10.0.0.1-something with a HUGE collision domain, netmask 255.0.0.0. /etc/resolv.conf says nameserver 10.0.0.138
Now this thing hands out addresses no problem at all. dig and nslookup return answers instantly.
Something about the web browser doesn't like it.
I turn off iptables.
I turn off ip6tables (what is that for?)
I turn off and uninstall firestarter(great tool).
Doesn't help.
A few hours ago I decided (FC btw) to try and turn off SELINUX. I didn't do it right (say RHCE three times) and the box kernel panics. Can't even boot single user mode, had to boot rescue mode. Where was the DVD? Actually it was with all the other important ones in a protective case. Whew.
Customer service, router must be broken? My Hebrew may NEVER be good enough for that.
Finally, in desperation, I turn to Dr. Google.
Input search.
bezeq DNS servers (a tough search because bezeq is a transliteration of a three letter word)
First link says change the MTU=1492 in ifcfg file. No help.
Next link lists Bezeq's NAME servers.
That works. I can browse on my Linux box and am currently in a browsing frenzy.
The why is meaningful if we ever figure it out.
Seems Windows can take the DHCP handoff, which is designed specifically for it. Linux can't. Not CentOS, not RH, not Fedora Core 6.
Tried all kinds of browser proxy configuration, but Bezeq doesn't have a proxy server.
Whew.
For my next trick, finding a program that lets my systems SMS my phone in Israel when they are unhappy. rpm based?
SEP
04-23-2007 09:28 PM
Re: How do you chroot your openssh users
> lets my systems SMS my phone in Israel when
> they are unhappy. rpm based?
May not be what you're looking for, but you could look at Hylafax. As well as its faxing capabilities, it also provides an SNPP server which can be configured to send SMS messages.
Downside is that it needs to be configured with a modem to dial out to an SMS gateway. I'm guessing you're probably looking for a 'net based version...
Cheers,
Rob
04-25-2007 03:34 PM
Re: How do you chroot your openssh users
if [ "${PEERDNS}" = "no" ]; then
# Do not update/replace resolv.conf.
PUMPARGS="${PUMPARGS} -d"
DHCPCDARGS="${DHCPCDARGS} -R"
fi
)
If you had SELINUX turned on, it may have been preventing the daemon from modifying '/etc/resolv.conf' dynamically.
As for software to SMS you, from experience it's easier to just use a third-party email-to-SMS gateway. It's not the software that's the issue, it's getting the telco service.
Just a brief note on the how-to: http://www.developershome.com/sms/howToSendSMSFromPC.asp