- Re: sftp with chroot environment issue - need help
12-09-2008 04:42 AM
I have an account with only sftp access. I also need to configure a chroot environment for this account. I ran the script /opt/ssh/utils/ssh_chroot_setup.sh.
It seems the script ran fine; see below.
---------------------------------
Select chroot secure shell option
----------------------------------
1 sftp
2 ssh & sftp & scp
press return key to skip this step
Option : 1
chroot setup for sftp operations
IMPORTANT NOTE:
This setup will make sure that sftp works in your chroot environment
It should not be interpreted as a restrictive sftp-only Shell.
This setup simply copies the files required for sftp to the appropriate directories under the newroot.
Now configuring the chroot environment for sftp ...finished
Summary
--------
Chroot-ed user : ganesh
Chroot-ed user's new root directory : /newroot
Secure Shell configuration : SFTP
press Return key
But still the user is able to browse root dir and other directories.
sftp> pwd
Remote working directory: /newroot/home/ganesh
sftp> cd /
sftp> ls
bin cdrom dev etc home lib lost+found newroot opt sbin stand tcb ter test tmp tmp_mnt usr var
sftp> cd /var
sftp> ls
It is listing the contents of /var.
The entry in /etc/passwd is:
ganesh:*:148:20:chrooted user:/newroot/./home/ganesh:/opt/ssh/etc/sftponly
I noted that I don't see any files under /newroot/home/ganesh.
What could be the issue? How do I resolve it?
Ganesh.
12-09-2008 06:12 AM
Re: sftp with chroot environment issue - need help
There had to be an error during setup.
The tests you show indicate chroot configuration did not happen for this user at all.
I'd run through the setup again and record the error. If you post that, it might be the key to a solution.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
12-09-2008 06:40 AM
Re: sftp with chroot environment issue - need help
I tried reconfiguring also; the result is the same.
But I am not seeing any error, and the script shows that it finished.
My requirement is as follows:
=======================
Create a user called "test" with only sftp access (no ssh). This user should be restricted within his home dir (/home/test). He should not browse or view beyond his home directory.
Could someone give steps/commands to do the above, either with the help of the ssh_chroot_setup.sh script or without this script (i.e., by commands)?
Thanks in advance.
Ganesh.
12-09-2008 07:56 AM
Solution
Since March 2008, OpenSSH has had an internal chroot feature for the sftp server, and it has been included in HP-UX Secure Shell 5.xx and up (I have 5.10). This makes chrooting SFTP dead easy.
You simply have to add this to sshd_config:
Subsystem sftp internal-sftp
ChrootDirectory /opt/anonftp
And you're done. No need to copy any libraries.
Damien posted how to do this here:
http://undeadly.org/cgi?action=article&sid=20080220110039
There's also an article about the feature here:
http://www.debian-administration.org/articles/590
I've been using this for a few months now, and it works well.
To have full logging, you can put:
Subsystem sftp internal-sftp -l VERBOSE
The only drawback with this is that you need to redirect the jailed /dev/log; I have a fix here:
http://omasse.blogspot.com/2008/09/redirecting-chroot-jailed-devlog-to.html
Don't do a ForceCommand sftp yet, as the logging will not work. There's a bugzilla entry for this, and it has been fixed. We need to wait for HP-UX Secure Shell to sync with OpenSSH.
Good luck
12-09-2008 08:03 AM
Re: sftp with chroot environment issue - need help
Will try your suggestion and update you on the status.
Ganesh.
12-09-2008 08:05 AM
Re: sftp with chroot environment issue - need help
To create a limited sftp user, here's a suggested passwd entry:
sftpuser:x:604:307:SFTP Users:/opt/anonftp/./sftpuser:/usr/local/bin/noshell
The home directory has an embedded /./ in case the user decides to use FTP instead (we support both here), but I don't think you need this.
I set noshell to prevent any interactive login for this user, but noshell is not included with HP-UX; you can use /bin/false to get the same result.
I also run the sftp server on a different port and prevent these users from accessing the ssh service on port 22 using DenyGroups, but that's not required. Using /bin/false is good enough for most cases.