Thread: "Forbidden command" when trying to use sftp-server
From: Kai H. <th...@ka...> - 2003-07-03 09:47:11
Hi there,

I recently installed rssh 2.0.3 on my Debian sid (via apt-get) to restrict my www-Admin to sftp only. As long as his shell is set to /bin/bash he can log in via sftp, but with his shell set to /usr/bin/rssh, the connection is immediately terminated. Syslog states:

Jul 3 11:10:43 ignition rssh[6035]: setting log facility to LOG_USER
Jul 3 11:10:43 ignition rssh[6035]: allowing scp to all users
Jul 3 11:10:43 ignition rssh[6035]: allowing sftp to all users
Jul 3 11:10:43 ignition rssh[6035]: setting umask to 022
Jul 3 11:10:43 ignition rssh[6035]: user attempted to execute forbidden commands
Jul 3 11:10:43 ignition rssh[6035]: command: /usr/local/libexec/sftp-server

The sftp-server has permissions 755. I do not use a chrooted environment (yet) and did not touch the rssh.conf, so allowscp and allowsftp are both set.

Any help would be appreciated.

Regards
Kai Hanisch

--
It is a good idea to be at the console of your machine when twiddling your network restrictions. If you are working remotely, then you can lock yourself out of your machine inadvertently with a missing or misplaced rule. If that happens, you are reduced to using the standard Windows remote administration tool - your car. (Hacking Linux Exposed, p. 484)
From: Derek M. <co...@pi...> - 2003-07-03 11:27:27
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jul 03, 2003 at 11:49:37AM +0200, Kai Hanisch wrote:
>
> Hi there,
>
> I recently installed rssh 2.0.3 on my Debian sid (via apt-get) to
> restrict my www-Admin to sftp only. As long as his shell is set to
> /bin/bash he can log in via sftp, but with his shell set to
> /usr/bin/rssh, the connection is immediately terminated. Syslog states:

1. Download 2.0.4 from www.pizzashack.org/rssh/downloads.html
2. unpack the sources
3. run configure
4. mail the output of configure to the list.

> Jul 3 11:10:43 ignition rssh[6035]: command: /usr/local/libexec/sftp-server

Oh, nevermind. The path to sftp-server is hard-coded in the binary for security reasons. You're using a local installation of openssh, but the Debian package for rssh expects it to be installed as /usr/lib/sftp-server, which is where the Debian package puts it.

You have 2 choices:

 - install Debian's ssh packages (not recommended)
 - download rssh as above, and install from sources (recommended)

The latter is recommended because you've probably got OpenSSH 3.5 or later installed (which is good, so you can make sure the sshd parameter PermitUserEnvironment is set to no), and because 2.0.4 fixes some bugs in all previous 2.0 releases.

- --
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/BBL6djdlQoHP510RAkWxAJ0aGrpPhFhNXWqnEJU0Cc4UkppXmACgpE/k
vcUVIcDVpq5rkdBaGbA11YI=
=BmeS
-----END PGP SIGNATURE-----
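
A configuration check for the two points raised in the reply above, added here as an example and not part of the original thread or of rssh: it compares the sftp-server path that sshd is configured to start with the path compiled into rssh, and confirms that PermitUserEnvironment is not enabled. The function names are hypothetical, the sample config is constructed, and the compiled-in path is supplied by the caller and assumed to be compared as an exact string.

```shell
#!/bin/sh
# Added example. Reads sshd_config directly and ignores Include/Match and the
# "Keyword=value" form; on a live host `sshd -T` prints the effective settings.

# sshd_value FILE KEYWORD [SUBSYSTEM]: print the first matching value.
sshd_value() {
    awk -v key="$2" -v subsys="$3" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) {             # keywords are case-insensitive
            if (subsys == "") { print tolower($2); exit }
            if ($2 == subsys) { print $3; exit }  # Subsystem <name> <path>
        }' "$1"
}

# check_rssh_sftp SSHD_CONFIG RSSH_PATH: return 0 only if both checks pass.
check_rssh_sftp() {
    cfg=$1; allowed=$2; rc=0
    actual=$(sshd_value "$cfg" Subsystem sftp)
    if [ -z "$actual" ]; then
        echo "FAIL: no 'Subsystem sftp' line in $cfg"; rc=1
    elif [ "$actual" != "$allowed" ]; then
        echo "FAIL: sshd starts $actual, rssh permits only $allowed"; rc=1
    else
        echo "ok: Subsystem sftp is $allowed"
    fi
    pue=$(sshd_value "$cfg" PermitUserEnvironment)
    # An absent keyword means the OpenSSH default, which is "no".
    if [ -n "$pue" ] && [ "$pue" != "no" ]; then
        echo "FAIL: PermitUserEnvironment is '$pue', expected 'no'"; rc=1
    else
        echo "ok: PermitUserEnvironment is no"
    fi
    return "$rc"
}

# Constructed sample reproducing the path mismatch from the thread.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sshd_config' \
        'Subsystem sftp /usr/local/libexec/sftp-server' \
        'PermitUserEnvironment yes' > "$tmp"
    check_rssh_sftp "$tmp" /usr/lib/sftp-server; status=$?
    rm -f "$tmp"
    return "$status"
}
```

Calling `demo` prints both failures; on a real host, pass the sshd_config path and the sftp-server path your rssh build was configured with.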