Thread: Re: RHEL 5.5 - LDAP user unable to do chrooted Openssh SFTP with restricted login shell (/usr/bin/r
From: Nico Kadel-G. <nk...@gm...> - 2012-01-04 06:44:42
2012/1/4 Sandeep Dudam संदीप दुडम <san...@gm...>:
> Hello All,
>
> After googling a lot, I finally thought to post this.
> -----------------------------------------------------
>
> setup: sftp & rssh
>
> As soon as an ldap user logs in, it says "Connection Closed".
> See the DEBUG-3 level output of the sftp command attached.
>
> When the following line of the /etc/rssh.conf file is commented (commenting
> chrootpath) then login works but I lose jailing.
> This is working fine in RHEL 4. Details are mentioned below.
>
> chrootpath = /opt/mycomp/ds/xfer/public/
>
> ===============================================================================================
>
> RHEL - 5.5 has the following openssh & rssh packages -

Hold it *right* there. RHEL 5.5 is obsolete with missing security patches and a very old codebase. You should *at least* update to RHEL 5.7, with all the OpenLDAP and OpenSSH minor patches and the major rsync update. Burning time debugging 5.5 is a waste, because many such bugs have *already been fixed*.

That said, if you can, jump to RHEL 6 with all those updates as well, especially the major upgrade to OpenSSH with proper GSSAPI support to play well with a Kerberized LDAP.

> Linux pudslx134 2.6.18-274.3.1.el5PAE #1 SMP Fri Aug 26 18:52:57 EDT 2011 i686 athlon i386 GNU/Linux
>
> Red Hat Enterprise Linux Server release 5.5 (Tikanga)
>
>
> OpenSSH & rssh packages
> -----------------------
> openssh-4.3p2-41.el5_5.1
> openssh-server-4.3p2-41.el5_5.1
> openssh-clients-4.3p2-41.el5_5.1
> rssh-2.3.2-1 (Also tried upgrading rssh to rssh-2.3.3-1.i386.rpm but no success)
>
> /etc/rssh.conf
> --------------
> logfacility = LOG_USER
> allowsftp
> umask = 022
> chrootpath = /opt/mycomp/ds/xfer/public/
>
>
> /etc/sshd/sshd_config
> ---------------------
> Protocol 2
> SyslogFacility AUTHPRIV
> PermitRootLogin no
> UsePAM yes
> PasswordAuthentication no
> X11Forwarding yes
> ClientAliveInterval 30
> Banner /etc/banner
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
>
> /etc/pam.d/system-auth
> ----------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> #password requisite pam_cracklib.so try_first_pass retry=3 type=
> password requisite pam_passwdqc.so enforce=users retry=3 min=disabled,disabled,disabled,8,8
> #password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=7
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
>
> Permissions on the chroot folder -
> -----------------------------------
> pudslx134@/opt/mycomp/ds/xfer
> #root# ls -l
>
> dr-xr-xr-x 12 root other 4096 Dec 21 03:40 public
>
>
> pudslx134@/opt/mycomp/ds/xfer/public [494] #root# ls -l -R
> .:
> total 40
> drwxrwxr-x 2 root root 4096 Dec 21 03:40 bin
> drwxrwxr-x 2 root root 4096 Dec 21 03:40 dev
> drwxrwxr-x 3 root root 4096 Dec 29 05:00 etc
> drwxrwxr-x 3 root root 4096 Dec 21 03:40 home
> drwxrwxr-x 2 ftp other 4096 Jun 19 2011 letter
> drwxrwxr-x 2 root root 4096 Dec 21 03:40 lib
> drwxrwsr-x 2 ftp other 4096 Dec 28 04:00 pcanal
> drwxrwxr-x 2 ftp other 4096 Dec 29 01:45 public
> drwxrwxr-x 3 admin ds_system 4096 Dec 21 03:23 update_data
> drwxrwxr-x 5 root root 4096 Dec 21 03:40 usr
>
> ./bin:
> total 0
>
> ./dev:
> total 0
> crw-rw-rw- 1 root root 1, 3 Dec 21 03:40 null
>
> ./etc:
> total 52
> -rw-r--r-- 1 root root 914 Dec 21 03:40 group
> -rw-r--r-- 1 root root 68 Dec 21 03:40 hosts
> -rw-r--r-- 1 root root 25437 Dec 21 03:40 ld.so.cache
> -rw-r--r-- 1 root root 28 Dec 21 03:40 ld.so.conf
> drwxr-xr-x 2 root root 4096 Dec 14 2010 ld.so.conf.d
> -rw-r--r-- 1 root root 1786 Dec 29 04:55 nsswitch.conf
> -rw-r--r-- 1 root root 2535 Dec 21 03:40 passwd
>
> ./etc/ld.so.conf.d:
> total 0
>
> ./home:
> total 4
> drwxrwxr-x 2 root other 4096 Dec 21 03:40 ftpusers
>
> ./home/ftpusers:
> total 0
>
> ./letter:
> total 0
>
> ./lib:
> total 4048
> -rwxr-xr-x 1 root root 128624 Dec 21 03:41 ld-linux.so.2
> -rwxr-xr-x 1 root root 1702624 Dec 21 03:41 libc.so.6
> -rwxr-xr-x 1 root root 6300 Dec 21 03:40 libcom_err.so.2
> -rwxr-xr-x 1 root root 47712 Dec 21 03:40 libcrypt.so.1
> -rwxr-xr-x 1 root root 1315616 Dec 21 03:40 libcrypto.so.6
> -rwxr-xr-x 1 root root 18812 Dec 21 03:41 libdl.so.2
> -rwxr-xr-x 1 root root 6596 Dec 21 03:41 libkeyutils.so.1
> -rwxr-xr-x 1 root root 107924 Dec 21 03:40 libnsl.so.1
> -rwxr-xr-x 1 root root 36416 Dec 21 03:40 libnss_compat-2.5.so
> -rwxr-xr-x 1 root root 36416 Dec 21 03:40 libnss_compat.so.2
> -rwxr-xr-x 1 root root 50848 Dec 21 03:40 libnss_files-2.5.so
> -rwxr-xr-x 1 root root 50848 Dec 21 03:40 libnss_files.so.2
> -rwxr-xr-x 1 root root 131508 Dec 21 03:41 libpthread.so.0
> -rwxr-xr-x 1 root root 78824 Dec 21 03:40 libresolv.so.2
> -rwxr-xr-x 1 root root 91892 Dec 21 03:41 libselinux.so.1
> -rwxr-xr-x 1 root root 243928 Dec 21 03:41 libsepol.so.1
> -rwxr-xr-x 1 root root 13492 Dec 21 03:40 libutil.so.1
>
> ./pcanal:
> total 56
> -rw-rw-r-- 1 ftp other 6328 Jun 19 2011 op.cfg
> -rw-rw-r-- 1 ftp other 417 Jun 19 2011 stat.cfg
>
> ./public:
> total 92
> -rw-r--r-- 1 rsync ds_system 397 Dec 21 03:42 id_rsa.pub
> -rw-rw-r-- 1 admin ds_system 80160 Dec 27 03:07 rcvfile1.raw.old
> -rw-rw-r-- 1 admin ds_system 80 Jun 19 2011 xmtfile1.xfr
>
> ./update_data:
> total 4
> drwxrwxr-x 2 admin ds_system 4096 Jun 19 2011 updated
>
> ./update_data/updated:
> total 0
>
> ./usr:
> total 12
> drwxrwxr-x 2 root root 4096 Dec 21 03:40 bin
> drwxrwxr-x 2 root root 4096 Dec 21 03:40 lib
> drwxrwxr-x 3 root root 4096 Dec 21 03:40 libexec
>
> ./usr/bin:
> total 108
> -rwxr-xr-x 1 root root 18988 Dec 21 03:40 rssh
> -rwxr-xr-x 1 root root 84620 Dec 21 03:40 sftp
>
> ./usr/lib:
> total 2600
> -rwxr-xr-x 1 root root 184812 Dec 21 03:40 libgssapi_krb5.so.2
> -rwxr-xr-x 1 root root 155640 Dec 21 03:40 libk5crypto.so.3
> -rwxr-xr-x 1 root root 611692 Dec 21 03:40 libkrb5.so.3
> -rwxr-xr-x 1 root root 32056 Dec 21 03:41 libkrb5support.so.0
> -rwxr-xr-x 1 root root 226544 Dec 21 03:41 libnspr4.so
> -rwxr-xr-x 1 root root 1203764 Dec 21 03:40 libnss3.so
> -rwxr-xr-x 1 root root 101180 Dec 21 03:41 libnssutil3.so
> -rwxr-xr-x 1 root root 14008 Dec 21 03:41 libplc4.so
> -rwxr-xr-x 1 root root 9944 Dec 21 03:41 libplds4.so
> -rwxr-xr-x 1 root root 73836 Dec 21 03:40 libz.so.1
>
> ./usr/libexec:
> total 52
> drwxrwxr-x 2 root root 4096 Dec 21 03:40 openssh
> -rwsr-xr-x 1 root root 47783 Dec 21 03:40 rssh_chroot_helper
>
> ./usr/libexec/openssh:
> total 56
> -rwxr-xr-x 1 root root 50432 Dec 21 03:40 sftp-server
>
> ------------------------------------------------------------------
>
> Details of LDAP user trying to login - ftpuser1
> -----------------------------------------------
> #root# ldapsearch uid=ftpuser1
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=mycomp,dc=com> (default) with scope subtree
> # filter: uid=ftpuser1
> # requesting: ALL
> #
>
> # ftpuser1, People, mycomp.com
> dn: uid=ftpuser1,ou=People,dc=mycomp,dc=com
> uid: ftpuser1
> cn: ftpuser1
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword:: UEA1NXcwcmQ=
> loginShell: /usr/bin/rssh
> uidNumber: 2018
> gidNumber: 502
> homeDirectory: /opt/mycomp/ds/xfer/public/public
> shadowLastChange: 15332
> shadowWarning: 7
> shadowMin: 0
> shadowMax: 99999
> gecos: ftpuser1 user
> description: ftpuser1 user
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> ==============================================================================================
>
> RHEL - 4 has the following openssh & rssh packages - The rest of the setup is the same.
>
> This is working perfectly fine here.
>
> Linux pudslx107 2.6.9-100.ELsmp #1 SMP Tue Feb 1 12:17:32 EST 2011 i686 athlon i386 GNU/Linux
> Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
>
>
> openssh-server-3.9p1-11.el4_7
> openssh-clients-3.9p1-11.el4_7
> openssh-3.9p1-11.el4_7
> rssh-2.3.2-1
>
>
> Debug logs are attached here.
>
> Thanks in advance.
>
> _______________________________________________
> rssh-discuss mailing list
> rss...@li...
> https://lists.sourceforge.net/lists/listinfo/rssh-discuss
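The jail quoted in the original post is hand-built: libraries copied under lib/ and usr/lib/, and a private /etc/passwd, /etc/nsswitch.conf and libnss_files so that name lookups still work after rssh_chroot_helper has called chroot(2). Those are exactly the two things a chrooted session can no longer borrow from the host, and the thread does not say which one (if either) is behind the "Connection Closed". The script below is an added example, not code from the thread or from the rssh project: it audits a jail for (1) shared libraries that a jailed binary needs but that are missing at the same path inside the jail, and (2) whether the login user resolves from the jail's own passwd file with the expected shell. The function names, the throwaway jail it builds, the second passwd entry and the use of /bin/sh as a stand-in binary are this example's own assumptions; the jail path, user name, uid/gid and shell in the comments are taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread or from rssh): audit an rssh-style chroot
# jail before pointing chrootpath at it. On the poster's host the calls would be
#   jail_missing_libs /opt/mycomp/ds/xfer/public /usr/bin/rssh /usr/libexec/openssh/sftp-server
#   jail_user_ok      /opt/mycomp/ds/xfer/public ftpuser1 /usr/bin/rssh

# needed_libs BINARY: absolute host paths of the shared objects BINARY loads,
# one per line, as reported by ldd. A static binary (or a host without ldd)
# yields nothing.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libfoo.so => /path/libfoo.so (0x..)
        $1 ~ /^\//                { print $1 }   # /lib/ld-linux.so.2 (0x..)
    '
}

# jail_missing_libs JAIL BINARY...: report every library a BINARY needs that is
# absent under JAIL at the same path. After chroot(2) the dynamic loader walks
# the same absolute search paths it uses on the host (plus the jail's own
# /etc/ld.so.cache), so a copy placed at a different path does not help.
# Returns 1 if anything is missing, 0 if every library is present.
jail_missing_libs() {
    j=$1; shift
    missing=0
    for b in "$@"; do
        for l in $(needed_libs "$b"); do
            if [ ! -e "$j$l" ]; then
                echo "MISSING: $j$l (needed by $b)"
                missing=1
            fi
        done
    done
    return $missing
}

# jail_user_ok JAIL USER SHELL: succeed only if USER is listed in
# JAIL/etc/passwd with login shell SHELL. An account that exists only in LDAP
# is invisible to lookups made after chroot(2) unless it has been copied into
# this file (or libnss_ldap and its configuration are also inside the jail).
jail_user_ok() {
    awk -F: -v u="$2" -v s="$3" '
        $1 == u { found = 1; if ($7 == s) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1/etc/passwd" 2>/dev/null
}

# make_demo_jail: build a constructed jail skeleton in a temp dir and print
# its path. The ftpuser1 line mirrors the uid, gid and shell of the poster's
# LDAP entry; the "other" account is invented to show a shell mismatch.
make_demo_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/lib" "$d/usr/bin"
    printf 'ftpuser1:x:2018:502:ftpuser1 user:/public:/usr/bin/rssh\n' > "$d/etc/passwd"
    printf 'other:x:2019:502:other user:/public:/bin/bash\n' >> "$d/etc/passwd"
    echo "$d"
}

# Stand-alone run against the constructed jail; /bin/sh stands in for the
# binaries you would really check (rssh, rssh_chroot_helper, sftp-server).
audit_demo() {
    d=$(make_demo_jail)
    if jail_user_ok "$d" ftpuser1 /usr/bin/rssh; then
        echo "ftpuser1 resolves inside $d with shell /usr/bin/rssh"
    else
        echo "ftpuser1 does NOT resolve inside $d"
    fi
    if jail_missing_libs "$d" /bin/sh; then
        echo "/bin/sh would find all of its libraries inside $d"
    else
        echo "copy the libraries listed above into $d before chrooting"
    fi
    rm -rf "$d"
}
audit_demo
```

Run it as root on the real host with the jail path and the actual rssh and sftp-server binaries substituted for the demo values; a clean run of both checks does not prove the jail works, but a MISSING line or a failed user lookup is something to fix before reading further into sshd debug output.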