Thread: trouble with chroot and sftp
From: John R. <joh...@hm...> - 2013-07-17 19:17:56
Hello,

I am trying to get chroot to work with rssh for sftp. sftp works fine for users who use rssh as their shell, but only when chroot is not involved. If I uncomment chrootpath and set it to what should be a valid chroot path, sftp logins will terminate immediately after I enter the SFTP password.

If you know how to solve the above problem, great, but I'm more interested in getting some useful logs that will help me troubleshoot this problem. The only log entry that goes to the syslog is this one, which doesn't seem very interesting:

rssh[22313]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"

My question is, how do I get rssh to produce a useful error here? Thanks!

And here's some additional logging that I have, although I don't personally see much there.

rssh -v
rssh 2.3.4

And here's some additional logging that I have, although I don't personally see much value in either. auth.log shows that the password was accepted, but that's about it.

Jul 17 14:23:41 myserver sshd[22611]: Accepted password for TEST_SFTP from 10.100.11.3 port 53593 ssh2
Jul 17 14:23:41 myserver sshd[22611]: pam_unix(sshd:session): session opened for user TEST_SFTP by (uid=0)
Jul 17 14:23:42 myserver sshd[22755]: subsystem request for sftp by user TEST_SFTP
Jul 17 14:23:42 myserver sshd[22755]: Received disconnect from 10.100.11.3: 11: disconnected by user
Jul 17 14:23:42 myserver sshd[22611]: pam_unix(sshd:session): session closed for user TEST_SFTP

And here is the output of sftp -v myserver, on the client side.

sftp -v TEST_SFTP@ironman
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ironman [10.100.10.116] port 22.
debug1: Connection established.
debug1: identity file /home/jwr/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/jwr/.ssh/id_rsa-cert type -1
debug1: identity file /home/jwr/.ssh/id_dsa type -1
debug1: identity file /home/jwr/.ssh/id_dsa-cert type -1
debug1: identity file /home/jwr/.ssh/id_ecdsa type -1
debug1: identity file /home/jwr/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 73:4d:12:ab:20:0a:59:0d:e7:6a:1d:41:71:50:eb:7c
debug1: Host 'ironman' is known and matches the ECDSA host key.
debug1: Found key in /home/jwr/.ssh/known_hosts:88
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jwr/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/jwr/.ssh/id_dsa
debug1: Trying private key: /home/jwr/.ssh/id_ecdsa
debug1: Next authentication method: password
TEST_SFTP@ironman's password:
debug1: Authentication succeeded (password).
Authenticated to ironman ([10.100.10.116]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-...@op...
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eo...@op... reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 2232, received 1648 bytes, in 0.4 seconds
Bytes per second: sent 6158.0, received 4546.7
debug1: Exit status 1
Connection closed
From: Derek M. <co...@pi...> - 2013-07-17 21:01:23
On Wed, Jul 17, 2013 at 02:47:46PM -0400, John Robison wrote:
[...]
> I uncomment chrootpath and set it to what should be a valid chroot path,
> sftp logins will terminate immediately after I enter the SFTP password.
>
> If you know how to solve the above problem, great, but I'm more interested
> in getting some useful logs that will help me troubleshoot this problem.

Your problem (or rather, both of them) is that your jail is not set up correctly. You can't get the logs once you're chrooted until the chroot jail is set up properly.

The documentation that comes with rssh goes to great detail to describe how to do this properly. The relevant documentation is in the tarball, if you installed from source, or usually installed in /usr/share/doc/rssh or some similar such distribution-dependent path, and is in the file called CHROOT. Some distributions also put a system-dependent script there, to help you set up a chroot jail. Alas, the process IS system dependent, which is why rssh doesn't do this for you.

If you've read the docs and you still can't figure out how to make it work, the list archives are full of solutions to this problem; in fact it is very nearly the only thing that anyone ever posts about. One of them is bound to help you.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
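A way to act on the reply above before re-enabling chrootpath: check that the jail contains the pieces the jailed sftp-server and the chroot helper need, including a syslog socket, since nothing logged after chroot() can reach syslog without one. This is an added example, not rssh's own tooling or the script its CHROOT document mentions; it assumes the sftp-server path from the thread, a Linux host with ldd, and a jail layout (binary plus its libraries, /etc/passwd, /etc/group, /dev/null, /dev/log) that your distribution's CHROOT instructions may extend.

```shell
#!/bin/sh
# Added example, not part of rssh: sanity-check a chroot jail before
# re-enabling chrootpath. Assumed layout (see lead-in): the sftp-server
# binary and the shared libraries it links, /etc/passwd, /etc/group,
# /dev/null, and a syslog socket at /dev/log inside the jail.

SFTP_SERVER=/usr/lib/openssh/sftp-server   # path as seen inside the jail

# Print one line per item missing from the jail at $1; prints nothing if complete.
missing_in_jail() {
    jail=$1
    for f in "$SFTP_SERVER" /etc/passwd /etc/group /dev/null; do
        [ -e "$jail$f" ] || echo "missing: $jail$f"
    done
    # Without a syslog socket inside the jail, rssh_chroot_helper and
    # sftp-server cannot log anything after chroot(): silence, not errors.
    [ -S "$jail/dev/log" ] || echo "missing syslog socket: $jail/dev/log"
    # Libraries the jailed sftp-server links against, resolved by ldd on the
    # host; each must also exist at the same path underneath the jail.
    if [ -x "$jail$SFTP_SERVER" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$jail$SFTP_SERVER" 2>/dev/null |
            awk '/=>/ && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}' |
            while read -r lib; do
                [ -e "$jail$lib" ] || echo "missing library: $jail$lib"
            done
    fi
}

# Number of missing items, on stdout (0 means the jail looks complete).
count_missing() {
    missing_in_jail "$1" | wc -l | tr -d ' '
}

# Usage: check_jail /path/to/jail ; exit status 0 only when nothing is missing.
check_jail() {
    out=$(missing_in_jail "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    echo "jail $1 looks complete"
}

if [ -n "${1:-}" ]; then
    check_jail "$1"
fi
```

Run it against the directory you set chrootpath to; fix every reported line, then retry the sftp login and look at syslog again.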