scponly und umask *ungelöst: nun rssh*

[Kase]

Hast du eventuell ein Programm installiert, das die Login-Daten der User cached? Veilleicht hat es deswegen nicht funktioniert und irgendwann wurde dann der Cache erneuert und ...

[cRoCoMo]

Hmm... ich wüsste nicht, welches das sein könnte. Speziell dafür hab ich nichts dergleichen zusätzlich installiert; sonst Grundinstallation.

Kurzum: Es funktioniert nun einwandfrei. Chroot-Umgebung für neue User in deren Verzeichnis duplizieren, die Dateien ~/etc/passwd und group anpassen, User in die /etc/rssh.conf einfügen und Rechte aufs ~/incoming bzw. ~/whatever-writable Verzeichnis geben. Und natürlich die richtige Shell zuweisen... Fertig

Danke nochmal Kase für die vielen Logs und sonstige Auszüge aus deiner Konfiguration.... hat (mehr oder weniger) dann doch zur Lösung beigetragen.

Da das ürsprüngliche Problem ja nicht wirklich gelöst wurde, verändere ich den Titel einfach auf *ungelöst: nun rssh*... für die Nachwelt. Hoffe das ist im Sinne der Mods

[Mythran]

Hallo zusammen,

habe ähnliche Probleme, welche ich bis jetzt nicht lösen konnte. Ich hoffe das Ihr vielleicht eine Idee habt woran es liegen könnte.

WinSCP gibt als Fehler folgendes zurück: Cannot initialize SFTP protocol. Is the host running a SFTP server?

Ich habe jetzt schon mehrfach alles umgedreht und neuerstellt aber im Moment fühle ich mich mit meinem Latein am Ende


Vielen vielen Dank

// edit: ohne chroot, sprich ohne den User-Eintrag in /etc/rssh.conf, funktioniert es wunderbar


dpkg -l | grep ssh

Code: Alles auswählen

ii  openssh-blacklist            0.1.1                                list of blacklisted OpenSSH RSA and DSA keys
ii  openssh-client               4.3p2-9etch2                         Secure shell client, an rlogin/rsh/rcp repla
ii  openssh-server               4.3p2-9etch2                         Secure shell server, an rshd replacement
ii  rssh                         2.3.2-2                              Restricted shell allowing only scp, sftp, cv

Auszug aus /etc/rssh.conf

Code: Alles auswählen

logfacility = LOG_USER

#allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync

umask = 022

user=testuser:027:00010:/srv/data/incoming/testuser

Auszug aus /etc/passwd

Code: Alles auswählen

testuser:x:1002:1003::/srv/data/incoming/testuser:/usr/bin/rssh

Auszug aus /srv/data/incoming/testuser/etc/passwd

Code: Alles auswählen

testuser:x:1002:1003::/srv/data/incoming/testuser:/usr/bin/rssh

ls -laR /srv/data/incoming/testuser

Code: Alles auswählen

/srv/data/incoming/testuser:
total 28K
drwxr-x--- 7 root     testuser 4.0K 2008-07-18 13:29 .
drwxr-xr-x 3 root     root     4.0K 2008-07-18 13:29 ..
drwxr-xr-x 2 root     root     4.0K 2008-07-18 13:29 dev
drwxr-xr-x 2 root     root     4.0K 2008-07-18 13:29 etc
drwxr-x--- 2 testuser testuser 4.0K 2008-07-18 13:40 incoming
drwxr-xr-x 2 root     root     4.0K 2008-07-18 13:29 lib
drwxr-xr-x 4 root     root     4.0K 2008-07-18 13:29 usr

/srv/data/incoming/testuser/dev:
total 8.0K
drwxr-xr-x 2 root root     4.0K 2008-07-18 13:29 .
drwxr-x--- 7 root testuser 4.0K 2008-07-18 13:29 ..
crw-rw-rw- 1 root root     1, 3 2008-07-18 13:29 null

/srv/data/incoming/testuser/etc:
total 44K
drwxr-xr-x 2 root root     4.0K 2008-07-18 13:29 .
drwxr-x--- 7 root testuser 4.0K 2008-07-18 13:29 ..
-rw-r--r-- 1 root root      24K 2008-07-18 13:29 ld.so.cache
-rw-r--r-- 1 root root       33 2008-07-18 13:29 ld.so.conf
-rw-r--r-- 1 root root      475 2008-07-18 13:29 nsswitch.conf
-rw-r--r-- 1 root root     1.3K 2008-07-18 13:29 passwd

/srv/data/incoming/testuser/incoming:
total 8.0K
drwxr-x--- 2 testuser testuser 4.0K 2008-07-18 13:40 .
drwxr-x--- 7 root     testuser 4.0K 2008-07-18 13:29 ..

/srv/data/incoming/testuser/lib:
total 1.6M
drwxr-xr-x 2 root root     4.0K 2008-07-18 13:29 .
drwxr-x--- 7 root testuser 4.0K 2008-07-18 13:29 ..
-rw-r--r-- 1 root root     7.8K 2008-07-18 13:29 libcom_err.so.2
-rw-r--r-- 1 root root      23K 2008-07-18 13:29 libcrypt.so.1
-rwxr-xr-x 1 root root     1.3M 2008-07-18 13:29 libc.so.6
-rw-r--r-- 1 root root      11K 2008-07-18 13:29 libdl.so.2
-rw-r--r-- 1 root root      84K 2008-07-18 13:29 libnsl.so.1
-rw-r--r-- 1 root root      35K 2008-01-21 10:33 libnss_compat-2.3.6.so
lrwxrwxrwx 1 root root       22 2008-07-18 13:29 libnss_compat.so.2 -> libnss_compat-2.3.6.so
-rw-r--r-- 1 root root      43K 2008-01-21 10:33 libnss_files-2.3.6.so
lrwxrwxrwx 1 root root       21 2008-07-18 13:29 libnss_files.so.2 -> libnss_files-2.3.6.so
-rw-r--r-- 1 root root      75K 2008-07-18 13:29 libresolv.so.2
-rw-r--r-- 1 root root      11K 2008-07-18 13:29 libutil.so.1

/srv/data/incoming/testuser/usr:
total 16K
drwxr-xr-x 4 root root     4.0K 2008-07-18 13:29 .
drwxr-x--- 7 root testuser 4.0K 2008-07-18 13:29 ..
drwxr-xr-x 2 root root     4.0K 2008-07-18 13:29 bin
drwxr-xr-x 3 root root     4.0K 2008-07-18 13:29 lib

/srv/data/incoming/testuser/usr/bin:
total 80K
drwxr-xr-x 2 root root 4.0K 2008-07-18 13:29 .
drwxr-xr-x 4 root root 4.0K 2008-07-18 13:29 ..
-rwxr-xr-x 1 root root  24K 2008-07-18 13:29 rssh
-rwxr-xr-x 1 root root  48K 2008-07-18 13:29 scp

/srv/data/incoming/testuser/usr/lib:
total 2.4M
drwxr-xr-x 3 root root 4.0K 2008-07-18 13:29 .
drwxr-xr-x 4 root root 4.0K 2008-07-18 13:29 ..
-rw-r--r-- 1 root root 1.5M 2008-07-18 13:29 libcrypto.so.0.9.8
-rw-r--r-- 1 root root 118K 2008-07-18 13:29 libgssapi_krb5.so.2
-rw-r--r-- 1 root root 143K 2008-07-18 13:29 libk5crypto.so.3
-rw-r--r-- 1 root root 532K 2008-07-18 13:29 libkrb5.so.3
-rw-r--r-- 1 root root  16K 2008-07-18 13:29 libkrb5support.so.0
-rw-r--r-- 1 root root  88K 2008-07-18 13:29 libz.so.1
drwxr-xr-x 2 root root 4.0K 2008-07-18 13:29 openssh

/srv/data/incoming/testuser/usr/lib/openssh:
total 56K
drwxr-xr-x 2 root root 4.0K 2008-07-18 13:29 .
drwxr-xr-x 3 root root 4.0K 2008-07-18 13:29 ..
-rwxr-xr-x 1 root root  45K 2008-07-18 13:29 sftp-server

ls -la /usr/lib/rssh/

Code: Alles auswählen

-rwsr-xr-x  1 root root  23K 2007-02-16 05:51 rssh_chroot_helper

rssh -v

Code: Alles auswählen

rssh 2.3.2
Copyright 2002-5 Derek D. Martin <rssh-discuss at lists dot sourceforge dot net>

    rssh config file = /etc/rssh.conf
  chroot helper path = /usr/lib/rssh/rssh_chroot_helper
     scp binary path = /usr/bin/scp
  sftp server binary = /usr/lib/openssh/sftp-server
     cvs binary path = /usr/bin/cvs
   rdist binary path = /usr/bin/rdist
   rsync binary path = /usr/bin/rsync

/usr/sbin/mkchroot.sh

Code: Alles auswählen

#!/bin/sh

#####################################################################
##
## Diese Datei wurde fuer Debian 4.0 angepasst
## Original Datei ist zu finden unter /usr/share/doc/rssh/examples/
##
#####################################################################
##
## mkchroot.sh - set up a chroot jail.
##
## This script is written to work for Red Hat 8/9 systems, but may work on
## other systems.  Or, it may not...  In fact, it may not work at all.  Use at
## your own risk.  :)
##

fail() {

        echo "`basename $0`: fatal error" >&2
        echo "$1" >&2
        exit $2
}

#####################################################################
#
# Initialize - handle command-line args, and set up variables and such.
#
# $1 is the directory to make the root of the chroot jail (required)
# $2, if given, is the user who should own the jail (optional)
# $3, if given,  is the permissions on the directory (optional)
#

if [ -z "$1" ]; then
        echo "`basename $0`: error parsing command line" >&2
        echo "  You must specify a directory to use as the chroot jail." >&2
        exit 1
fi

jail_dir="$1"

if [ -n "$2" ]; then
        owner="$2"
fi

if [ -n "$3" ]; then
        perms="$3"
fi


#####################################################################
#
# build the jail
#

# now make the directory

if [ ! -d "$jail_dir" ]; then
        echo "Creating root jail directory."
        mkdir -p "$jail_dir"

        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error creating jail directory." >&2
                echo "Check permissions on parent directory." >&2
                exit 2
        fi
fi

if [ -n "$owner" -a `whoami` = "root" ]; then
        echo "Setting owner of jail."
        chown "$owner" "$jail_dir"
        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error changing owner of jail directory." >&2
                exit 3
         fi
else
        echo -e "NOT changing owner of root jail. \c"
        if [ `whoami` != "root" ]; then
                echo "You are not root."
        else
                echo
        fi
fi

if [ -n "$owner" -a `whoami` = "root" ]; then
        echo "Setting permissions of jail."
        chmod "$perms" "$jail_dir"
        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error changing perms of jail directory." >&2
                exit 3
         fi
else
        echo -e "NOT changing perms of root jail. \c"
        if [ `whoami` != "root" ]; then
                echo "You are not root."
        else
                echo
        fi
fi

# copy SSH files

# Anpassung fuer Debian 4.0
#
scp_path="/usr/bin/scp"
# sftp_server_path="/usr/libexec/openssh/sftp-server"
sftp_server_path="/usr/lib/openssh/sftp-server"
rssh_path="/usr/bin/rssh"
# chroot_helper_path="/usr/libexec/rssh_chroot_helper"
#chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"

for jail_path in `dirname "$jail_dir$scp_path"` `dirname "$jail_dir$sftp_server_path"` `dirname "$jail_dir$chroot_helper_path"`; do

        echo "setting up $jail_path"

        if [ ! -d "$jail_path" ]; then
                mkdir -p "$jail_path" || \
                        fail "Error creating $jail_path. Exiting." 4
        fi

done

cp "$scp_path" "$jail_dir$scp_path" || \
        fail "Error copying $scp_path. Exiting." 5
cp "$sftp_server_path" "$jail_dir$sftp_server_path" || \
        fail "Error copying $sftp_server_path. Exiting." 5
cp "$rssh_path" "$jail_dir$rssh_path" || \
        fail "Error copying $rssh_path. Exiting." 5

# Anpassung fuer Debian 4.0
# - rssh_chroot_helper wird nicht benoetigt
#
#cp "$chroot_helper_path" "$jail_dir$chroot_helper_path" || \
#       fail "Error copying $chroot_helper_path. Exiting." 5


#####################################################################
#
# identify and copy libraries needed in the jail
#

for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do
        echo "Copying libraries for $prog."
        libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3`
        for lib in $libs; do
                mkdir -p "$jail_dir$(dirname $lib)"
                echo -e "\t$lib"
                cp "$lib" "$jail_dir$lib"
        done
done

echo "copying name service resolution libraries..."
tar -cf - /lib/libnss_compat* /lib/libnss_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/'

#####################################################################
#
# copy config files for the dynamic linker, nsswitch.conf, and the passwd file
#

echo "Setting up /etc in the chroot jail"
mkdir -p "$jail_dir/etc"
cp /etc/nsswitch.conf "$jail_dir/etc/"
cp /etc/passwd "$jail_dir/etc/"
cp /etc/ld.* "$jail_dir/etc/"

echo -e "Chroot jail configuration completed."
echo -e "\nNOTE: if you are not using the passwd file for authentication,"
echo -e "you may need to copy some of the /lib/libnss_* files into the jail.\n"


#####################################################################
#
# set up /dev/log
#

mkdir -p "$jail_dir/dev"

# Anpassung fuer Debian 4.0
# - erstellen von dev/null im jail
#
echo "Creating dev/null in jail directory."
mknod -m 666 "$jail_dir/dev/null" c 1 3
# - erstellen des incoming Ordners
echo -e "Creating incoming directory.\n"
mkdir "$jail_dir/incoming"
chown "$owner:$owner" "$jail_dir/incoming"
chmod "750" "$jail_dir/incoming"



echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
echo -e "with appropriate options to log to $jail_dir/dev/log.  In most cases,"
echo -e "you will need to start syslog as:\n"
echo -e "   /sbin/syslogd -a $jail_dir/dev/log\n"

echo -e "NOTE: we make no guarantee that ANY of this will work for you... \c"
echo -e "if it\ndoesn't, you're on your own.  Sorry!\n"

Auszug logs

Code: Alles auswählen

==> /var/log/auth.log <==
Jul 18 13:55:01 sshd[18565]: Accepted password for testuser from 80.132.57.252 port 1931 ssh2
Jul 18 13:55:01 sshd[18567]: (pam_unix) session opened for user testuser by (uid=0)
Jul 18 13:55:01 sshd[18567]: subsystem request for sftp
Jul 18 13:55:02 sshd[18567]: (pam_unix) session closed for user testuser

==> /var/log/syslog <==
Jul 18 13:55:01 rssh[18568]: setting log facility to LOG_USER
Jul 18 13:55:01 rssh[18568]: allowing sftp to all users
Jul 18 13:55:01 rssh[18568]: setting umask to 022
Jul 18 13:55:01 rssh[18568]: line 51: configuring user testuser
Jul 18 13:55:01 rssh[18568]: setting testuser's umask to 027
Jul 18 13:55:01 rssh[18568]: allowing sftp to user testuser
Jul 18 13:55:01 rssh[18568]: chrooting testuser to /srv/data/incoming/testuser
Jul 18 13:55:01 rssh[18568]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"

[Mythran]

... und hier kommt die Lösung für das Problem : D

Ich hatte vergessen zu erwähnen das ich ein 64bit System habe und hier lag das Problem.

1#: Hatte ich im Script mkchroot.sh chroot_helper_path einkommentiert. Also erstmal auskommentieren ...

2#: Gibt es eine Lib ld-linux-x86-64.so.2 welche unter /lib64 gesucht wird. /lib64 ist ein symlink auf /lib. Ein ldd auf rssh_chroot_helper macht es deutlich:

ldd /usr/lib/rssh/rssh_chroot_helper

Code: Alles auswählen

        libc.so.6 => /lib/libc.so.6 (0x00002b126f541000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b126f429000)

Das Script bekommt diese Lib beim Parsen nicht mit und kopiert natürlich dann diese Lib nicht.

Ich habe im chroot einen symlink von <chroot>/lib64 auf <chroot>/lib erstellt und einfach die fehlende Lib nach <chroot>/lib kopiert. Danach noch paar Zeilen Code in das Script getippert und schon funktioniert alles wieder.

Ich hoffe ich kann dem ein oder anderen hiermit helfen.

Zum schluß noch mein aktuelles Script. Vielleicht kann es jemand gebrauchen.

Beste Grüße



mkchroot.sh

Code: Alles auswählen

#!/bin/sh

#####################################################################
##
## Diese Datei wurde fuer Debian 4.0 x86-64 angepasst
## Original Datei ist zu finden unter /usr/share/doc/rssh/examples/
##
#####################################################################
##
## mkchroot.sh - set up a chroot jail.
##
## This script is written to work for Red Hat 8/9 systems, but may work on
## other systems.  Or, it may not...  In fact, it may not work at all.  Use at
## your own risk.  :)
##

fail() {

        echo "`basename $0`: fatal error" >&2
        echo "$1" >&2
        exit $2
}

#####################################################################
#
# Initialize - handle command-line args, and set up variables and such.
#
# $1 is the directory to make the root of the chroot jail (required)
# $2, if given, is the user who should own the jail (optional)
# $3, if given,  is the permissions on the directory (optional)
#

if [ -z "$1" ]; then
        echo "`basename $0`: error parsing command line" >&2
        echo "  You must specify a directory to use as the chroot jail." >&2
        exit 1
fi

jail_dir="$1"

if [ -n "$2" ]; then
        owner="$2"
fi

if [ -n "$3" ]; then
        perms="$3"
fi


#####################################################################
#
# build the jail
#

# now make the directory

if [ ! -d "$jail_dir" ]; then
        echo "Creating root jail directory."
        mkdir -p "$jail_dir"

        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error creating jail directory." >&2
                echo "Check permissions on parent directory." >&2
                exit 2
        fi
fi

if [ -n "$owner" -a `whoami` = "root" ]; then
        echo "Setting owner of jail."
#       chown "$owner" "$jail_dir"
        chown "root:$owner" "$jail_dir"
        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error changing owner of jail directory." >&2
                exit 3
         fi
else
        echo -e "NOT changing owner of root jail. \c"
        if [ `whoami` != "root" ]; then
                echo "You are not root."
        else
                echo
        fi
fi

if [ -n "$owner" -a `whoami` = "root" ]; then
        echo "Setting permissions of jail."
#       chmod "$perms" "$jail_dir"
        chmod 750 "$jail_dir"
        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error changing perms of jail directory." >&2
                exit 3
         fi
else
        echo -e "NOT changing perms of root jail. \c"
        if [ `whoami` != "root" ]; then
                echo "You are not root."
        else
                echo
        fi
fi

# copy SSH files

# Anpassung fuer Debian 4.0 x86-64 - db
#
scp_path="/usr/bin/scp"
# sftp_server_path="/usr/libexec/openssh/sftp-server"
sftp_server_path="/usr/lib/openssh/sftp-server"
rssh_path="/usr/bin/rssh"
# chroot_helper_path="/usr/libexec/rssh_chroot_helper"
chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"

for jail_path in `dirname "$jail_dir$scp_path"` `dirname "$jail_dir$sftp_server_path"` `dirname "$jail_dir$chroot_helper_path"`; do

        echo "setting up $jail_path"

        if [ ! -d "$jail_path" ]; then
                mkdir -p "$jail_path" || \
                        fail "Error creating $jail_path. Exiting." 4
        fi

done

cp "$scp_path" "$jail_dir$scp_path" || \
        fail "Error copying $scp_path. Exiting." 5
cp "$sftp_server_path" "$jail_dir$sftp_server_path" || \
        fail "Error copying $sftp_server_path. Exiting." 5
cp "$rssh_path" "$jail_dir$rssh_path" || \
        fail "Error copying $rssh_path. Exiting." 5

# Anpassung fuer Debian 4.0 x86-64 - db
# - rssh_chroot_helper wird nicht benoetigt
#
#cp "$chroot_helper_path" "$jail_dir$chroot_helper_path" || \
#       fail "Error copying $chroot_helper_path. Exiting." 5


#####################################################################
#
# identify and copy libraries needed in the jail
#

for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do
        echo "Copying libraries for $prog."
        libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3`
        echo $libs
        for lib in $libs; do
                mkdir -p "$jail_dir$(dirname $lib)"
                echo -e "\t$lib"
                cp "$lib" "$jail_dir$lib"
        done
done

echo "copying name service resolution libraries..."
tar -cf - /lib/libnss_compat* /lib/libnss_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/'

#####################################################################
#
# copy config files for the dynamic linker, nsswitch.conf, and the passwd file
#

echo "Setting up /etc in the chroot jail"
mkdir -p "$jail_dir/etc"
cp /etc/nsswitch.conf "$jail_dir/etc/"
cp /etc/passwd "$jail_dir/etc/"
cp /etc/ld.* "$jail_dir/etc/"

echo -e "Chroot jail configuration completed."
echo -e "\nNOTE: if you are not using the passwd file for authentication,"
echo -e "you may need to copy some of the /lib/libnss_* files into the jail.\n"


#####################################################################
#
# set up /dev/log
#

mkdir -p "$jail_dir/dev"

# Anpassung fuer Debian 4.0 x86-64 - db
# - erstellen von dev/null im jail
#
echo "Creating dev/null in jail directory."
mknod -m 666 "$jail_dir/dev/null" c 1 3
# - erstellen des incoming Ordners
echo -e "Creating incoming directory.\n"
mkdir "$jail_dir/incoming"
chown "$owner:$owner" "$jail_dir/incoming"
chmod "750" "$jail_dir/incoming"
#
# lib die von rssh_chroot_helper benoetigt wird
# das parsen der libs durch ldd hier im script
# funktioniert nicht mit symlinks
cp "/lib/ld-linux-x86-64.so.2" "$jail_dir/lib"
ln -s lib "$jail_dir/lib64"



echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
echo -e "with appropriate options to log to $jail_dir/dev/log.  In most cases,"
echo -e "you will need to start syslog as:\n"
echo -e "   /sbin/syslogd -a $jail_dir/dev/log\n"

echo -e "NOTE: we make no guarantee that ANY of this will work for you... \c"
echo -e "if it\ndoesn't, you're on your own.  Sorry!\n"