Fedora Linux Support Community & Resources Center
  #1  
Old 29th March 2007, 07:37 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
ssh jail

Hello
I have fc6, running kde desktop. I have openssh set up. I have made a jail by using the script found at http://www.fuschlberger.net/programs...p-chroot-jail/
The jail itself works wonderfully. I have one issue.
The client that logs in will need to run ssh because they will be transferring files via winscp3.
I can use winscp3 to log in to the server as myself, and it works fine, because I am not a jailed user.
However, when I log in as the client, winscp gives me a message as follows:
Cannot initialize sftp protocol. Is the host running a SFTP server?
Connection has been unexpectedly closed. Server sent command exit status 1.

I have sftp-server in the jail under the same directory as the system.

I also took a look at Winscp3's log file and it shows this:

2007-03-29 14:35:00.361 Access granted
. 2007-03-29 14:35:00.533 Opened channel for session
. 2007-03-29 14:35:00.533 Started a shell/command
. 2007-03-29 14:35:00.533 --------------------------------------------------------------------------
. 2007-03-29 14:35:00.533 Using SFTP protocol.
. 2007-03-29 14:35:00.533 Doing startup conversation with host.
> 2007-03-29 14:35:00.533 Type: SSH_FXP_INIT, Size: 5, Number: -1
. 2007-03-29 14:35:00.767 Server sent command exit status 1
. 2007-03-29 14:35:00.767 All channels closed. Disconnecting
. 2007-03-29 14:35:00.767 Server closed network connection
* 2007-03-29 14:35:00.783 (ESshFatal) Cannot initialize SFTP protocol. Is the host running a SFTP server?
* 2007-03-29 14:35:00.783 Connection has been unexpectedly closed. Server sent command exit status 1.

I have talked to some people who know a lot more about linux than I do, and they said that I need to find out how to run sftp as a non-privileged user. I have proftpd installed as well.
Does anyone know what might be causing this? Or maybe steer me in the right direction to look?
Thanks for the help
  #2  
Old 29th March 2007, 07:47 PM
brunson Offline
Registered User
 
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,306
sshd runs /usr/libexec/openssh/sftp-server when you log in with sftp. It needs to be available in the chroot-jail.

Actually, I just ran it on my box, and it works fine. Do you have any errors in /var/log/messages or /var/log/secure on the server?
__________________
Registered Linux User #4837
411th in line to get sued by Micro$oft
Quote:
Basically, to learn Unix you learn to understand and apply a small set of key ideas and achieve expertise by expanding both the set of ideas and your ability to apply them - Paul Murphy

Last edited by brunson; 29th March 2007 at 07:54 PM.
  #3  
Old 29th March 2007, 08:29 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
I checked /usr/libexec/openssh/sftp-server, it is there. I also checked the jail for it, it is /home/jail/usr/libexec/openssh/sftp-server. Both files appear to be the same.

I tried another login as the client at 15:22.

I took a look at /var/log/messages. Here is what it said:

Mar 29 15:22:18 billing automount[2389]: create_udp_client: hostname lookup failed: No such process.
Mar 29 15:22:18 billing automount[2389]: create_tcp_client: hostname lookup failed: No such process.
Mar 29 15:22:18 billing automount[2389]: lookup_mount: exports lookup failed for .directory

Also checked /var/log/secure:

Mar 29 15:23:46 billing sshd[23345]: Accepted password for medpmgmt from 10.0.164.22 port 4082 ssh2
Mar 29 15:23:46 billing sshd[23345]: pam_unix(sshd:session): session opened for user medpmgmt by (uid=0)
Mar 29 15:23:46 billing sshd[23347]: subsystem request for sftp
Mar 29 15:23:46 billing sudo: medpmgmt : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/jail/home/medpmgmt ; USER=root ; COMMAND=/usr/sbin/chroot /home/jail /bin/su - medpmgmt -c /usr/libexec/openssh/sftp-server
Mar 29 15:23:46 billing sshd[23345]: pam_unix(sshd:session): session closed for user medpmgmt

I'm a little lost on this one...
Thank you
  #4  
Old 29th March 2007, 08:57 PM
brunson Offline
Registered User
 
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,306
Quote:
Originally Posted by viper3two
Mar 29 15:23:46 billing sudo: medpmgmt : sorry, you must have a tty to run sudo
That looks to be a problem, I don't get that message...
Code:
Mar 29 13:51:39 foxtrot sshd[25620]: Accepted password for birdman from 127.0.0.1 port 59368 ssh2
Mar 29 13:51:39 foxtrot sshd[25620]: pam_unix(sshd:session): session opened for user birdman by (uid=0)
Mar 29 13:51:39 foxtrot sshd[25622]: subsystem request for sftp
Mar 29 13:51:39 foxtrot sudo:  birdman : TTY=unknown ; PWD=/home/jail/home/birdman ; USER=root ; COMMAND=/usr/sbin/chroot /home/jail /bin/su - birdman -c /usr/libexec/openssh/sftp-server
Mar 29 13:51:40 foxtrot sshd[25620]: pam_unix(sshd:session): session closed for user birdman
  #5  
Old 29th March 2007, 09:34 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
Brunson, I think I may have got it fixed.
I saw that line about must have a tty to run sudo. Checked sudoers file, there is a line in that file that says "Defaults requiretty".
Pounded that line out and now I can ssh in just fine as the client.
Is that compromising anything by pounding out that line?
Thanks for the help!
  #6  
Old 29th March 2007, 09:39 PM
brunson Offline
Registered User
 
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,306
Quote:
Is that compromising anything by pounding out that line?
Not in this case.

If you did an rlogin/ssh to the box and issued a sudo command on the remote command line (i.e. from a remote machine "ssh billing sudo something") sshd would not allocate a terminal and without a terminal you can't turn off echo, so if a password was required it would be visible on the screen as it was typed. Requiretty makes sure this won't happen.

It's in the man page for sudoers.

Last edited by brunson; 29th March 2007 at 09:42 PM.
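The requiretty exemption can also be scoped instead of removed: sudoers accepts per-user Defaults, so `Defaults requiretty` can stay in force for every other account while only the jailed user, running only the one command line that /var/log/secure shows in post #3, is exempt. The helpers below are an added example written for this page; they are not from the thread or from the make_chroot_jail.sh script. They print such a fragment and audit a sudoers file for the difference between "requiretty removed for everyone" and "requiretty kept, one user exempt". The user name, jail path and command line are the ones in the thread; NOPASSWD is stated here because the sftp subsystem has no tty on which a password prompt could be answered; the interactive-login command line that chroot-shell runs is not shown in the thread and would need a rule of its own in the same shape.

```sh
#!/bin/sh
# Added example for this thread (not from the posts or from make_chroot_jail.sh):
# keep "Defaults requiretty" globally and exempt only the jailed account for
# the one command line that chroot-shell hands to sudo.

# jail_sudoers_fragment USER JAIL: print a sudoers fragment for one jailed user.
# The command line is the one /var/log/secure shows in this thread. NOPASSWD is
# needed because the sftp subsystem has no tty to answer a password prompt on.
# chroot-shell's interactive-login command (not shown in the thread) needs its
# own rule of the same shape.
jail_sudoers_fragment() {
    user=$1 jail=$2
    cat <<EOF
# requiretty stays on globally; only ${user} is exempt.
Defaults:${user} !requiretty
${user} ALL=(root) NOPASSWD: /usr/sbin/chroot ${jail} /bin/su - ${user} -c /usr/libexec/openssh/sftp-server
EOF
}

# has_global_requiretty FILE: true if FILE sets requiretty for everyone.
# Looks only at "Defaults <flags>" lines (not Defaults: Defaults@ Defaults! Defaults>),
# skips comments and negations, and accepts requiretty inside a comma-separated list.
has_global_requiretty() {
    grep -E '^[[:space:]]*Defaults[[:space:]]+' "$1" |
        grep -Ev '!requiretty' |
        grep -Eq '(^|[[:space:],])requiretty([[:space:],]|$)'
}

# exempted_users FILE: print the users FILE exempts with "Defaults:USER ... !requiretty".
exempted_users() {
    sed -n 's/^[[:space:]]*Defaults:\([^[:space:]]*\)[[:space:]].*!requiretty.*/\1/p' "$1"
}

# audit_requiretty FILE: one-line verdict: "kept", "kept, exempt: USER..." or "removed".
audit_requiretty() {
    if has_global_requiretty "$1"; then
        ex=$(exempted_users "$1" | tr '\n' ' ')
        if [ -n "$ex" ]; then echo "kept, exempt: $ex"; else echo "kept"; fi
    else
        echo "removed"
    fi
}

# check_fragment FILE: syntax-check a fragment with visudo when it is installed.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed; $1 not syntax-checked" >&2
    fi
}
```

Run `jail_sudoers_fragment medpmgmt /home/jail > /tmp/jail-sudoers && check_fragment /tmp/jail-sudoers` to produce and check the fragment (the /tmp path is only an example), and `audit_requiretty /etc/sudoers` to see which of the three states a live sudoers file is in; a result of "removed" is the state the thread arrived at by commenting the line out.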
  #7  
Old 29th March 2007, 09:48 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
Thank you for the help.
  #8  
Old 30th March 2007, 02:12 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
Well... it worked... ONE TIME... and now it is doing the same thing. I have checked all the logs and here is what I am getting:

From Putty:
medpmgmt@10.0.165.102's password:
Last login: Mon Mar 26 12:51:16 2007 from 10.0.164.22
/bin/chroot-shell: Exec format error

From WinScp3:
. 2007-03-30 09:00:20.393 Using SFTP protocol.
. 2007-03-30 09:00:20.393 Doing startup conversation with host.
> 2007-03-30 09:00:20.393 Type: SSH_FXP_INIT, Size: 5, Number: -1
. 2007-03-30 09:00:20.612 Server sent command exit status 126
. 2007-03-30 09:00:20.612 All channels closed. Disconnecting
. 2007-03-30 09:00:20.612 Server closed network connection
* 2007-03-30 09:00:20.612 (ESshFatal) Cannot initialize SFTP protocol. Is the host running a SFTP server?
* 2007-03-30 09:00:20.628 Connection has been unexpectedly closed. Server sent command exit status 126.

I did a google search for "command exit status 126" and here is what I found:
If a command is not found, the child process created to execute it returns
a status of 127. If a command is found but is not executable, the return
status is 126

So that means, to me (and I am really green on ssh right now) that it finds the sftp-server file
but unable to execute it?

I also checked my linux box and the file sftp-server is in the jail as well as in the normal place:
/usr/libexec/openssh/sftp-server
/home/jail/usr/libexec/openssh/sftp-server

Any ideas on this?

Thank you for the help!
  #9  
Old 30th March 2007, 04:53 PM
brunson Offline
Registered User
 
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,306
Client logs are (almost) completely useless. What do you have in the logs on the server? What happens if you log in and try to run /usr/libexec/openssh/sftp-server?

Last edited by brunson; 30th March 2007 at 05:05 PM.
  #10  
Old 30th March 2007, 05:45 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
I logged in the server as me, when I run /usr/libexec/openssh/sftp-server, it just sits there, does nothing. hit ctrl-c and it goes back to the bash prompt.

Checking /var/log/secure and /var/log/messages, I see nothing listed for that event.

I attempted logging in as the client using winscp on my pc. Here is what tail /var/log/secure says:
Mar 30 12:38:27 billing sshd[5916]: pam_unix(sshd:session): session opened for user medpmgmt by (uid=0)
Mar 30 12:38:27 billing sshd[5918]: subsystem request for sftp
Mar 30 12:38:27 billing sudo: medpmgmt : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/chroot /home/jail /bin/su - medpmgmt -c /usr/libexec/openssh/sftp-server
Mar 30 12:38:29 billing sshd[5916]: pam_unix(sshd:session): session closed for user medpmgmt
[root@billing log]#

It's just like he is able to log in fine but pam throws him back out as soon as he logs in... strange...

Thank you
  #11  
Old 30th March 2007, 06:00 PM
brunson Offline
Registered User
 
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,306
Yep, that's a problem...

Try running "/usr/sbin/chroot /home/jail /bin/su - medpmgmt -c /usr/libexec/openssh/sftp-server" as root. If that works, try running "sudo /usr/sbin/chroot /home/jail /bin/su - medpmgmt -c /usr/libexec/openssh/sftp-server" as root.
  #12  
Old 30th March 2007, 06:45 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
I ran both the commands as root logged into the box. Here is the output

/usr/sbin/chroot /home/jail /bin/su - medpmgmt -c /usr/libexec/openssh/sftp-server
/bin/su: warning: cannot change directory to /home/medpmgmt: Permission denied
/bin/su: /bin/bash: Permission denied

sudo /usr/sbin/chroot /home/jail /bin/su - medpmgmt -c /usr/libexec/openssh/sftp-server
/bin/su: warning: cannot change directory to /home/medpmgmt: Permission denied
/bin/su: /bin/bash: Permission denied

could be a permission issue on that directory then?
  #13  
Old 30th March 2007, 07:17 PM
viper3two Offline
Registered User
 
Join Date: Nov 2006
Posts: 18
I think I talked myself into fixing the problem -)
Or at least I hope I fixed it correctly.
Took a look at the jail, and the ownership is:
user:root
group:root

changed that folder (/home/jail/ ) ownership to:

user:medpmgmt
group:medpmgmt

Now I can ssh in as medpmgmt just fine.
I tried getting out of the jail and I am unable to cd .. up, which is good.

Is this the correct way of solving this?
I just don't want to break the jail or compromise anything.....

Thank you!
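The symptoms in posts #8 and #12 (exit status 126, "Exec format error", and su failing on /bin/bash inside the jail) can all be checked from the host before a client connects. The script below is an added example written for this page; it is not from the thread or from the make_chroot_jail.sh script. It checks the three paths that the sudo command line in /var/log/secure depends on (/bin/su, /bin/bash and /usr/libexec/openssh/sftp-server, all inside /home/jail): present, executable, and, for ELF binaries, every shared library that ldd reports also present inside the jail; for a script, the #! interpreter must exist inside the jail too, because the kernel resolves it there, and a file that is neither ELF nor a #! script is exactly what produces "Exec format error" (ENOEXEC). It also checks the jail root itself: root runs `chroot /home/jail /bin/su ...`, so an account that owns or can write /home/jail can rename bin/ and plant a /bin/su of its own that root will then execute. The path list is an argument, so the same script runs against any jail.

```sh
#!/bin/sh
# Added example for this page; not from the thread or from make_chroot_jail.sh.
# Host-side sanity check of a sudo/chroot jail of the kind discussed here.
# Usage: sh check_jail.sh /home/jail /bin/su /bin/bash /usr/libexec/openssh/sftp-server

# check_jail_root JAIL: root executes "chroot JAIL /bin/su ...", so JAIL must be
# owned by root and writable by nobody else.
check_jail_root() {
    line=$(ls -ld "$1" 2>/dev/null)
    perm=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    rc=0
    [ "$owner" = root ] || { echo "$1: owned by '$owner', not root"; rc=1; }
    case $(printf '%s\n' "$perm" | cut -c6) in
        w) echo "$1: jail root is group-writable"; rc=1 ;;
    esac
    case $(printf '%s\n' "$perm" | cut -c9) in
        w) echo "$1: jail root is world-writable"; rc=1 ;;
    esac
    return $rc
}

# check_exec JAIL PATH: could execve() of PATH succeed inside "chroot JAIL"?
# Returns 127 (ENOENT) and 126 (EACCES) where a shell would report the same
# status, and 1 (ENOEXEC: Exec format error), 2 (interpreter missing) or
# 3 (libraries missing) for the cases a shell reports less clearly.
check_exec() {
    jail=$1 rel=$2 f=$1$2
    if [ ! -e "$f" ]; then
        echo "$rel: missing in jail (ENOENT -> exit 127)"; return 127
    fi
    if [ ! -x "$f" ]; then
        echo "$rel: no execute bit (EACCES -> exit 126)"; return 126
    fi
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n' | tr 'A-F' 'a-f')
    case $magic in
    7f454c46)   # ELF: every shared library must also exist inside the jail
        missing=$(ldd "$f" 2>/dev/null | grep -o '/[^ ]* (0x' | cut -d' ' -f1 |
                  while read -r lib; do [ -e "$jail$lib" ] || echo "$lib"; done)
        if [ -n "$missing" ]; then
            echo "$rel: shared libraries missing inside jail:"; echo "$missing"; return 3
        fi ;;
    2321*)      # "#!": the interpreter is resolved inside the jail, not on the host
        interp=$(head -n 1 "$f" | sed -e 's/^#![[:space:]]*//' -e 's/[[:space:]].*//')
        if [ ! -x "$jail$interp" ]; then
            echo "$rel: interpreter $interp missing in jail (ENOENT -> exit 127)"; return 2
        fi ;;
    *)
        echo "$rel: neither ELF nor #! script (ENOEXEC: Exec format error)"; return 1 ;;
    esac
    echo "$rel: ok"
}

# check_jail JAIL PATH...: run every check; nonzero if any of them failed.
check_jail() {
    jail=$1; shift; rc=0
    check_jail_root "$jail" || rc=1
    for p in "$@"; do
        check_exec "$jail" "$p" || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_jail "$@"
fi
```

The library check relies on ldd's `path (0xaddr)` output and is skipped silently when ldd is not installed or the file is not a dynamic executable; a `#!/usr/bin/env bash` script is checked for /usr/bin/env inside the jail, which is what the kernel would look for.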
  #14  
Old 3rd May 2011, 10:47 PM
avaldez99 Offline
Registered User
 
Join Date: May 2011
Posts: 3
Re: ssh jail

I'm having a similar issue. I get kicked out when I sftp to the CentOS server, and when I ssh I get permission denied. Can anyone help? Thanks.

avaldez@linuxbox01:~$ ssh -v t2@172.16.11.238
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.16.11.238 [172.16.11.238] port 22.
debug1: Connection established.
debug1: identity file /home/avaldez/.ssh/identity type -1
debug1: identity file /home/avaldez/.ssh/id_rsa type -1
debug1: identity file /home/avaldez/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.16.11.238' is known and matches the RSA host key.
debug1: Found key in /home/avaldez/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Trying private key: /home/avaldez/.ssh/identity
debug1: Trying private key: /home/avaldez/.ssh/id_rsa
debug1: Trying private key: /home/avaldez/.ssh/id_dsa
debug1: Next authentication method: password
t2@172.16.11.238's password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
Permission denied, please try again.
t2@172.16.11.238's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue May 3 12:57:02 2011 from 172.16.10.73
Could not chdir to home directory /home/jail/home/t2: Permission denied
/bin/su: user t2 does not exist
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 172.16.11.238 closed.
Transferred: sent 1824, received 2200 bytes, in 0.0 seconds
Bytes per second: sent 66564.3, received 80285.9
debug1: Exit status 1
avaldez@linuxbox01:~$ sftp -v t2@172.16.11.238
Connecting to 172.16.11.238...
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.16.11.238 [172.16.11.238] port 22.
debug1: Connection established.
debug1: identity file /home/avaldez/.ssh/id_rsa type -1
debug1: identity file /home/avaldez/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.16.11.238' is known and matches the RSA host key.
debug1: Found key in /home/avaldez/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Trying private key: /home/avaldez/.ssh/id_rsa
debug1: Trying private key: /home/avaldez/.ssh/id_dsa
debug1: Next authentication method: password
t2@172.16.11.238's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1424, received 1848 bytes, in 0.1 seconds
Bytes per second: sent 22679.5, received 29432.3
debug1: Exit status 1
Connection closed




ssh -v t2@172.16.11.238
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.16.11.238 [172.16.11.238] port 22.
debug1: Connection established.
debug1: identity file /home/avaldez/.ssh/identity type -1
debug1: identity file /home/avaldez/.ssh/id_rsa type -1
debug1: identity file /home/avaldez/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.16.11.238' is known and matches the RSA host key.
debug1: Found key in /home/avaldez/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Trying private key: /home/avaldez/.ssh/identity
debug1: Trying private key: /home/avaldez/.ssh/id_rsa
debug1: Trying private key: /home/avaldez/.ssh/id_dsa
debug1: Next authentication method: password
t2@172.16.11.238's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue May 3 14:18:06 2011 from 172.16.10.73
Could not chdir to home directory /home/jail/home/t2: Permission denied
/bin/su: user t2 does not exist
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 172.16.11.238 closed.
Transferred: sent 1696, received 2136 bytes, in 0.0 seconds
Bytes per second: sent 64432.6, received 81148.6
debug1: Exit status 1
avaldez@linuxbox01:~$
  #15  
Old 3rd May 2011, 10:57 PM
bob Offline
Administrator (yeah, back again)
 
Join Date: Jul 2004
Location: Colton, NY; Junction of Heaven & Earth (also Routes 56 & 68).
Age: 71
Posts: 23,130
Re: ssh jail

Avaldez99, first of all, don't tag your post onto a dead thread, start your own.
Second, this is a Fedora forum, not Ubuntu. Why are you posting here?

And, finally, read the Posting Rules about multi-posts. Again, this one's closed.
__________________
Linux & Beer - That TOTALLY Computes!
Registered Linux User #362651


Don't use any of my solutions on working computers or near small children.
Closed Thread