Redhat SSH Access

Is there an sftp package that can be used which is more flexible then the ssh internal ftp server. I have been tasked with providing an /srv/ftp/ directory which includes

mount -bind other_directory1 /srv/ftp/d1
mount -bind other_driectory2 /srv/ftp/q2

...etc

Since sftp via ssh demands that all directories be owned by root I have a problem. The 'other directories' are owned by different sets of groups. We have engineers who will have carte blanche access. I have another group 'manufacturing' who will need to be chrooted to /var/ftp/. They will need to see directories underneath /var/ftp/ and nothing else. We don't want them to be able to cd to any other part of the system. Manufacturing does not have any account on the machine. My last group sales has an account on the server. I have been able to chroot them to there home folder where they also have the same mount --binded directories. Management would like sales to be able to ftp as well as sftp with read only access to the sub directories under their home directory. It is allowable to have them sftp to /srv/ftp/ and ftp to /home/sale/. I would suppose that this may mean that I use a different tool to implement sftp rather then use ssh. Here are my setup files for ssh

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
UseDNS no
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin yes
Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no

Match group ftpgroup
ChrootDirectory /srv/ftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand /usr/lib/openssh/sftp-server
PasswordAuthentication yes

Hi I'am newbie here,can somebody help me to fix accessing port 22 using ssh anywhere. Please see the sshd_config below:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility LOCAL3
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
AllowUsers root

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Dear all,

This is long story cut short, with vsftp, if i set this parameters in the vsftp.conf file below

Code:

local_enable=YES
chroot_local_users=YES

I am able to login to the ftp account, see and list my home/user directory, and if i do a cd / or cd .. , i will still be chroot to my /home/user directory.

without, the need to chmod or or chown anything to my /home/user directory

=============================================

With openSSH, internal_sftp, even though I have set the sshd_conf to

Code:

Match user alankoh
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home/%u

I will need to change owner my /home/user directory to have root becomes it owner.
============================================

Q1) why this difference ? How does vsftp chroot without changing the /home/user folder ownership ?

Q2) i realize that openssh ChrootDirectory parameter causes my default login directory to be set as that of the parameter.
(e.g. if i set to "/whatever/xyz", i will be brought to that /whatever/xyz everytime i login to the sftp instead of my /home/user folder.

Why ? I thought that ChrootDirectory is just a security measure to specify the directory to go to in case the user cd to root (e.g. cd /), else not, i should still go to my /home/user folder everytime i login to sftp.

Regards,
Noob

I have set up a SFTP which I can connect to, go to the right directory and read/write files to.

The full path is home/sftpuser/SFTP/Customer
The user "sftpuser" I am connecting with is in the group "ftpusers" which has read/write access.

That works fine.

Here is my sshd_config:
Code:

Match Group ftpusers ChrootDirectory /home/%u/
 ForceCommand internal-sftp
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no

However, I made a samba share of the folder Customer, when I go to the IP adress on a Windows machine "\\10.0.0.1\" I can see the folder Customer, when entering it requests user/pass and afterwards gives an error: you have not the right permissions.

In Webmin:
Customer /home/sftpuser/SFTP/Customer Read/write to everyone

My smb.conf:
Code:

[global]
    syslog = 0
    log file = /var/log/samba/log.%m
    read raw = no
    write raw = no
    passdb backend = tdbsam
    workgroup = DOMAIN
    usershare allow guests = yes
    socket options = TCP_NODELAY
    pam password change = yes
    passwd program = /usr/bin/passwd %u
    unix password sync = yes
    obey pam restrictions = yes
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    server role = standalone server
    server string = %h server (Samba, Ubuntu)
    max log size = 1000
    map to guest = bad user
    panic action = /usr/share/samba/panic-action %d
    dns proxy = no



[Customer]
    force create mode = 755
    browsable = yes
    public = yes
    path = /home/sftpuser/SFTP/Customer
    force directory mode = 755
    writeable = yes
    valid users = @ftpusers
    force group = ftpusers
    write list = @ftpusers

I have been struggling for 3 days and am totally out of ideas.

LS -L for the folder:
Code:

total 4
drwxrwx---+ 2 sftpuser ftpusers 4096 Apr  9 11:35 Customer

Dear Members,

I am trying to configure sftp on my Server (Redhat). But I am facing following issue.

Link used: https://www.linode.com/docs/tools-re...ian-and-ubuntu

These are the parameters added to /etc/ssh/sshd_config file :

Quote:
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Permission home Directories are as follows :

Quote:
ls -ld /home/test1/
drwxr-xr-x 7 root root 4096 May 14 09:49 /home/test1/

ls -l /home/test1/
total 12
drwxr-xr-x 2 root root 4096 May 14 09:49 docs
drwxr-xr-x 2 root root 4096 May 13 11:43 nitish
drwxr-xr-x 2 root root 4096 May 14 09:49 public_html

Debug Command : sftp -vvv test1@Ipaddress

Code:

debug1: Next authentication method: password
test1@IP-address's password:
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1421
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug3: Wrote 128 bytes for a total of 1549
debug3: Wrote -1 bytes for a total of 1549
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

I need the user can't access/see the other directories other than it's own directory

Waiting for your response.

Thank you

Redhat-Keeda

in my RHEL 4 server , I want to know what ftp server is running but can't find it.

I tried "ps -ef |grep ftp" but no output , chkconfig --list |grep ftp also no output related to ftp , /etc/rc.d/init.d can't find ftp service , ftp localhost is not allow .

when use FileZilla to connect it , it is ok , the ftp should be running , I tried to use "ps -ef |grep ftp" , it pops the following output , would advise what ftp server is running in server ? thanks

Code:

edp 11027 11026  0 12:39 ?        00:00:00 tcsh -c /usr/libexec/openssh/sftp-server
edp 11037 11027  0 12:39 ?        00:00:00 /usr/libexec/openssh/sftp-server
user   11050  7747  0 12:48 pts/2    00:00:00 grep ftp

proftpd is running in port 2222. Vendor user "ABC" logs in successfully. When I check the /var/log/proftpd/sftpd.log file I see strange things, time stamp changes from 11:xx to 10:xx during user ABC login..!

Mar 17 11:44:34 mod_sftp/0.9.7[49192]: sending acceptable userauth methods: keyboard-interactive,password
Mar 17 10:44:34 mod_sftp/0.9.7[49192]: sending userauth success
Mar 17 10:44:34 mod_sftp/0.9.7[49192]: user 'ABC' authenticated via 'keyboard-interactive' method
Mar 17 11:44:35 mod_sftp/0.9.7[49193]: using '/etc/ssh/ssh_host_rsa_key' as RSA hostkey
Mar 17 11:44:35 mod_sftp/0.9.7[49193]: using '/etc/ssh/ssh_host_dsa_key' as DSA hostkey
Mar 17 11:44:35 mod_sftp/0.9.7[49193]: disconnecting client (received EOF)
Mar 17 10:44:35 mod_sftp/0.9.7[49192]: 'subsystem' channel request for 'sftp' subsystem
Mar 17 10:44:35 mod_sftp/0.9.7[49192]: using SFTP protocol version 3 for this session (channel ID 0)
Mar 17 10:44:35 mod_sftp/0.9.7[49192]: client set permissions on '/12345_FULL' to 0666



Any thougs on this?

Hi All,

Please can someone assist me on this, I enabled Selinux on Ubuntu 14.04 server and it's disabling ssh remote login for all users including root.

From the ssh terminal I get the following error:

ssh root@192.168.x.x
Last login: Wed Mar 25 12:39:02 2015 from 192.168.x.x
/bin/bash: Permission denied
Connection to 192.168.211.135 closed.


tail /var/log/auth.log

ubuntu sshd[1640]: Accepted password for root from 192.168.x.x port 51082 ssh2

ubuntu sshd[1642]: Accepted password for root from 192.168.x.x port 51089 ssh2

ubunt sshd[1640]: Received disconnect from 192.168.x.x: disconnected by user

audit2allow --all

sshd_t

This avc is a constraint violation. you would need to modify the attribute of either the source or target types to allow this access.

possible cause is the source user (system_u) and target user (unconfined_u) are different.

possible cause is the source role (system_r) and target role (unconfined_r) are different.

possible cause is the source level (s0) and target level (s0-s0:c0.c255) are different.

allow sshd_t unconfined_trocess transition.

Please how can I make this changes to take effect.

Thanks in advance.

Hi,

So, I am learning meteor.js and signed up for a (cheap, i.e no support) VPS to host my Meteor app. Everything is running fine but I am trying to understand better how Linux works so here is my question:

I am running CentOS 7 on the VPS but it still uses iptables for its firewall.

I had to enable port 80 to access the web server. However, if I reboot the server, it stops working until I do
Code:

iptables -F

Then everything works. But I am thinking that -F might not be the best thing. I have changed the default SSH port from 22 to something else and that also works but I don't think I ever added it to the iptables rules.

If I do a port scan, the new SSH port is indicated as open as well as port 80 but others are closed as they are supposed to be.

Any idea what is doing on behind the scenes that requires iptables -F for the web access to work properly and if I shouldn't be doing iptables -F (I have it in the rc.local file), what is the right way of doing it?

(BTW, I am computer literate but not that familiar with Linux, which I am trying to learn now.)


Kamal

Hey All,

Is there a way to present a path or other block device to a USB port on a Linux server then have that port connected to a USB port of another device (ie USB to USB) and have it look like a flash disk?

I can plug a USB flash disk to a router just fine. But if I wanted a device to access a path off of another device int he absence of NFS or CIFS capability, that would be handy.

In other words, anyway to assign storage to a USB port in Linux? It would be akin to something like SAN with a target and source just with USB.

Cheers,
DH