Gentoo Forums: Documentation, Tips & Tricks
HOWTO native openssh chroot and SFTP
EstebanGonzales (n00b, joined 14 Oct 2010, posts: 8)
Posted: Mon Oct 18, 2010 10:48 pm

Ok here we go.

Code:
TestServer ~ # groups sftpuser
sftpuser
TestServer ~ #


Code:
TestServer ~ # ls -ld /
drwxr-xr-x 20 root root 4096 Oct 18 11:43 /
TestServer ~ #


Code:
TestServer ~ # grep sftpuser /etc/passwd
sftpuser:x:1005:1005::/home/sftpuser:/bin/bash


Code:
TestServer ~ # emerge -pvt openssh

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild     U ] net-misc/openssh-5.6_p1-r2 [5.5_p1-r2] USE="ldap* pam tcpd -X -X509 -hpn -kerberos -libedit (-selinux) -skey -static" 1,110 kB

Total: 1 package (1 upgrade), Size of downloads: 1,110 kB

 * IMPORTANT: 2 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

TestServer ~ #

Code:
TestServer ~ # cat /etc/pam.d/sshd
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login


Does that help at all?
m27315 (Apprentice, joined 10 Dec 2004, posts: 253, location: 2 workstations down)
Posted: Mon Oct 18, 2010 11:15 pm, subject: updated configs

It's been a while, so here are relevant snippets from my current configs as of October 18, 2010. ... You should compare your files and the following commands on the host server (the one you are logging into). If the results are identical, you will need to post your syslog/metalog record of the event.

HTH

/etc/pam.d/sshd:
Code:
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login

Mostly defaults in the next one too, but look near the end for SFTP config...

/etc/ssh/sshd_config:
Code:
#       $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

AllowGroups root wheel sftponly
AllowUsers root sftpuser

# override default of no subsystems
#Subsystem      sftp    /usr/lib64/misc/sftp-server
Subsystem       sftp internal-sftp

Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Make sure your permissions are all correct:

Code:
# grep -i mask /etc/login.defs
UMASK           022

# grep sftpuser /etc/passwd
sftpuser:x:1001:1001::/public:/bin/false

# groups sftpuser
sftponly

# ls -latd /home
drwxr-xr-x 4 root root 4096 Jan 15  2009 /home

# ls -latd /home/sftpuser
drwxr-xr-x 3 root root 4096 Jan 15  2009 /home/sftpuser

# ls -latd /home/sftpuser/public
drwxr-xr-x 4 sftpuser sftponly 73728 Oct  9 17:23 /home/sftpuser/public
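As an added example (it is not code from either post above, nor OpenSSH's own code), the following Python script checks a candidate ChrootDirectory path the way sshd does before it chroots: the directory and every parent component must be owned by root and must not be writable by group or others, otherwise the login is refused and syslog records "bad ownership or modes for chroot directory". This is the property m27315's listings demonstrate (/home and /home/sftpuser are root-owned mode 755, and the user-owned, writable area is the /public subdirectory below the chroot, which the passwd entry names as the home directory), and it does for every component at once what EstebanGonzales's individual ls -ld checks do by hand. The demo tree, its paths and the root_uid parameter are constructed for this example; the real daemon only accepts uid 0.

```python
# Added example (not from the forum thread): check a ChrootDirectory path
# against sshd's chroot rules.  sshd only chroots into a directory if it and
# every parent component are owned by root and not writable by group or
# others; otherwise the login fails and syslog records
# "bad ownership or modes for chroot directory".
# The demo tree and root_uid parameter below are constructed for this example.
import os
import shutil
import stat
import tempfile

ROOT_UID = 0


def path_components(path):
    """Return every prefix of an absolute path, root first: /, /home, /home/u."""
    comps = []
    cur = path
    while True:
        comps.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:          # reached "/"
            break
        cur = parent
    return list(reversed(comps))


def chroot_path_findings(path, root_uid=ROOT_UID):
    """Map each violating path component to the list of rules it breaks.

    An empty dict means sshd would accept the path as a ChrootDirectory.
    root_uid is a parameter only so the demo can run unprivileged; sshd
    itself insists on uid 0.  Symlinks are resolved first, since sshd
    chroots into the resolved directory.
    """
    findings = {}
    for comp in path_components(os.path.realpath(path)):
        try:
            st = os.stat(comp)
        except OSError as exc:
            findings[comp] = [f"cannot stat: {exc.strerror}"]
            continue
        problems = []
        if not stat.S_ISDIR(st.st_mode):
            problems.append("not a directory")
        if st.st_uid != root_uid:
            problems.append(f"owner uid {st.st_uid} is not {root_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"mode {stat.filemode(st.st_mode)} is writable by group or others")
        if problems:
            findings[comp] = problems
    return findings


def is_chroot_safe(path, root_uid=ROOT_UID):
    """True only if every component passes sshd's ownership and mode rules."""
    return not chroot_path_findings(path, root_uid)


def demo_findings():
    """Build a constructed tree, evaluate a good and a bad chroot candidate, clean up.

    Returns (good_path, good_findings, bad_path, bad_findings).  The bad
    directory is group-writable (mode 775), a mistake that breaks a chroot
    which otherwise looks right.
    """
    base = os.path.realpath(tempfile.mkdtemp(prefix="sftp-chroot-demo-"))
    good = os.path.join(base, "sftpuser-ok")
    bad = os.path.join(base, "sftpuser-bad")
    for d, mode in ((good, 0o755), (bad, 0o775)):
        os.mkdir(d)
        os.chmod(d, mode)      # set explicitly so the caller's umask does not interfere
    result = (good, chroot_path_findings(good), bad, chroot_path_findings(bad))
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    good, good_f, bad, bad_f = demo_findings()
    for label, path, f in (("good", good, good_f), ("bad", bad, bad_f)):
        print(f"{label}: {path} -> {'OK' if not f else 'REJECTED'}")
        for comp, problems in f.items():
            print(f"  {comp}: {'; '.join(problems)}")
```

Run unprivileged, every directory you created is also reported for owner mismatch, and a tree under a world-writable temporary directory (as /tmp normally is) is reported at that component, which is exactly the situation sshd refuses. Point the checker at the real path from the Match block (here /home/sftpuser) to get the same verdict the daemon reaches. Keep in mind that the Match Group sftponly block only takes effect for users who are actually in that group, so the output of groups matters as much as the directory modes.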
Page 2 of 2