P.S. - RE: [redhat-list] updates pending question

Alfred Hovdestad alfred.hovdestad at usask.ca
Fri May 10 20:37:21 UTC 2013



On 10/05/13 02:29 PM, Constance Morris wrote:
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Sent: Friday, May 10, 2013 4:00 PM
> To: General Red Hat Linux discussion list
> Subject: Re: P.S. - RE: [redhat-list] updates pending question
>
> Alfred Hovdestad wrote:
>> On 10/05/13 12:06 PM, Constance Morris wrote:
>>>
>>> I found an article titled 'can I set up sftp to chroot only
>>> particular users in rhel' and I followed the instructions of
>>> modifying the /etc/ssh/sshd_config to have:
>>>
>>> Comment out the #Subsystem 	sftp	/usr/libexec/openssh/sftp-server
>>> And put this as active = subsystem	sftp	internal-sftp
>>>
>>> * Now my sshd_config was different than above. It had:
>>> Subsystem 	sftp	/bin/sh -c 'umas 0002; /usr/libexec/openssh/sftp-server'
>>>
>>> Exactly like that. But I tried the above by commenting it out and
>>> adding the other line and the rest of the data as follows:
>>>
>>> Match Group www
>>> 	ChrootDirectory /faculty-staff/%u
>>> 	AllowTcpForwarding no
>>> 	ForceCommand internal-sftp
>>> 	X11Forwarding no
>>>
>>> And then did as it said and created a user, made a directory folder
>>> for that user in /faculty-staff and changed ownership and permissions.
>>> Then it said to restart the sshd service and upon doing so I got the
>>> following error message:
>>>
>>> Starting sshd: /etc/ssh/sshd_config: line 122: Bad configuration option:
>>> Match
>>> /etc/ssh/sshd_config: terminating, 1 bad configuration options
>>>                                                              [FAILED]
>>>
>>> Any thoughts? The comments on the article mentioned there being a
>>> problem with selinux.
>>>
>> What version of Red Hat are you running?  I'm thinking that it is
>> likely RHEL 5.  The Match keyword for openssh was introduced with
>> openssh 5 (RHEL 6).  That might be why your predecessor had installed
>> a newer version of openssh (outside of RHEL).
>>
>> And if sshd isn't running your faculty won't be able to log in.  You
>> may have to re-install the custom version of openssh to resolve this issue.
>
> I really don't think it's an sshd problem, at this point. She's got other (many other?) users who have no trouble; it's just these three, which is why I'm strongly leaning towards them having Web Expression on their workstations misconfigured.
>
>      mark
> -- ----------
>
> P.S. Now Hassan can't log in and gets the same error message as jadams 'There's no site named /faculty-staff/username'.
>
> Constance
>
>


I don't think that you should have the %u on the ChrootDirectory.  Do 
all of these users have www as their default group?  It is the default 
group that gets matched on the sftp connection.

--
Alfred
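
A pre-restart check for the sshd_config change discussed in this thread, added here as an example and not part of any poster's message. It expands `%u` in a ChrootDirectory template, verifies that the path and its parents are root-owned and not group- or world-writable (which sshd requires of a chroot path), and runs sshd's config test mode before restarting. The function names and the /usr/sbin/sshd location are assumptions.

```shell
#!/bin/sh
# Added example: function names and the sshd binary path are assumptions.

# Expand the %u token (user name) in a ChrootDirectory template.
expand_chroot() {  # usage: expand_chroot TEMPLATE USER
    printf '%s\n' "$1" | sed "s|%u|$2|g"
}

# Succeed only if DIR is a real directory owned by OWNER_UID (default 0, root)
# and not writable by group or others.
dir_ok() {  # usage: dir_ok DIR [OWNER_UID]
    [ -d "$1" ] || return 1
    ls -ldn -- "$1" | awk -v want="${2:-0}" '{
        gw = substr($1, 6, 1); ow = substr($1, 9, 1)
        exit !($3 == want && gw != "w" && ow != "w")
    }'
}

# Check DIR and every parent up to /, since sshd checks all path components.
chroot_path_ok() {  # usage: chroot_path_ok DIR [OWNER_UID]
    case $1 in /*) ;; *) echo "not an absolute path: $1" >&2; return 1 ;; esac
    p=$1
    while :; do
        dir_ok "$p" "${2:-0}" || { echo "bad owner/mode: $p" >&2; return 1; }
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Test the config first, so a rejected keyword (such as Match on an sshd that
# does not support it) is reported while the running daemon stays up.
safe_restart() {  # usage: safe_restart [CONFIG]
    /usr/sbin/sshd -t -f "${1:-/etc/ssh/sshd_config}" || return 1
    service sshd restart
}

# Typical use, as root, with the template and a user name from this thread:
#   chroot_path_ok "$(expand_chroot '/faculty-staff/%u' jadams)" && safe_restart
```

Keeping an existing root SSH session open while running `safe_restart` gives a way back in if the restart still fails.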