[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: P.S. - RE: [redhat-list] updates pending question



-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-bounces redhat com] On Behalf Of Alfred Hovdestad
Sent: Friday, May 10, 2013 4:37 PM
To: General Red Hat Linux discussion list
Subject: Re: P.S. - RE: [redhat-list] updates pending question

On 10/05/13 02:29 PM, Constance Morris wrote:
> -----Original Message-----
> From: redhat-list-bounces redhat com 
> [mailto:redhat-list-bounces redhat com] On Behalf Of m roth 5-cent us
> Sent: Friday, May 10, 2013 4:00 PM
> To: General Red Hat Linux discussion list
> Subject: Re: P.S. - RE: [redhat-list] updates pending question
>
> Alfred Hovdestad wrote:
>> On 10/05/13 12:06 PM, Constance Morris wrote:
>>>
>>> I found an article titled ' can I set up sftp to chroot only 
>>> particular users in rhel' and I followed the instructions of 
>>> modifying the /etc/ssh/sshd_config to have:
>>>
>>> Comment out the #Subsystem 	sftp	/usr/libexec/openssh/sftp-server
>>> And put this as active = subsystem	sftp	internal-sftp
>>>
>>> * Now my sshd_config was different than above. It had:
>>> Subsystem 	sftp	/bin/sh -c 'umas 0002; /usr/libexec/openssh/sftp-server'
>>>
>>> Exactly like that. But I tried the above by commenting it out and 
>>> adding the other line and the rest of the data as follows:
>>>
>>> Match Group www
>>> 	ChrootDirectory /faculty-staff/%u
>>> 	AllowTcpForwarding no
>>> 	ForceCommand internal-sftp
>>> 	X11Forwarding no
>>>
>>> And then did as it said and created a user, made a directory folder 
>>> for that user in /faculty-staff and changed ownership and permissions.
>>> Then it said to restart the sshd service and upon doing so I got the 
>>> following error message:
>>>
>>> Starting sshd: /etc/ssh/sshd_config: line 122: Bad configuration option:
>>> Match
>>> /etc/ssh/sshd_config: terminating, 1 bad configuration options
>>>                                                              
>>> [FAILED]
>>>
>>> Any thoughts? The comments on the article mentioned there being a 
>>> problem with selinux.
>>>
>> What version of Red Hat are you running?  I'm thinking that it is 
>> likely RHEL 5.  The Match keyword for openssh was introduced with 
>> openssh 5 (RHEL 6).  That might be why your predecessor had installed 
>> a newer version of openssh (outside of RHEL).
>>
>> And if sshd isn't running your faculty won't be able to login.  You 
>> may have to re-install the custom version of openssh to resolve this issue.
>
> I really don't think it's an sshd problem, at this point. She's got other (many other?) users who have no trouble; it's just these three, which is why I'm strongly leaning towards them having Web Expression on their workstations misconfigured.
>
>      mark
> -- ----------
>
> P.S. Now Hassan can't log in and gets the same error message as jadams 'There's no site named /faculty-staff/username'.
>
> Constance
>
>


I don't think that you should have the %u on the ChrootDirectory.  Do all of these users have www as their default group?  It is the default group that gets matched on the sftp connection.

--
Alfred
-----------

Alfred,
Okay, that's good to know if I have to make those changes again, but I had removed all of those changes to the sshd_config file when I ran into that error message after trying to restart the sshd service. 
So it doesn't have the 'Match Group www' info or the ChrootDirectory /faculty-staff/%u  info in that file anymore.
Ah......for their faculty-staff directory pages then yes they all have the www group. However, ones like Cathy don't log in for the faculty-staff directory but to their department directory and it uses a different group. So I see my error there with having listed the 'www' group when I tried that.
If I have to add those back in to the sshd_config file since I removed them when I got the error message......any suggestions on what I should use for the matched or should I leave that out of it?

Constance



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]