P.S. - RE: [redhat-list] updates pending question

Constance Morris cmorris at daltonstate.edu
Fri May 10 21:02:45 UTC 2013


-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred Hovdestad
Sent: Friday, May 10, 2013 4:37 PM
To: General Red Hat Linux discussion list
Subject: Re: P.S. - RE: [redhat-list] updates pending question

On 10/05/13 02:29 PM, Constance Morris wrote:
> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Sent: Friday, May 10, 2013 4:00 PM
> To: General Red Hat Linux discussion list
> Subject: Re: P.S. - RE: [redhat-list] updates pending question
>
> Alfred Hovdestad wrote:
>> On 10/05/13 12:06 PM, Constance Morris wrote:
>>>
>>> I found an article titled ' can I set up sftp to chroot only 
>>> particular users in rhel' and I followed the instructions of 
>>> modifying the /etc/ssh/sshd_config to have:
>>>
>>> Comment out the #Subsystem 	sftp	/usr/libexec/openssh/sftp-server
>>> And put this as active = subsystem	sftp	internal-sftp
>>>
>>> * Now my sshd_config was different than above. It had:
>>> Subsystem 	sftp	/bin/sh -c 'umas 0002; /usr/libexec/openssh/sftp-server'
>>>
>>> Exactly like that. But I tried the above by commenting it out and 
>>> adding the other line and the rest of the data as follows:
>>>
>>> Match Group www
>>> 	ChrootDirectory /faculty-staff/%u
>>> 	AllowTcpForwarding no
>>> 	ForceCommand internal-sftp
>>> 	X11Forwarding no
>>>
>>> And then did as it said and created a user, made a directory folder 
>>> for that user in /faculty-staff and changed ownership and permissions.
>>> Then it said to restart the sshd service and upon doing so I got the 
>>> following error message:
>>>
>>> Starting sshd: /etc/ssh/sshd_config: line 122: Bad configuration option:
>>> Match
>>> /etc/ssh/sshd_config: terminating, 1 bad configuration options
>>> [FAILED]
>>>
>>> Any thoughts? The comments on the article mentioned there being a 
>>> problem with selinux.
>>>
>> What version of Red Hat are you running?  I'm thinking that it is 
>> likely RHEL 5.  The Match keyword for openssh was introduced with 
>> openssh 5 (RHEL 6).  That might be why your predecessor had installed 
>> a newer version of openssh (outside of RHEL).
>>
>> And if sshd isn't running your faculty won't be able to login.  You 
>> may have to re-install the custom version of openssh to resolve this issue.
>
> I really don't think it's an sshd problem, at this point. She's got other (many other?) users who have no trouble; it's just these three, which is why I'm strongly leaning towards them having Web Expression on their workstations misconfigured.
>
>      mark
> -- ----------
>
> P.S. Now Hassan can't log in and gets the same error message as jadams 'There's no site named /faculty-staff/username'.
>
> Constance
>
>


I don't think that you should have the %u on the ChrootDirectory.  Do all of these users have www as their default group?  It is the default group that gets matched on the sftp connection.

--
Alfred
-----------

Alfred,
Okay, that's good to know if I have to make those changes again, but I had removed all of those changes to the sshd_config file when I ran into that error message after trying to restart the sshd service. 
So it doesn't have the 'Match Group www' info or the ChrootDirectory /faculty-staff/%u info in that file anymore.
Ah... for their faculty-staff directory pages, then yes, they all have the www group. However, ones like Cathy don't log in for the faculty-staff directory but to their department directory, and it uses a different group. So I see my error there with having listed the 'www' group when I tried that.
If I have to add those back in to the sshd_config file, since I removed them when I got the error message... any suggestions on what I should use for the match, or should I leave that out of it?

Constance
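An added pre-flight check (example code, written for this page; not from anyone in the thread) for the sshd_config edits quoted above: it parses the file, flags a Match block when the running OpenSSH predates 4.4 (the release that introduced the keyword), flags a ChrootDirectory using %u so the per-user directories get created, and checks the ownership and mode rule sshd enforces on a chroot path, all before the service is restarted. The sample config, the path /faculty-staff/jadams and the version tuples are constructed for the example.

```python
# Added example (not from the thread): pre-flight lint for the chroot-sftp
# sshd_config edits quoted above, meant to run before restarting sshd.
MATCH_MIN_VERSION = (4, 4)  # OpenSSH release that introduced the Match keyword

SAMPLE_CONFIG = """Subsystem\tsftp\tinternal-sftp
Match Group www
\tChrootDirectory /faculty-staff/%u
\tForceCommand internal-sftp
"""  # constructed sample mirroring the thread's Match block

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords lower-cased, as sshd is case-insensitive."""
    global_opts, blocks, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank or commented out
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                     # later lines belong to this block
            current = (value, [])
            blocks.append(current)
        elif current is None:
            global_opts.append((key, value))
        else:
            current[1].append((key, value))
    return global_opts, blocks

def lint_sshd_config(text, openssh_version):
    """Findings for the pitfalls raised in the thread, given the running OpenSSH version."""
    findings = []
    _, blocks = parse_sshd_config(text)
    if blocks and tuple(openssh_version[:2]) < MATCH_MIN_VERSION:
        findings.append("Match used but OpenSSH %d.%d predates it (needs >= 4.4)"
                        % tuple(openssh_version[:2]))
    for criteria, opts in blocks:
        chroot = dict(opts).get("chrootdirectory", "")
        if "%u" in chroot:   # %u expands per user: each user needs their own directory
            findings.append("Match %s: %s needs a root-owned directory per user" % (criteria, chroot))
    return findings

def chroot_dir_findings(path, uid, mode):
    """sshd rejects a ChrootDirectory not owned by root or writable by group/others; uid/mode come from os.stat()."""
    findings = []
    if uid != 0:
        findings.append("%s must be owned by root, found uid %d" % (path, uid))
    if mode & 0o022:
        findings.append("%s is group/world-writable (mode %o)" % (path, mode & 0o777))
    return findings
```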