[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: P.S. - RE: [redhat-list] updates pending question
On 10/05/13 03:02 PM, Constance Morris wrote:

-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-bounces redhat com] On Behalf Of Alfred Hovdestad
Sent: Friday, May 10, 2013 4:37 PM
To: General Red Hat Linux discussion list
Subject: Re: P.S. - RE: [redhat-list] updates pending question

On 10/05/13 02:29 PM, Constance Morris wrote:
-----Original Message-----
From: redhat-list-bounces redhat com
[mailto:redhat-list-bounces redhat com] On Behalf Of m roth 5-cent us
Sent: Friday, May 10, 2013 4:00 PM
To: General Red Hat Linux discussion list
Subject: Re: P.S. - RE: [redhat-list] updates pending question

Alfred Hovdestad wrote:
On 10/05/13 12:06 PM, Constance Morris wrote:

I found an article titled ' can I set up sftp to chroot only
particular users in rhel' and I followed the instructions of
modifying the /etc/ssh/sshd_config to have:

Comment out the #Subsystem 	sftp	/usr/libexec/openssh/sftp-server
And put this as active = subsystem	sftp	internal-sftp

* Now my sshd_config was different than above. It had:
Subsystem 	sftp	/bin/sh -c 'umas 0002; /usr/libexec/openssh/sftp-server'

Exactly like that. But I tried the above by commenting it out and
adding the other line and the rest of the data as follows:

Match Group www
	ChrootDirectory /faculty-staff/%u
	AllowTcpForwarding no
	ForceCommand internal-sftp
	X11Forwarding no

And then did as it said and created a user, made a directory folder
for that user in /faculty-staff and changed ownership and permissions.
Then it said to restart the sshd service and upon doing so I got the
following error message:

Starting sshd: /etc/ssh/sshd_config: line 122: Bad configuration option:
Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options

[FAILED]

Any thoughts? The comments on the article mentioned there being a
problem with selinux.

What version of Red Hat are you running?  I'm thinking that it is
likely RHEL 5.  The Match keyword for openssh was introduced with
openssh 5 (RHEL 6).  That might be why your predecessor had installed
a newer version of openssh (outside of RHEL).

And if sshd isn't running your faculty won't be able to login.  You
may have to re-install the custom version of openssh to resolve this issue.

I really don't think it's an sshd problem, at this point. She's got other (many other?) users who have no trouble; it's just these three, which is why I'm strongly leaning towards them having Web Expression on their workstations misconfigured.

      mark
-- ----------

P.S. Now Hassan can't log in and gets the same error message as jadams 'There's no site named /faculty-staff/username'.

Constance


I don't think that you should have the %u on the ChrootDirectory.  Do all of these users have www as their default group?  It is the default group that gets matched on the sftp connection.

--
Alfred
-----------

Alfred,
Okay, that's good to know if I have to make those changes again, but I had removed all of those changes to the sshd_config file when I ran into that error message after trying to restart the sshd service.
So it doesn't have the 'Match Group www' info or the ChrootDirectory /faculty-staff/%u info in that file anymore.
Ah... for their faculty-staff directory pages, then yes, they all have the www group. However, ones like Cathy don't log in for the faculty-staff directory but to their department directory, and it uses a different group. So I see my error there with having listed the 'www' group when I tried that.
If I have to add those back into the sshd_config file, since I removed them when I got the error message... any suggestions on what I should use for the match, or should I leave that out of it?

Constance


RHEL 5 (openssh 4) doesn't support the Match config parameter so it's best to leave it out.

For the 'There's no site named /faculty-staff/username' error it sounds as though they are trying to connect to the home directory, not to the server. It's beginning to sound like Mark has the right idea: check the user configuration. Make sure you know what they are doing when they try to connect to the Linux server.

--
Alfred
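The recipe quoted in this thread (a Match Group block with ChrootDirectory and ForceCommand internal-sftp) broke the restart because the installed OpenSSH did not know the Match keyword, and while sshd was down nobody could log in. The POSIX shell script below is an added example, not code from the thread, from Red Hat or from OpenSSH: it runs the checks an administrator would want before restarting sshd with such a block. The 4.9 version threshold is this example's assumption about when Match, ChrootDirectory and the internal-sftp ForceCommand were all available (the thread puts the working version at OpenSSH 5 on RHEL 6 and the failing one at the 4.x on RHEL 5); the sample config is constructed for the demonstration, and the ownership rule it checks (the chroot directory and every parent owned by root and not group/world writable) is the one sshd enforces for ChrootDirectory.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks to run before
# "service sshd restart" when adding a chrooted-sftp Match block, so a bad
# directive never takes sshd (and every user's login) down with it.
# The demo config at the bottom is constructed for this example.

# Does the installed OpenSSH understand the directives the recipe uses?
# Match, ChrootDirectory and "ForceCommand internal-sftp" are all missing
# from the 4.3 that RHEL 5 ships; the 4.9 threshold is this example's
# assumption. Argument: an "ssh -V" banner such as "OpenSSH_5.3p1, ...".
version_supports_chroot_match() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2                   # not an OpenSSH banner at all
    set -- $v                                 # $1 = major, $2 = minor
    [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -ge 9 ]; }
}

# Does the candidate config contain a Match block at all?
config_has_match() {
    grep -qi '^[[:space:]]*Match[[:space:]]' "$1"
}

# sshd rejects a ChrootDirectory unless it and every parent directory are
# owned by root and not writable by group or others. Pure policy check.
chroot_perms_ok() {                           # args: owner uid, octal mode
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    g=$(printf '%s' "$mode" | sed 's/.*\(.\).$/\1/')   # group digit
    o=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')    # other digit
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]       # write bit clear
}

# Walk a real path (the expanded ChrootDirectory, no %u) up to / and apply
# the policy to each component, naming the first offender on stderr.
chroot_path_ok() {
    p=$1
    while [ -n "$p" ]; do
        st=$(stat -c '%u %a' "$p" 2>/dev/null) || return 1
        chroot_perms_ok $st || { echo "bad owner/mode on $p" >&2; return 1; }
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}

# Syntax-check the candidate file without touching the live daemon.
config_syntax_ok() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not in PATH, skipping -t" >&2; return 0; }
    sshd -t -f "$1"
}

preflight() {                                 # args: candidate config, chroot dir
    if config_has_match "$1"; then
        version_supports_chroot_match "$(ssh -V 2>&1)" || {
            echo "installed OpenSSH lacks Match/ChrootDirectory; leave the block out" >&2
            return 1
        }
    fi
    config_syntax_ok "$1" || return 1
    chroot_path_ok "$2"
}

# Constructed demo config mirroring the thread's recipe for primary group
# www, with ChrootDirectory as the fixed parent (no %u, as the reply advises).
demo_cfg=$(mktemp)
trap 'rm -f "$demo_cfg"' EXIT
cat > "$demo_cfg" <<'EOF'
Subsystem sftp internal-sftp
Match Group www
    ChrootDirectory /faculty-staff
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no
EOF

# Usage: sh sshd-preflight.sh /etc/ssh/sshd_config.new /faculty-staff
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it against a copy of the new config (the /etc/ssh/sshd_config.new name above is hypothetical) and only move the file into place and restart once it exits 0. The version check reads the banner from `ssh -V`; `sshd -t -f` needs root to read the host keys, so run the preflight with the same privileges you would use for the restart. Note that the Match line is tested against the user's primary group, which is why a user whose primary group is not www is never placed in the chroot.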


