Difference between pages "SFTP Only Access" and "Metro TroubleShooting"

From Funtoo

= Metro TroubleShooting =

If you receive something like:

{{Root|<nowiki>
metro FEATURES variable contains unknown value(s): safetydance
metro !!! Directory initialization failed: '/tmp/stage1root/var/lib/portage'
metro !!! chmod('/tmp/stage1root/var/lib/portage', 02755)
</nowiki>}}

check <code>/var/log/messages</code> for a grsecurity denial such as:

{{Root|<nowiki>
grsec: From 192.168.3.236: denied chmod +s of /var/tmp/metro/work/server/stage1-64bit-2011.04.05/tmp/stage1root/var/lib/portage by /var/tmp/metro/work/server/stage1-64bit-2011.04.05/usr/bin/python2.6[emerge:1786] uid/euid:0/0 gid/egid:0/0, parent /var/tmp/metro/work/server/stage1-64bit-2011.04.05/tmp/steps/chroot/run.metro[run.metro:1645] uid/euid:0/0 gid/egid:0/0
</nowiki>}}

The grsecurity chroot hardening option <code>chroot_deny_chmod</code> refuses to set the setuid/setgid bits on anything inside a chroot, and Metro builds the stage inside one: the <code>02755</code> mode requested for <code>var/lib/portage</code> carries the setgid bit, which is exactly what the log line reports as "denied chmod +s". Fix it permanently by editing:

{{Root|<nowiki>
# vi /etc/sysctl.conf
</nowiki>}}

and adding:

{{Root|<nowiki>
# enable chmod in chroot
kernel.grsecurity.chroot_deny_chmod = 0
</nowiki>}}

then reload the settings with:

{{Root|<nowiki>
sysctl -p
</nowiki>}}

Keep in mind that this relaxes chroot hardening for every chroot on the build host, not just Metro's. If the host also runs chroots you do not fully trust, prefer turning the check off only for the duration of the build (<code>sysctl -w kernel.grsecurity.chroot_deny_chmod=0</code> before, <code>=1</code> afterwards). Also note that once <code>kernel.grsecurity.grsec_lock</code> has been set to 1, the grsecurity sysctls cannot be changed again until reboot.

[[Category:Metro]]

Latest revision as of 16:03, 8 January 2012

= SFTP Only Access =

== Context ==

In some cases it is useful to set up an account on your Funtoo box for a user who:

* does not see the whole contents of the machine but instead remains "jailed" in a home directory
* is able to transfer files back and forth to the box via SFTP
* does not have access to a shell

Such an SFTP-only access is easy to set up:

# Assign a group (e.g. ''sftponly'') to the users that must be restricted to an SFTP-only account
# Adjust the OpenSSH configuration so that users belonging to your SFTP-only group are given chrooted access
# Make OpenSSH ignore any command other than running the SFTP server for users belonging to your SFTP-only group (this is where the trick lies!)

== Quick start ==

First, a dedicated group must be created. For the sake of the example we use ''sftponly'' here; use whatever name fits your preferences:

<console>
###i## groupadd sftponly
</console>

Next, in the OpenSSH server configuration (<code>/etc/ssh/sshd_config</code>), find:

<pre>
Subsystem      sftp    /usr/lib64/misc/sftp-server
</pre>

and change it to:

<pre>
Subsystem      sftp    internal-sftp
</pre>

Now the $100 question: ''"how can OpenSSH be told to restrict a user to a plain SFTP session?"'' Simple! Assuming that ''sftponly'' is the group you use for your restricted users, add the following statement to <code>/etc/ssh/sshd_config</code>:

<pre>
# Restricted users: no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
</pre>

Two things bite people here:

* A <code>Match</code> block extends to the next <code>Match</code> line or to the end of the file, so put it at the very end of <code>sshd_config</code>; any global directive placed after it silently becomes part of the block.
* sshd checks the <code>ChrootDirectory</code> before entering it: the directory and every parent up to <code>/</code> must be owned by root and must not be writable by group or others, otherwise the login is refused with "bad ownership or modes for chroot directory". With <code>/home/%u</code> as the chroot, the user's home therefore belongs to root and is read-only for the user; give the user a subdirectory inside it (e.g. <code>/home/bob/upload</code>) that they own to write into.

Check the result with <code>sshd -t</code> before restarting the daemon, and keep an existing SSH session open while you do so.

To understand how it works, you must be aware that when you open an SSH session, the sshd process launches a process on the server side, which could be:

* a shell => <code>ssh login@host</code>
* a dedicated file-transfer server (sftp-server) => <code>sftp user@host</code>

<code>ForceCommand internal-sftp</code> replaces whatever the client asked for with the SFTP server built into sshd itself, so the user never gets a shell; and because that server runs inside the sshd process, the chroot needs no support files of its own (no binaries, no libraries). That is also why the <code>Subsystem</code> line was switched to <code>internal-sftp</code>.

[[Category:HOWTO]]
