Question

Red Hat Linux chroot to restrict a user to its home directory using PAM

Asked by: teamsunarc

Hello,

I am trying to restrict users to their home directory when they log in remotely through sftp. I have followed all the steps specified in the following URL.

http://knol.google.com/k/dirk-h-schulz/chrooting-sftp/2bcee0ik2900p/14#.

But the user can still traverse the directory system. I have set root permissions on individual directories so he cannot get those directory listings, but he can see all the directories in /.

Please help me to get rid of this problem. It's very urgent.

Thanks!  


Asked on 2009-08-05 at 04:41:02 (ID 24627640)
Tags: chroot, linux


Answers

 

by: RBEIMS, posted on 2009-08-05 at 04:57:35, ID: 25022333

Can you put an excerpt from your log file when a user logs on? Are you sure you added the user in the /etc/chroot.conf file?
I ask this because once you are chrooted into a new directory, you have no means to go to the default system root and list directories or files. You are confined to the jail.
You would have to find what could be going wrong so that the users are not being chrooted as they should be when they log in.

 

by: teamsunarc, posted on 2009-08-05 at 23:36:06, ID: 25030608

Hello guys,

Thanks for your reply.

I am using the openssh-4.3p2-4.12.fc5 version of openssh.

I have created a new user named 'sftpfred' using the command: useradd -s /bin/false -m -d /home/sftpfred -c "Fred SFTP" -g testadmin sftpfred

I have added that to the chroot.conf file. Now when I tried to log in as that user it was not letting me log in. I have attached the file contents as a code snippet that may help you to resolve this.

Thanks Again!

log/message file
===========================================================
Aug  6 10:44:19 linux sshd[3557]: Accepted password for sftpfred from 10.0.0.11 port 1218 ssh2
Aug  6 10:44:19 linux sshd[3560]: pam_unix(sshd:session): session opened for user sftpfred by (uid=0)
Aug  6 10:44:19 linux sshd[3560]: pam_chroot(sshd:session): /var/chroot/home/sftpfred is writable by non-root
Aug  6 10:44:19 linux sshd[3560]: subsystem request for sftp
Aug  6 10:44:19 linux sshd[3560]: pam_unix(sshd:session): session closed for user sftpfred
===================================================================
 
etc/security/chroot.conf
 
====================================================================
# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home
sftpfred                /var/chroot/home/sftpfred
=====================================================================
 
sshd_config
=====================================================================
Subsystem sftp /usr/libexec/openssh/sftp-server
====================================================================
                                              

 

by: RBEIMS, posted on 2009-08-06 at 02:57:02, ID: 25031549

I think that you can't create a user for sftp and give it a "false" shell. In my previous attempts to do that, I couldn't login either. The user must have a valid shell to log in even if it is not logging in to do interactive commands.
If you are concerned about security, you could use a "secure ssh" shell like this:
http://dragontoe.org/rssh/

Remember that the shell you use must be available inside the chroot jail, because if everything is configured correctly it's inside the jail that the system will look for the binary.

 

by: teamsunarc, posted on 2009-08-06 at 03:24:44, ID: 25031694

Hello,

Is it required to use rssh?

I have tried with two users. I have attached their settings in the code snippet. Now when I log in as testadmin using sftp testadmin@localhost it lets me log in, but I can traverse the directory system, and when I log in as sftpfred it shows me the following error.

Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer

This is strange. The only difference between these users is that testadmin was created before the jail was established.

Please let me know what I am doing wrong. I will be checking comments frequently as it is urgent.

Thanks!

/log/secure/
========================================================================
Aug  6 14:58:03 linux sshd[7410]: pam_unix(sshd:session): session opened for user testadmin by (uid=0)
Aug  6 14:58:03 linux sshd[7410]: pam_chroot(sshd:session): /var/chroot/home/testadmin is writable by non-root
Aug  6 14:58:03 linux sshd[7410]: subsystem request for sftp
Aug  6 14:59:18 linux sshd[7410]: pam_unix(sshd:session): session closed for user testadmin
Aug  6 14:59:24 linux sshd[7462]: Accepted password for sftpfred from 127.0.0.1 port 60821 ssh2
Aug  6 14:59:24 linux sshd[7466]: pam_unix(sshd:session): session opened for user sftpfred by (uid=0)
Aug  6 14:59:24 linux sshd[7466]: pam_chroot(sshd:session): chroot(/var/chroot/home/sftpfred) succeeded
Aug  6 09:29:24 linux sshd[7466]: pam_env(sshd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Aug  6 09:29:24 linux sshd[7466]: subsystem request for sftp
=======================================================================
 
chroot.conf file
=========================================================================
# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home
sftpfred                /var/chroot/home/sftpfred
testadmin               /var/chroot/home/testadmin
=========================================================================
 
/etc/passwd file
=========================================================================
testadmin:DA8007qfqTqXg:503:504::/var/chroot/home/testadmin/:/bin/bash
sftpfred:y9nzz5SSvYPbA:504:504:Fred SFTP:/home/sftpfred:/bin/bash
========================================================================

                                              

 

by: RBEIMS, posted on 2009-08-06 at 04:16:31, ID: 25031991

You can see that the first user is not getting chrooted as the pam_chroot module is complaining that the user's home directory is writable by non-root. Just changing the permissions to deny writing by anyone other than root should correct that.
For the second user, apparently there is a problem in the PAM chain. The pam_env module isn't finding its configuration file.
You can remove pam_env from the chain just to test, or find out why the module can't find its configuration.
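As an added example (not code from the thread), a small Python script that classifies the pam_chroot outcome of each sshd session in log lines of the format posted above, and stat()s a candidate jail directory for the condition pam_chroot refused, then applies the permission fix. The log lines are a constructed sample modelled on the thread's /var/log/secure excerpts, and the writability rule (group- or world-writable is refused) is taken from the logged message, not from pam_chroot's source.

```python
import os
import re
import stat
import tempfile

# Constructed sample, modelled on the /var/log/secure excerpts in the thread.
SAMPLE_LOG = """\
Aug  6 14:58:03 linux sshd[7410]: pam_unix(sshd:session): session opened for user testadmin by (uid=0)
Aug  6 14:58:03 linux sshd[7410]: pam_chroot(sshd:session): /var/chroot/home/testadmin is writable by non-root
Aug  6 14:58:03 linux sshd[7410]: subsystem request for sftp
Aug  6 14:59:24 linux sshd[7466]: pam_unix(sshd:session): session opened for user sftpfred by (uid=0)
Aug  6 14:59:24 linux sshd[7466]: pam_chroot(sshd:session): chroot(/var/chroot/home/sftpfred) succeeded
Aug  6 14:59:24 linux sshd[7466]: subsystem request for sftp
Aug  6 15:01:00 linux sshd[7500]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Aug  6 15:01:00 linux sshd[7500]: subsystem request for sftp
"""

# The sshd child pid ties the pam_unix and pam_chroot lines of one session together.
OPENED = re.compile(r"sshd\[(\d+)\]: pam_unix\(sshd:session\): session opened for user (\S+)")
CHROOT_OK = re.compile(r"sshd\[(\d+)\]: pam_chroot\(sshd:session\): chroot\(([^)]+)\) succeeded")
CHROOT_WRITABLE = re.compile(r"sshd\[(\d+)\]: pam_chroot\(sshd:session\): (\S+) is writable by non-root")


def classify_sessions(log_text):
    """Return {pid: (user, status, jail)} for every opened sshd session.

    status is 'chrooted', 'refused_writable', or 'not_chrooted' when no
    pam_chroot line appears at all (the user matched nothing in chroot.conf,
    or pam_chroot is not in the session stack). A 'not_chrooted' sftp user
    sees the whole filesystem, which is the symptom the question describes.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = OPENED.search(line)
        if m:
            sessions[m.group(1)] = [m.group(2), "not_chrooted", None]
            continue
        m = CHROOT_OK.search(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)][1:] = ["chrooted", m.group(2)]
            continue
        m = CHROOT_WRITABLE.search(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)][1:] = ["refused_writable", m.group(2)]
    return {pid: tuple(v) for pid, v in sessions.items()}


def jail_dir_problems(path):
    """Reasons a directory would be refused as a jail root.

    The writability rule mirrors the logged message: group or world write
    permission is refused. Root ownership is reported too, because a jail
    root the user owns can be renamed or replaced from outside the jail.
    """
    st = os.stat(path)
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by non-root (mode %o)" % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        problems.append("not owned by root (uid %d)" % st.st_uid)
    return problems


def fixed_mode(mode):
    """The fix RBEIMS describes: drop only the group and other write bits."""
    return stat.S_IMODE(mode) & ~(stat.S_IWGRP | stat.S_IWOTH)


def demo_jail_fix():
    """Make a scratch directory group-writable, check it, fix it, re-check.

    Returns (problems_before, problems_after). The ownership finding stays in
    both lists unless this runs as root, which is expected for a scratch dir.
    """
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o775)
        before = jail_dir_problems(tmp)
        os.chmod(tmp, fixed_mode(os.stat(tmp).st_mode))
        after = jail_dir_problems(tmp)
    return before, after


if __name__ == "__main__":
    for pid, (user, status, jail) in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(pid, user, status, jail)
    print(demo_jail_fix())
```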

 

by: teamsunarc, posted on 2009-08-06 at 05:17:01, ID: 25032350

I have commented out pam_env.so in the chain but I have not got any clue yet. It is showing the same error:

Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer

Please see the attached snippet. Is there any other configuration file that I need to change?

/log/secure/
=======================================================================
Aug  6 16:58:49 sunlinux sshd[10901]: Accepted password for testadmin from 10.0.0.11 port 3703 ssh2
Aug  6 16:58:49 sunlinux sshd[10903]: pam_unix(sshd:session): session opened for user testadmin by (uid=0)
Aug  6 16:58:49 sunlinux sshd[10903]: pam_chroot(sshd:session): chdir(/var/chroot/home/testadmin) succeeded
Aug  6 16:58:49 sunlinux sshd[10903]: pam_chroot(sshd:session): chroot(/var/chroot/home/testadmin) succeeded
Aug  6 11:28:49 sunlinux sshd[10903]: subsystem request for sftp
 
/etc/pam.d/system-auth-ac
==================================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        required      pam_deny.so
 
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so nullok try_first_pass use_authtok
password    required      pam_deny.so
 
session     required      pam_limits.so
session     required      pam_unix.so
====================================================================
                                              

 

by: it4soho, posted on 2009-08-06 at 10:02:25, ID: 25035633

If you don't want a chroot jail, you can always just change the / folder's permissions to remove READ permission.

[Quick review of Directory Permissions in Linux]
 Part 1 - understand that a directory is nothing but a table that points a name to an inode within a filesystem
 Part 2 - To see the names (list them), you must have READ permission
 Part 3 - To use the name to get an INODE value (and thus, access the file), you need EXECUTE permission
 Part 4 - To add, remove, or change the name of a file in the directory, you need WRITE permission
[end review]

So, with the above in mind, it is SAFE to remove READ permission from / (and any other system folders)

BUT -- if you also remove execute permissions, your system will crash like an insurance commission car! (nothing but root processes will be able to open ANYTHING on your filesystem), so don't go overboard!

BTW: If you're a smart admin, you'll have yourself in some admins group -- you can safely "chgrp admins /" to make sure you (and any other admins) can still read (run ls on) the / directory!

Just my thoughts... I try not to overthink these things!

Dan
IT4SOHO

 

by: it4soho, posted on 2009-08-06 at 10:03:43, ID: 25035647

BTW: the command to do the above is simply (as root):

    chmod o-r /

Dan
IT4SOHO

 

by: teamsunarc, posted on 2009-08-07 at 04:34:26, ID: 25041609

Hello,

Now I am doing this using rssh. It worked fine on my local machine, but when I tried the same on the server it is not working. It just shows connection closed.

I have attached log and rssh.conf snippets.

Please help me!

Thanks!

/log/message/
================
Aug  7 18:54:34 prod rssh[2878]: setting log facility to LOG_USER
Aug  7 18:54:34 prod rssh[2878]: allowing sftp to all users
Aug  7 18:54:34 prod rssh[2878]: setting umask to 022
Aug  7 18:54:34 prod rssh[2878]: chrooting all users to /usr/chroot
Aug  7 18:54:34 prod rssh[2878]: line 44: configuring user testuser
Aug  7 18:54:34 prod rssh[2878]: setting testuser's umask to 011
Aug  7 18:54:34 prod rssh[2878]: allowing sftp to user testuser
Aug  7 18:54:34 prod rssh[2878]: chrooting testuser to /usr/chroot/home/testuser
Aug  7 18:54:34 prod rssh[2878]: chroot cmd line: /usr/local/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
//===================
 
/log/secure/
==========================
Aug  7 18:54:34 prod sshd[2874]: Accepted password for testuser from 127.0.0.1 port 54519 ssh2
Aug  7 18:54:34 prod sshd[2877]: subsystem request for sftp
=======================
 
rssh.conf
==========================
# This is the default rssh config file
 
# set the log facility.  "LOG_USER" and "user" are equivalent.
logfacility = LOG_USER
 
# Leave these all commented out to make the default action for rssh to lock
# users out completely...
 
#allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
 
# set the default umask
umask = 022
 
# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = "/usr/chroot"
 
//===================
                                              

 

by: RBEIMS, posted on 2009-08-07 at 04:56:06, ID: 25041733

"Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer"

This could be because there are not enough permissions to execute the sftp-server.
Look for the permissions of the sftp-server binary inside your chroot jail. Also have a look at the permissions of the directory that the sftp-server binary is contained in.

 

by: teamsunarc, posted on 2009-08-07 at 09:52:37, ID: 25044737

Hello,

As I am using rssh now, I am still not able to connect through sftp on my server machine, but I am able to do that on my local machine. The server machine shows just a "connection closed" error. I have also looked at the log but there is no error message.

I have attached two files: the first one for sftp as testuser with chrooting, which generates the error, and the second for sftp as root without chrooting.

Please let me know how I can troubleshoot this error.

Thanks!

// sftp -vv testuser@serverIP
===================================
Connecting to IP Addess...
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to IP Addess [IP Addess] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 112/256
debug2: bits set: 511/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'IP Addess' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug2: bits set: 499/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
 
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
 
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
 
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
testuser@IP Addess's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
Connection closed
==================================
 
// sftp -vv root@IP Address
===================================
Connecting to IP Address...
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to IP Address [IP Address] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 144/256
debug2: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'IP Address' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug2: bits set: 504/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
 
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
 
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
 
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@IP Address's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug2: Remote version: 3
==================================

                                              

 

by: RBEIMS, posted on 2009-08-07 at 10:27:53, ID: 25045065

OK, so the first user will be chrooted to your jail, while the root user is not. I think that there is something missing inside the jail.
As already mentioned, you have to have all the tools and libs necessary for the correct functionality of sftp / rssh inside the jail. There is no way that any file outside the jail will be accessed, so if anything is missing, the connection will fail.
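As an added example (not from the thread, rssh or OpenSSH), a Python checker for what RBEIMS describes: given the jail root, the sftp-server path from the thread's sshd_config and ldd output for that binary, it reports which files are missing from the jail and which are present but unusable by a non-root user (an unreadable library, a non-executable binary, or a parent directory without the execute bit, the read/execute distinction it4soho's permission review explains). The ldd output is a constructed sample in ldd's format; run ldd against the real binary on the host to get the true list.

```python
import os
import stat
import tempfile

# Path from the thread's sshd_config Subsystem line; inside the jail it must
# exist at <jail>/usr/libexec/openssh/sftp-server.
SFTP_SERVER = "/usr/libexec/openssh/sftp-server"

# Constructed sample shaped like `ldd` output on a 32-bit host of that era.
SAMPLE_LDD = """\
\tlinux-gate.so.1 =>  (0x00110000)
\tlibcrypto.so.6 => /lib/libcrypto.so.6 (0x00b8f000)
\tlibutil.so.1 => /lib/libutil.so.1 (0x00a8a000)
\tlibz.so.1 => /usr/lib/libz.so.1 (0x00a54000)
\tlibc.so.6 => /lib/libc.so.6 (0x00873000)
\t/lib/ld-linux.so.2 (0x00852000)
"""


def parse_ldd(text):
    """Absolute paths named in ldd output; the vDSO line has none and is skipped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        target = line.split("=>", 1)[1].strip() if "=>" in line else line
        if target.startswith("/"):
            paths.append(target.split()[0])
    return paths


def in_jail(jail, path):
    """Map an absolute path as seen inside the jail to its location on the host."""
    return os.path.join(jail, path.lstrip("/"))


def jail_report(jail, binary, ldd_text):
    """Check the binary and each library it needs, as the jailed user sees them.

    Only the 'other' permission bits are consulted: the sftp user is neither
    root nor the owner of system files copied into the jail, and os.access()
    would answer for the user running this script instead.
    """
    report = {"missing": [], "unreadable": [], "not_executable": [], "dir_not_traversable": set()}
    for path in [binary] + parse_ldd(ldd_text):
        full = in_jail(jail, path)
        if not os.path.exists(full):
            report["missing"].append(path)
            continue
        mode = os.stat(full).st_mode
        if not mode & stat.S_IROTH:            # the loader must be able to read libraries
            report["unreadable"].append(path)
        if path == binary and not mode & stat.S_IXOTH:
            report["not_executable"].append(path)
        # Reaching the file needs 'x' (not 'r') on every directory above it.
        parent = os.path.dirname(path)
        while parent not in ("", "/"):
            if not os.stat(in_jail(jail, parent)).st_mode & stat.S_IXOTH:
                report["dir_not_traversable"].add(parent)
            parent = os.path.dirname(parent)
    report["dir_not_traversable"] = sorted(report["dir_not_traversable"])
    return report


def place(jail, path, mode):
    """Create an empty stand-in for `path` inside a scratch jail with `mode`."""
    full = in_jail(jail, path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w"):
        pass
    os.chmod(full, mode)


def demo():
    """A scratch jail missing two libraries, with /usr/lib locked down for others."""
    with tempfile.TemporaryDirectory() as jail:
        for path in (SFTP_SERVER, "/lib/libc.so.6", "/lib/ld-linux.so.2"):
            place(jail, path, 0o755)
        place(jail, "/usr/lib/libz.so.1", 0o600)      # present but unreadable by others
        for d in ("/usr", "/usr/libexec", "/usr/libexec/openssh", "/lib"):
            os.chmod(in_jail(jail, d), 0o755)         # explicit, independent of the umask
        os.chmod(in_jail(jail, "/usr/lib"), 0o700)    # others cannot traverse it
        return jail_report(jail, SFTP_SERVER, SAMPLE_LDD)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```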

 

by: teamsunarc, posted on 2009-08-08 at 01:29:42, ID: 31611863

There was no exact solution given. I had to do more R&D for this, but yes, it guided me.
