Nreal (Apprentice)
Joined: 06 Jan 2009, Posts: 268
Posted: Sat Jan 20, 2024 5:09 pm    Post subject: [Solved] SSH jail
Jail user cannot use gftp or map a directory with caja or thunar without

Code:
    ChrootDirectory /home/chroot/home/chroot
    ForceCommand internal-sftp

But ForceCommand internal-sftp prevents everyone from logging in with ssh.
Without ForceCommand internal-sftp the jail user can also log in with ssh,
but cannot use graphical tools like gftp or..
So how can I enable both for the ssh jail user?
Last edited by Nreal on Sat Jan 20, 2024 6:52 pm; edited 3 times in total

Hu (Administrator)
Joined: 06 Mar 2007, Posts: 21856
Posted: Sat Jan 20, 2024 5:48 pm
Could you explain the intended scenarios more clearly? For each of these combinations, what should happen?
- jail-user ssh machine: expect fail, yes?
- jail-user sftp machine: expect succeed?
- jail-user thunar sftp://machine: expect succeed, or do not care?
- normal-user ssh machine: expect succeed?
- normal-user sftp machine: expect succeed?
Assuming all that is correct, then with the exception of Thunar (on which I cannot comment), it looks like using ForceCommand internal-sftp inside Match User jail-user ought to do what you want.

Nreal (Apprentice)
Joined: 06 Jan 2009, Posts: 268
Posted: Sat Jan 20, 2024 5:54 pm
Hu wrote:
    Could you explain the intended scenarios more clearly? For each of these combinations, what should happen?
    - jail-user ssh machine: expect fail, yes?
    - jail-user sftp machine: expect succeed?
    - jail-user thunar sftp://machine: expect succeed, or do not care?
    - normal-user ssh machine: expect succeed?
    - normal-user sftp machine: expect succeed?
    Assuming all that is correct, then with the exception of Thunar (on which I cannot comment), it looks like using ForceCommand internal-sftp inside Match User jail-user ought to do what you want.
But Match User jail-user does not work, as PAM prevents it?
I have this in /etc/ssh/sshd_config.d/9999999gentoo-pam.conf

Code:
    UsePAM yes
    # This interferes with PAM.
    PasswordAuthentication yes
    # PAM can do its own handling of MOTD.
    PrintMotd yes
    PrintLastLog yes

But it does not work; what am I doing wrong?

Hu (Administrator)
Joined: 06 Mar 2007, Posts: 21856
Posted: Sat Jan 20, 2024 6:00 pm
You are not showing your full configuration, nor explaining your goal in enough detail. I see nothing in man sshd_config that would support the idea that you cannot use PAM in an sshd that matches specific users.

Nreal (Apprentice)
Joined: 06 Jan 2009, Posts: 268
Posted: Sat Jan 20, 2024 6:06 pm
Hu wrote:
    You are not showing your full configuration, nor explaining your goal in enough detail. I see nothing in man sshd_config that would support the idea that you cannot use PAM in an sshd that matches specific users.

Code:
    # override default of no subsystems
    Subsystem sftp /usr/lib64/misc/sftp-server
    Match User [liukka]
    ChrootDirectory /home/chroot/home/chroot
    ForceCommand internal-sftp

Code:
    jimms /home/markus # /etc/init.d/sshd reload
    /etc/ssh/sshd_config.d/9999999gentoo-pam.conf line 1: Directive 'UsePAM' is not allowed within a Match block
    jimms /home/markus #

Hu (Administrator)
Joined: 06 Mar 2007, Posts: 21856
Posted: Sat Jan 20, 2024 6:25 pm
Yes, you cannot use UsePAM inside a Match block. Do not do that. Put your Match block after the UsePAM directive.
You could also try Match All, but I am unclear from the documentation whether that counts as not being in a match block for this purpose.

Nreal (Apprentice)
Joined: 06 Jan 2009, Posts: 268
Posted: Sat Jan 20, 2024 6:31 pm
Hu wrote:
    Yes, you cannot use UsePAM inside a Match block. Do not do that. Put your Match block after the UsePAM directive.
    You could also try Match All, but I am unclear from the documentation whether that counts as not being in a match block for this purpose.
Yes, that was it. I moved it below Include "/etc/ssh/sshd_config.d/*.conf" and now sshd reloads, but I cannot use caja to map a drive with that matched user...
Actually, now it works, after commenting out ForceCommand internal-sftp:

Code:
    #ForceCommand internal-sftp

Thank you, this works now.
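The ordering rule Hu describes can be checked before touching a running sshd: once a Match line has been read, every following directive belongs to that Match block, including directives in any file pulled in by an Include placed after it, and UsePAM (like PrintMotd, PrintLastLog and Subsystem) is not among the keywords sshd_config(5) permits there. The linter below is an added example, not code from this thread or from OpenSSH. It models that rule with the keyword list from sshd_config(5) for OpenSSH 9.x, reproduces the error message the original poster saw when the Match block sat above the Include line, and reports a clean result once the block is moved below it. The in-memory sample files, the user name jail-user and the chroot path /home/chroot are constructed for the example.

```python
"""sshd_config ordering linter (constructed example, not OpenSSH code).

Models one rule from sshd_config(5): after a Match line, every following
directive belongs to that Match block, including directives in files pulled
in by an Include placed after it, and only a fixed subset of keywords is
permitted there.  UsePAM, PrintMotd, PrintLastLog and Subsystem are not in
that subset, so a Match block placed above
    Include "/etc/ssh/sshd_config.d/*.conf"
makes sshd reject the configuration.
"""
from __future__ import annotations

import shlex
from fnmatch import fnmatch
from typing import Dict, List, Tuple

# Keywords sshd_config(5) (OpenSSH 9.x) permits inside a Match block.
MATCH_ALLOWED = {k.lower() for k in """
AcceptEnv AllowAgentForwarding AllowGroups AllowStreamLocalForwarding
AllowTcpForwarding AllowUsers AuthenticationMethods AuthorizedKeysCommand
AuthorizedKeysCommandUser AuthorizedKeysFile AuthorizedPrincipalsCommand
AuthorizedPrincipalsCommandUser AuthorizedPrincipalsFile Banner
CASignatureAlgorithms ChannelTimeout ChrootDirectory ClientAliveCountMax
ClientAliveInterval DenyGroups DenyUsers DisableForwarding ExposeAuthInfo
ForceCommand GatewayPorts GSSAPIAuthentication HostbasedAcceptedAlgorithms
HostbasedAuthentication HostbasedUsesNameFromPacketOnly IgnoreRhosts Include
IPQoS KbdInteractiveAuthentication KerberosAuthentication LogLevel
MaxAuthTries MaxSessions PasswordAuthentication PermitEmptyPasswords
PermitListen PermitOpen PermitRootLogin PermitTTY PermitTunnel PermitUserRC
PubkeyAcceptedAlgorithms PubkeyAuthentication PubkeyAuthOptions RekeyLimit
RevokedKeys RDomain SetEnv StreamLocalBindMask StreamLocalBindUnlink
TrustedUserCAKeys UnusedConnectionTimeout X11DisplayOffset X11Forwarding
X11UseLocalhost
""".split()}

Finding = Tuple[str, int, str]  # (file, line number, message)


def lint(main_file: str, files: Dict[str, str]) -> List[Finding]:
    """Walk the configuration in sshd's reading order, expanding Include
    globs against the in-memory file set, and report every directive that
    is not permitted once a Match block has been opened."""
    findings: List[Finding] = []
    in_match = False

    def walk(name: str) -> None:
        nonlocal in_match
        for lineno, raw in enumerate(files[name].splitlines(), 1):
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            if key == "match":
                in_match = True  # every later line now belongs to a Match block
                continue
            if in_match and key not in MATCH_ALLOWED:
                findings.append((name, lineno,
                                 f"Directive '{parts[0]}' is not allowed within a Match block"))
            if key == "include":  # included files inherit the current Match state
                for pattern in shlex.split(parts[1] if len(parts) > 1 else ""):
                    for inc in sorted(f for f in files if fnmatch(f, pattern)):
                        walk(inc)

    walk(main_file)
    return findings


def report(main_file: str, files: Dict[str, str]) -> List[str]:
    """Format findings the way sshd prints them: '<file> line <n>: <message>'."""
    return [f"{f} line {n}: {msg}" for f, n, msg in lint(main_file, files)]


# Constructed sample files modelled on the thread.  The user name jail-user
# and the chroot path /home/chroot are placeholders, not values from the post.
PAM_CONF = """UsePAM yes
# This interferes with PAM.
PasswordAuthentication yes
# PAM can do its own handling of MOTD.
PrintMotd yes
PrintLastLog yes
"""
JAIL_BLOCK = """Match User jail-user
    ChrootDirectory /home/chroot
    ForceCommand internal-sftp
"""
SUBSYSTEM_LINE = "Subsystem sftp /usr/lib64/misc/sftp-server\n"
INCLUDE_LINE = 'Include "/etc/ssh/sshd_config.d/*.conf"\n'
PAM_PATH = "/etc/ssh/sshd_config.d/9999999gentoo-pam.conf"

# Match block above the Include: the PAM file is read inside the Match block.
BROKEN = {"/etc/ssh/sshd_config": SUBSYSTEM_LINE + JAIL_BLOCK + INCLUDE_LINE,
          PAM_PATH: PAM_CONF}
# Match block below the Include: the fix from the thread.
FIXED = {"/etc/ssh/sshd_config": SUBSYSTEM_LINE + INCLUDE_LINE + JAIL_BLOCK,
         PAM_PATH: PAM_CONF}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{label}: {report('/etc/ssh/sshd_config', cfg) or ['OK']}")
```

sshd stops at the first offending directive, which is why the thread only shows the UsePAM line; the linter lists PrintMotd and PrintLastLog as well, since they would fail next. On a real host, `sshd -t -f <file>` is the authoritative check and should be run before `/etc/init.d/sshd reload`. One caveat on the final fix in the thread: commenting out ForceCommand internal-sftp keeps the ChrootDirectory but no longer limits the matched user to SFTP, so the session can run whatever the chroot contains, a shell included if one is present; the contents of the chroot then become the security boundary rather than the sshd directive.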