Gentoo Forums
[Solved] SSH jail
Nreal (Apprentice; joined 06 Jan 2009; 268 posts)
Posted: Sat Jan 20, 2024 5:09 pm    Post subject: [Solved] SSH jail

The jail user cannot use gftp or map a directory with caja or thunar without

Code:
ChrootDirectory /home/chroot/home/chroot
ForceCommand internal-sftp

But
Code:
ForceCommand internal-sftp
prevents everyone from logging in with ssh.

Without
Code:
ForceCommand internal-sftp
the jail user can also log in with ssh,
but cannot use a graphical tool like gftp or..

So how can I enable both for the ssh jail user?


Hu (Administrator; joined 06 Mar 2007; 21842 posts)
Posted: Sat Jan 20, 2024 5:48 pm

Could you explain the intended scenarios more clearly? For each of these combinations, what should happen?
  • jail-user ssh machine: expect fail, yes?
  • jail-user sftp machine: expect succeed?
  • jail-user thunar sftp://machine: expect succeed, or do not care?
  • normal-user ssh machine: expect succeed?
  • normal-user sftp machine: expect succeed?
Assuming all that is correct, then with the exception of Thunar (on which I cannot comment), it looks like using ForceCommand internal-sftp inside Match User jail-user ought to do what you want.
Nreal (Apprentice; joined 06 Jan 2009; 268 posts)
Posted: Sat Jan 20, 2024 5:54 pm

Hu wrote:
Could you explain the intended scenarios more clearly? For each of these combinations, what should happen?
  • jail-user ssh machine: expect fail, yes?
  • jail-user sftp machine: expect succeed?
  • jail-user thunar sftp://machine: expect succeed, or do not care?
  • normal-user ssh machine: expect succeed?
  • normal-user sftp machine: expect succeed?
Assuming all that is correct, then with the exception of Thunar (on which I cannot comment), it looks like using ForceCommand internal-sftp inside Match User jail-user ought to do what you want.


But Match User jail-user does not work as PAM prevents it?

I have this in /etc/ssh/sshd_config.d/9999999gentoo-pam.conf

Code:
UsePAM yes
# This interferes with PAM.
PasswordAuthentication yes
# PAM can do its own handling of MOTD.
PrintMotd yes
PrintLastLog yes


But it does not work; what am I doing wrong?
Hu (Administrator; joined 06 Mar 2007; 21842 posts)
Posted: Sat Jan 20, 2024 6:00 pm

You are not showing your full configuration, nor explaining your goal in enough detail. I see nothing in man sshd_config that would support the idea that you cannot use PAM in an sshd that matches specific users.
Nreal (Apprentice; joined 06 Jan 2009; 268 posts)
Posted: Sat Jan 20, 2024 6:06 pm

Hu wrote:
You are not showing your full configuration, nor explaining your goal in enough detail. I see nothing in man sshd_config that would support the idea that you cannot use PAM in an sshd that matches specific users.


Code:
# override default of no subsystems
Subsystem       sftp    /usr/lib64/misc/sftp-server

Match User [liukka]
ChrootDirectory /home/chroot/home/chroot
ForceCommand internal-sftp
Code:
jimms /home/markus # /etc/init.d/sshd reload
/etc/ssh/sshd_config.d/9999999gentoo-pam.conf line 1: Directive 'UsePAM' is not allowed within a Match block
jimms /home/markus #
Hu (Administrator; joined 06 Mar 2007; 21842 posts)
Posted: Sat Jan 20, 2024 6:25 pm

Yes, you cannot use UsePAM inside a Match block. Do not do that. Put your Match block after the UsePAM directive.

You could also try Match All, but I am unclear from the documentation whether that counts as not being in a match block for this purpose.
Nreal (Apprentice; joined 06 Jan 2009; 268 posts)
Posted: Sat Jan 20, 2024 6:31 pm

Hu wrote:
Yes, you cannot use UsePAM inside a Match block. Do not do that. Put your Match block after the UsePAM directive.

You could also try Match All, but I am unclear from the documentation whether that counts as not being in a match block for this purpose.


Yes, that was it; I moved it below
Code:
Include "/etc/ssh/sshd_config.d/*.conf"
and now it reloads sshd, but I cannot use caja to map a drive with that Matched user...

Actually, now it works, after commenting out
Code:
#ForceCommand internal-sftp


Thank you, this works now.
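The failure in this thread (sshd refusing to reload because the Include of sshd_config.d landed after the Match block, so UsePAM was read as part of that block) can be caught before touching the running daemon. The following is an added example, not code from the thread or from OpenSSH: a POSIX sh script that expands Include lines the way sshd does (in place, recursively) and reports global-only directives that end up under a Match line. The partial keyword list, the SSHD_CONFDIR variable, the constructed sample configs and the user name jail-user are assumptions of the example; the authoritative check remains sshd -t.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. sshd inlines each Include
# at the point where it appears, so an Include placed below a "Match User ..."
# line drags the included directives into that Match block and sshd then stops
# with "Directive 'UsePAM' is not allowed within a Match block".

# Print the config with every Include expanded in place (recursive).
# Relative Include patterns resolve against $SSHD_CONFDIR (assumed /etc/ssh).
expand_sshd_config() {
    conf=$1
    while IFS= read -r line || [ -n "$line" ]; do
        kw=$(printf '%s\n' "$line" | awk '{ print tolower($1) }')
        if [ "$kw" = include ]; then
            # drop the keyword and any quotes; sshd accepts several patterns per line
            args=$(printf '%s\n' "$line" | awk '{ $1 = ""; gsub(/"/, ""); print }')
            set -f                      # keep patterns literal until they are anchored
            for pat in $args; do
                case "$pat" in
                    /*) ;;
                    *) pat="${SSHD_CONFDIR:-/etc/ssh}/$pat" ;;
                esac
                set +f                  # now expand the absolute glob
                for f in $pat; do
                    [ -f "$f" ] && expand_sshd_config "$f"
                done
                set -f
            done
            set +f
        else
            printf '%s\n' "$line"
        fi
    done < "$conf"
}

# Exit 1 and name each offending directive if a global-only keyword appears
# after a Match line; exit 0 silently otherwise. The keyword list is partial
# (assumption), taken from the files in this thread; man sshd_config lists the
# keywords that ARE permitted inside Match. Every Match line, "Match all"
# included, is treated conservatively as opening a block.
check_match_scope() {
    expand_sshd_config "$1" | awk '
        BEGIN {
            global_only["usepam"] = 1; global_only["printmotd"] = 1
            global_only["printlastlog"] = 1; global_only["subsystem"] = 1
            bad = 0; scope = ""
        }
        /^[ \t]*(#|$)/ { next }                        # comments and blank lines
        tolower($1) == "match" { scope = $0; next }    # entering a Match block
        scope != "" && (tolower($1) in global_only) {
            printf "Directive %s is not allowed within a Match block (under \"%s\")\n", $1, scope
            bad = 1
        }
        END { exit bad }'
}

# Constructed sample layouts (not files from the thread's host): the broken order
# with Include below the Match block, then the corrected one with Include first.
# Returns 0 when the broken layout is flagged and the fixed one is accepted.
demo_check() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sshd_config.d"
    printf 'UsePAM yes\nPrintMotd yes\nPrintLastLog yes\n' \
        > "$tmp/sshd_config.d/9999999gentoo-pam.conf"
    printf 'Subsystem sftp internal-sftp\nMatch User jail-user\n    ChrootDirectory /home/chroot\n    ForceCommand internal-sftp\nInclude "%s/sshd_config.d/*.conf"\n' \
        "$tmp" > "$tmp/broken.conf"
    printf 'Include "%s/sshd_config.d/*.conf"\nSubsystem sftp internal-sftp\nMatch User jail-user\n    ChrootDirectory /home/chroot\n    ForceCommand internal-sftp\n' \
        "$tmp" > "$tmp/fixed.conf"
    broken_rc=0; check_match_scope "$tmp/broken.conf" || broken_rc=$?
    fixed_rc=0;  check_match_scope "$tmp/fixed.conf"  || fixed_rc=$?
    rm -rf "$tmp"
    [ "$broken_rc" -eq 1 ] && [ "$fixed_rc" -eq 0 ]
}

demo_check && echo "demo: broken layout flagged, fixed layout accepted"
```

Run it as-is to see the constructed demo, or call check_match_scope /etc/ssh/sshd_config on a real host to confirm that every Include of a drop-in directory sits above the first Match line; an exit status of 1 plus the printed directive name is the same condition sshd reported in this thread.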