Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-04 Thread Radu Radutiu
Just for the reference if you want to keep SELINUX enabled and create a new instance of sshd (with the stock CentOS 5.4 sshd) with sftp only you can do the following: -create a copy of /etc/ssh/sshd_config e.g. cp /etc/ssh/sshd_config /etc/ssh/sftpd_config -change/add the following lines in

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-04 Thread James B. Byrne
On Thu, February 4, 2010 10:08, Marc Wiatrowski wrote: Have you looked at using rssh as the users shell? You can limit the user to a chroot sftp only. It's not stock, but ssh can then be. http://dag.wieers.com/rpm/packages/rssh/ I looked at rssh briefly yesterday when someone suggested

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-04 Thread Ned Slider
James B. Byrne wrote: snip I am not sure what effect disabling SELinux support in SSH actually has from a security standpoint. So, if anyone cares to enlighten me on the consequences I would like to know. I was under the impression that sshd runs unconfined in the current CentOS?

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-04 Thread James B. Byrne
On Thu, February 4, 2010 12:00, Ned Slider wrote: I was under the impression that sshd runs unconfined in the current CentOS? $ ps axZ | grep sshd system_u:system_r:unconfined_t:SystemLow-SystemHigh 2766 ? Ss 0:00 /usr/sbin/sshd For example, you don't need to change the ssh_port in

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-04 Thread James B. Byrne
On Thu, February 4, 2010 05:28, Radu Radutiu wrote: Just for the reference if you want to keep SELINUX enabled and create a new instance of sshd (with the stock CentOS 5.4 sshd) with sftp only you can do the following: -create a copy of /etc/ssh/sshd_config e.g. cp /etc/ssh/sshd_config

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread Ned Slider
James B. Byrne wrote: Note: I am a digest subscriber so if you could copy me directly on any reply to the list I would appreciate it very much. snip After a modest amount of research we decided that the best answer was to use a more recent version of OpenSSH (5.3p1) that supports chroot as

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread James B. Byrne
On Wed, February 3, 2010 09:48, Ned Slider wrote: James B. Byrne wrote: Note: I am a digest subscriber so if you could copy me directly on any reply to the list I would appreciate it very much. snip After a modest amount of research we decided that the best answer was to use a more recent

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread William L. Maltby
On Wed, 2010-02-03 at 10:26 -0500, James B. Byrne wrote: snip So, I am left still seeking answers to my original questions. 1. Is it possible to mount the selinux filesystem twice on the same host having different roots? Mount --bind *before* the chroot environment is entered should do the

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread Dale Dellutri
On Wed, Feb 3, 2010 at 9:26 AM, James B. Byrne byrn...@harte-lyne.ca wrote: On Wed, February 3, 2010 09:48, Ned Slider wrote: James B. Byrne wrote: Note: I am a digest subscriber so if you could copy me directly on any reply to the list I would appreciate it very much. snip After

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread Kai Schaetzl
Instead, might the use of SCP (instead of sftp subsystem) and a limited shell be able to achieve your goal? I found this when googling for limited shell: http://lshell.ghantoos.org/ Look at the Use case. There's also rbash, but on first glance lshell looks quite promising. Kai -- Get your web

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread Ned Slider
James B. Byrne wrote: snip The new server software works fine for regular ssh/sftp users. However, when logging on as a member of the chroot group we obtain this error: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed snip # sestatus SELinux

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread Les Ault
On Wed, 2010-02-03 at 14:48 +, Ned Slider wrote: James B. Byrne wrote: Note: I am a digest subscriber so if you could copy me directly on any reply to the list I would appreciate it very much. snip After a modest amount of research we decided that the best answer was to use a

Re: [CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

2010-02-03 Thread James B. Byrne
On Wed, February 3, 2010 12:02, Ned Slider wrote: What happens if you enable SELinux, i.e, set it to enforcing? Do you still see the same error message above? I have rebuilt the thing without SELinux support and all seems to be working now. Since, other than the sftp user, there are only