On Fri, Jul 21, 2006 at 03:06:10PM +0800, Matt Johnston wrote:
> On Fri, Jul 21, 2006 at 06:57:30PM +1200, Karl. wrote:
> > I've recently been setting up an rssh chroot for securely 'sharing' some
> > files via sftp - it's working fine with openssh, but I haven't yet got
> > it going with dropbear.
>
> I can't think of any intrinsic reason why it shouldn't work
> though I haven't looked that closely at how rssh works.
> Does it fail with a particular error message?

OK. After the encouragement of being told it should work, I managed to find
the problem while gathering the documentation for my "Why doesn't it work?"
email :-)

Here's the relevant info:

Right now I'm running a dropbear server on one port and an openssh one on
another port. Both are nonstandard port numbers. Both daemons are working
for ssh shell logins. I only allow public key auth, with the relevant key
loaded into ssh-agent.

Running Debian Testing with dropbear 0.48.1-1 and openssh 1:4.3p2-2

==== on the openssh port:

$ sftp -o Port=44444 [EMAIL PROTECTED]
Connecting to 192.168.1.6...
sftp>

==== on the dropbear port:

$ sftp -o Port=33333 [EMAIL PROTECTED]
Connecting to 192.168.1.6...
This account is restricted by rssh.
Allowed commands: sftp

If you believe this is in error, please contact your system administrator.
Connection closed

==== syslog for openssh attempt shows:

Jul 27 16:02:06 localhost rssh[5305]: setting log facility to LOG_USER
Jul 27 16:02:06 localhost rssh[5305]: allowing sftp to all users
Jul 27 16:02:06 localhost rssh[5305]: setting umask to 022
Jul 27 16:02:06 localhost rssh[5305]: chrooting all users to /home/chroot
Jul 27 16:02:06 localhost rssh[5305]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Jul 27 16:02:06 localhost rssh_chroot_helper[5305]: new session for lsa, UID=1023
Jul 27 16:02:06 localhost rssh_chroot_helper[5305]: user's home dir is /home/chroot/lsa
Jul 27 16:02:06 localhost rssh_chroot_helper[5305]: chrooted to /home/chroot
Jul 27 16:02:07 localhost rssh_chroot_helper[5305]: changing working directory to /lsa (inside jail)

==== syslog for dropbear attempt shows:

Jul 27 16:03:53 localhost rssh[6017]: setting log facility to LOG_USER
Jul 27 16:03:53 localhost rssh[6017]: allowing sftp to all users
Jul 27 16:03:53 localhost rssh[6017]: setting umask to 022
Jul 27 16:03:54 localhost rssh[6017]: chrooting all users to /home/chroot
Jul 27 16:03:54 localhost rssh[6017]: user lsa attempted to execute forbidden commands
Jul 27 16:03:54 localhost rssh[6017]: command: /usr/lib/sftp-server

====

Paying attention to the logs, I see that dropbear is trying to call the
sftp-server at usr/lib/ whilst openssh is calling it at usr/lib/openssh/ -
one is symlinked to the other, and that would be fine in normal
circumstances, but obviously it's not going to be acceptable to rssh!

Changing my sftp invocation to specify the rssh-compliant path yields the
happy result:

$ sftp -o Port=33333 -s /usr/lib/openssh/sftp-server [EMAIL PROTECTED]
Connecting to 192.168.1.6...
sftp>

So, I can connect from the command-line now. :-)

The remaining problem is when I try to connect using WinSCP or Tunnelier
(the main purpose of this rssh chroot is to allow restricted access for an
untrusted Windows box) - these gui tools don't allow me to specify a path
for sftp-server. I imagine I will need to recompile dropbear with the
altered path - I have a faint recollection of reading something about
Debian having changed some openssh paths as part of the packaging setup.

Thank you, Matt, for your encouragement and for writing dropbear :-)

Karl.
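The rejection in the dropbear syslog lines above comes down to a literal string comparison: rssh checks the command the daemon hands it against the allowed sftp-server path as text, so a symlink that resolves to the very same binary is still logged as "forbidden". The following shell script is an added example, not code from the mail, from rssh or from dropbear. It emulates that literal check, contrasts it with a readlink -f comparison (the check a practitioner runs to confirm that two names are one file), and rebuilds the Debian layout quoted in the post inside a throwaway temporary directory so it runs without a real rssh chroot. The two paths are the ones that appear in the post; the allowlist and the jail layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail, rssh or dropbear).
# Emulates the behaviour visible in the post's syslog: the command string is
# compared with the allowed sftp-server path as text, symlinks are not
# resolved, so "/usr/lib/sftp-server" is refused although it points at
# "/usr/lib/openssh/sftp-server".

# The path rssh accepted for the openssh session (from the post's syslog).
ALLOWED_SFTP="/usr/lib/openssh/sftp-server"

# Literal check: returns 0 (allowed) only on an exact textual match.
check_sftp_cmd() {
    case "$1" in
        "$ALLOWED_SFTP") return 0 ;;   # exact string: allowed
        *)               return 1 ;;   # anything else, symlink or not: forbidden
    esac
}

# Symlink-aware check: returns 0 if both names resolve to the same file.
same_file() {
    [ "$(readlink -f -- "$1")" = "$(readlink -f -- "$2")" ]
}

# Constructed stand-in for the Debian layout in the post, built under a temp
# dir so the real /usr/lib is never touched. Prints the fake root.
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/openssh"
    printf '#!/bin/sh\necho fake sftp-server\n' > "$root/usr/lib/openssh/sftp-server"
    chmod +x "$root/usr/lib/openssh/sftp-server"
    # Debian-style symlink: /usr/lib/sftp-server -> openssh/sftp-server
    ln -s openssh/sftp-server "$root/usr/lib/sftp-server"
    echo "$root"
}

# Walk both command strings through both checks and report the verdicts.
demo() {
    root=$(make_fake_root)
    for cmd in /usr/lib/openssh/sftp-server /usr/lib/sftp-server; do
        if same_file "$root$cmd" "$root$ALLOWED_SFTP"; then
            resolved="same file as $ALLOWED_SFTP"
        else
            resolved="different file"
        fi
        if check_sftp_cmd "$cmd"; then
            verdict="allowed by literal check"
        else
            verdict="forbidden by literal check"
        fi
        echo "$cmd: $resolved, $verdict"
    done
    rm -rf "$root"
}

demo
```

Both command strings resolve to the same file, yet only the exact text /usr/lib/openssh/sftp-server passes the literal check, which is exactly the split between the two syslog extracts in the post. The fix options follow from that: either make the client send the exact string (the -s option used above, which the Windows GUI clients in the post cannot do) or change what dropbear sends, which is the compile-time SFTPSERVER_PATH in dropbear's options.h.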
