|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
What I am trying to accomplish: * Chroot environment for file transfer isolation * Port forwarding on specific ports to allow vnc to be used under uids which are not allowed ssh access This provides an isolation between the interactive users and the file transfer users The problem: If ChrootDirectory is set for a given end user, port forwarding no longer works. The love letter from ssh is that it is "administratively prohibited". I tried using match blocks and specifying the port forwarding and ChrootDirectory in various combinations and still it does not work. The enduser experience: $ ssh -L5901:localhost:5901 ssh_host // In a separate window (just for clarity) $ vncviewer localhost:1 (or localhost:5901) // The ssh session returns the following: channel 3: open failed: administratively prohibited: open failed The system configuration: * /opt/sshjail is created to act as the file transfer depot * All ssh user accounts are in the same group, and that group has write permissions in /opt/sshjail * Accounts were created under which the vnc servers run. The are *not* in the same group as the ssh users. This prevents them from putting files in /opt/sshjail for later download. * The shell for the ssh users is a binary which simply goes to sleep for a period of time. A copy of this (static) is placed in /opt/sshjail/bin. Links for bash, csh, &c. are created in /opt/sshjail/bin to this binary. The sshd configuration: Port 22 Protocol 2 SyslogFacility AUTHPRIV LogLevel DEBUG1 PermitRootLogin no PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys HostbasedAuthentication no IgnoreRhosts yes PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no X11Forwarding no Compression delayed PermitTunnel no AllowUsers groucho chico harpo zeppo gummo #PermitOpen localhost:5901 localhost:5902 localhost:5903 localhost:5904 localhost:5905 localhost:5906 localhost:5907 localhost:5908 localhost:5909 localhost:5910 Subsystem sftp internal-sftp Match user groucho # ChrootDirectory /opt/sshjail AllowTcpForwarding yes PermitOpen localhost:5901 Match user chico ChrootDirectory /opt/sshjail Match user harpo ChrootDirectory /opt/sshjail Match user zeppo ChrootDirectory /opt/sshjail Match user gummo ChrootDirectory /opt/sshjail The environment: Openssh 5.2p1 (also tried 5.1p1) Redhat Enterprise Linux (rhel5u3) Not that it matters, but iptables and tcp wrappers are not used.
[Home] [Fedora Users] [Fedora Legacy] [Fedora Desktop] [Yosemite Photos] [Yosemite News] [Yosemite Campsites] [KDE Users] [Gnome Users]