
Mailing List Archive: OpenSSH: Dev

internal-sftp only without ssh and scp hanging

 

 



surgpm at gmail

Oct 23, 2009, 5:55 AM

Post #1 of 4
internal-sftp only without ssh and scp hanging

I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh
chroot functionality).

i.e.
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

So far everything works correctly with sftp but when a user ssh's or
scp's to the box the login hangs after authentication.
Is there any way to get sshd to close the connection instead of just hanging?

My question is the same as this post which was never answered:
http://marc.info/?l=openssh-unix-dev&m=124492525712723&w=2

Thanks
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev[at]mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
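
An added example, not part of the original thread or of OpenSSH: a small Python check that reads sshd_config text and reports, for each chrooted Match block like the one posted above, any of the three restrictions whose effective value is weaker than in that post. It assumes sshd's first-value-wins parsing and its built-in defaults (AllowTcpForwarding yes, X11Forwarding no, no ForceCommand); the function names and the second Match block in the sample are constructed.

```python
# Added example: audit chrooted Match blocks in sshd_config text.
REQUIRED = {"forcecommand": "internal-sftp",
            "allowtcpforwarding": "no",
            "x11forwarding": "no"}
# sshd built-in defaults for the same keywords (ForceCommand: none).
DEFAULTS = {"forcecommand": "", "allowtcpforwarding": "yes",
            "x11forwarding": "no"}

def parse(text):
    """Return (global_opts, [(match_condition, opts), ...]).

    Keywords are case-insensitive and sshd keeps the first value it
    reads for a keyword, so repeats within one scope are ignored.
    """
    glob, blocks = {}, []
    scope = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip('"') if len(parts) > 1 else ""
        if key == "match":      # a Match block runs to the next Match or EOF
            scope = {}
            blocks.append((val, scope))
        else:
            scope.setdefault(key, val)
    return glob, blocks

def audit(text):
    """List (match_condition, keyword, effective_value) for each chrooted
    Match block whose effective setting differs from REQUIRED."""
    glob, blocks = parse(text)
    findings = []
    for cond, opts in blocks:
        if "chrootdirectory" not in opts:
            continue            # only chrooted blocks are in scope
        for key, want in REQUIRED.items():
            # A value in the Match block overrides the global one.
            got = opts.get(key, glob.get(key, DEFAULTS[key]))
            if got.split()[:1] != [want]:   # allows "internal-sftp -l INFO"
                findings.append((cond, key, got))
    return findings

# Constructed sample: the first block mirrors the post, the second is weak.
SAMPLE = ("Subsystem sftp internal-sftp\nMatch group sftpusers\n"
          "ChrootDirectory /chroot/%u\nX11Forwarding no\n"
          "AllowTcpForwarding no\nForceCommand internal-sftp\n"
          "Match Group uploads\nChrootDirectory /srv/uploads/%u\n"
          "X11Forwarding yes\n")
```

`audit(SAMPLE)` returns nothing for the `sftpusers` block and three findings for the constructed `uploads` block.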


aris.adamantiadis at belnet

Oct 23, 2009, 6:07 AM

Post #2 of 4
Re: internal-sftp only without ssh and scp hanging

Hello, I suggest

Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand "echo no external login allowed"
Subsystem sftp internal-sftp

Since I don't see an obvious way of denying a request-shell or a
request-exec query. I'm not 100% sure it's going to work.
Don't forget AllowTcpForwarding no if this is relevant.

Aris

Paul Surgeon wrote:
> I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh
> chroot functionality).
>
> i.e.
> Subsystem sftp internal-sftp
> Match group sftpusers
> ChrootDirectory /chroot/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> So far everything works correctly with sftp but when a user ssh's or
> scp's to the box the login hangs after authentication.
> Is there any way to get sshd to close the connection instead of just hanging?
>
> My question is the same as this post which was never answered:
> http://marc.info/?l=openssh-unix-dev&m=124492525712723&w=2
>
> Thanks


peter at stuge

Oct 23, 2009, 10:07 AM

Post #3 of 4
Re: internal-sftp only without ssh and scp hanging

Paul Surgeon wrote:
> i.e.
> Subsystem sftp internal-sftp
> Match group sftpusers
> ChrootDirectory /chroot/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> So far everything works correctly with sftp but when a user ssh's
> or scp's to the box the login hangs after authentication.

Hm. I guess internal-sftp is used as shell for whatever ssh and scp
want to execute. Maybe that looks just like a legitimate start of
internal-sftp, then I think the ForceCommand echo idea is better.


//Peter


dtucker at zip

Oct 23, 2009, 12:28 PM

Post #4 of 4
Re: internal-sftp only without ssh and scp hanging

Paul Surgeon wrote:
> I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh
> chroot functionality).
[...]
> So far everything works correctly with sftp but when a user ssh's or
> scp's to the box the login hangs after authentication.
> Is there any way to get sshd to close the connection instead of just hanging?

Funny you should ask that. Damien wrote a patch for that yesterday:

https://bugzilla.mindrot.org/show_bug.cgi?id=1606

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.