List: rssh-discuss
Subject: sftp on AIX 5.3
From: Kurt Telep <kwtelep () us ! ibm ! com>
Date: 2006-06-09 16:09:12
Message-ID: OFEE11B2C1.A2A348E8-ON85257188.0057E138-85257188.0058BA85 () us ! ibm ! com
I've been working on getting rssh jails working on AIX 5.3 for the past
couple hours, and have been about 1/2 way successful, but I think I need a
little bit of a push to get over the last hump.

I cannot get the sftp to work in the jail. Here's the debug output. It
looks like rssh_chroot_helper is getting called correctly, but sftp just
doesn't want to run; I get the standard "Connection Closed" when I try to
sftp in.....

Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: channel 0: new [server-session]
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_new: init
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_new: session 0
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_open: channel 0
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_open: session 0: link with channel 0
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: server_input_channel_open: confirm session
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: server_input_channel_req: channel 0 request subsystem reply 1
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_by_channel: session 0 channel 0
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_input_channel_req: session 0 req subsystem
Jun 9 11:08:16 vq2ua412 auth|security:info sshd[1249436]: subsystem request for sftp
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: subsystem: exec() /usr/libexec/sftp-server
Jun 9 11:08:16 vq2ua412 daemon:info rssh[1400886]: setting log facility to LOG_USER
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: allowing scp to all users
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: allowing sftp to all users
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: line 28: configuring user testuser
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: setting testuser's umask to 022
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: allowing scp to user testuser
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: allowing sftp to user testuser
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: chrooting testuser to /xref
Jun 9 11:08:16 vq2ua412 user:info rssh[1400886]: chroot cmd line: /usr/local/libexec/rssh_chroot_helper 2 "/usr/libexec/sftp-server"
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: Received SIGCHLD.
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_by_pid: pid 1400886
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_exit_message: session 0 channel 0 pid 1400886
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_exit_message: release channel 0
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: session_close: session 0 pid 1400886
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: channel 0: free: server-session, nchannels 1
Jun 9 11:08:16 vq2ua412 auth|security:info sshd[1249436]: Connection closed by 127.0.0.1
Jun 9 11:08:16 vq2ua412 auth|security:debug sshd[1249436]: debug1: do_cleanup
Jun 9 11:08:16 vq2ua412 auth|security:info sshd[1249436]: Closing connection to 127.0.0.1

Here's what I've done to get SCP working properly in the jail for any
other AIX 5.3 users out there.

1. ./configure --bindir=/usr/bin --sysconfdir=/etc/rssh --with-sftp-server=/usr/libexec/sftp-server

2. Remove the following two lines from config.h

/* Define to rpl_malloc if the replacement function should be used. */
#define malloc rpl_malloc

3. make && make install

rssh -v output:

rssh 2.3.2
Copyright 2002-5 Derek D. Martin <rssh-discuss at lists dot sourceforge dot net>

rssh config file = /etc/rssh/rssh.conf
chroot helper path = /usr/local/libexec/rssh_chroot_helper
scp binary path = /usr/bin/scp
sftp server binary = /usr/libexec/sftp-server
cvs binary path = /usr/bin/cvs
rdist binary path = /usr/bin/rdist
rsync binary path = /opt/freeware/bin/rsync

4. Add /usr/bin/rssh to the shells line of /etc/security/login.cfg

5. Copy the following files into the Jail environment (in my case /xref)

/etc/passwd
/opt/freeware/lib/libcrypto.a
/usr/bin/ksh93
/usr/bin/scp
/usr/lib/libc.a
/usr/lib/libcrypt.a
/usr/lib/security/methods.cfg # This one was key to fixing scp not finding the user, since we don't use LDAP here the libnss trick won't work.
/usr/libexec/sftp-server
/usr/local/libexec/rssh_chroot_helper

Kurt Telep
IBM Applications on Demand
AIX Production Support
Office: 215-853-8544
Cell: 267-446-1815
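
As an added example (not part of the original post and not rssh's own tooling), a small POSIX sh helper that copies the files listed in step 5 to the same paths under a jail root and then reports any that are missing or group/world-writable. The function names and the SRC_ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: populate and audit a chroot jail from a list of absolute paths.
# SRC_ROOT (an assumption of this example) is the tree to copy from; on a real
# host it is "/", and a scratch directory can stand in for it when testing.

# File list taken from step 5 of the post.
JAIL_FILES="/etc/passwd
/opt/freeware/lib/libcrypto.a
/usr/bin/ksh93
/usr/bin/scp
/usr/lib/libc.a
/usr/lib/libcrypt.a
/usr/lib/security/methods.cfg
/usr/libexec/sftp-server
/usr/local/libexec/rssh_chroot_helper"

# jail_populate SRC_ROOT JAIL
# Copy each listed file to the same path under JAIL, preserving mode and owner.
jail_populate() {
    src_root=${1%/}
    jail=${2%/}
    for f in $JAIL_FILES; do
        [ -f "$src_root$f" ] || continue      # absent on the host: jail_audit reports it
        mkdir -p "$jail$(dirname "$f")" &&
        cp -p "$src_root$f" "$jail$f" || return 1
    done
}

# jail_audit JAIL
# Print one line per problem; return 0 only when every file is present and
# none is writable by group or other.
jail_audit() {
    jail=${1%/}
    bad=0
    for f in $JAIL_FILES; do
        if [ ! -f "$jail$f" ]; then
            echo "MISSING  $f"; bad=1
        elif [ -n "$(find "$jail$f" \( -perm -002 -o -perm -020 \) 2>/dev/null)" ]; then
            echo "WRITABLE $f"; bad=1
        fi
    done
    return $bad
}
```

For the jail in the post this would be run as root as `jail_populate / /xref` followed by `jail_audit /xref`.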