chroot with SSH and SFTP - ssh

I'm stuck on something quite complicated it seems, but I'm pretty sure I'm not the first one to face this problem, still I can't seem to find someone having the same problem on any forum.
As said in the title I want to make a chroot for users that works with SSH and SFTP. I'm currently stuck with one or the other and that's not ok with me.
Following tutorials, I modified the sshd_config file and added this line as suggested:
ForceCommand internal-sftp
That allows me to connect when using a Linux terminal, but it's a bit tricky for Windows users using PuTTY, even if it seems you can use it with psftp. But you can't use all the commands you put inside the jail env.
Has anyone already figured this one out?
As stated before my chroot is working, so it's not really a configuration issue.

Finally I found a solution reading another tutorial.
If anyone is troubled with this another time: in sshd_config, most tutorials just leave the Subsystem line in the file at its default.
To resolve my issue I just did this:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
That did the work and I can now access my server in SSH and SFTP with the chrooted accounts.
It's always just after you post on a forum that you find a solution.
Have a good day everyone.
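
The difference between the two Subsystem lines above, as an added example that is not part of the original posts: a small auditor that reads an sshd_config and reports, for each block that sets ChrootDirectory, whether the account gets SFTP only, shell plus SFTP, or an SFTP subsystem that points at a binary outside the jail. The function names, group names and paths are constructed for illustration, and "shell-and-sftp" assumes the jail already contains a working shell.

```shell
#!/bin/sh
# Added example, not from the original post: report, per sshd_config block,
# what a chrooted account can do. Global ChrootDirectory/ForceCommand values
# are not carried into Match blocks (simplification).
audit_sshd_chroot() {
    awk '
        function report(  v) {
            if (chroot == "") return            # block has no chroot: skip
            if (forced)                        v = "sftp-only"
            else if (sftp == "internal-sftp")  v = "shell-and-sftp"
            else                               v = "sftp-needs-binary-in-jail"
            print block ": " v
        }
        BEGIN { block = "global" }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        { kw = tolower($1) }                    # keywords are case-insensitive
        kw == "match" { report(); block = $2 " " $3; chroot = ""; forced = 0; next }
        kw == "subsystem" && $2 == "sftp"       { sftp = $3 }
        kw == "chrootdirectory" && $2 != "none" { chroot = $2 }
        kw == "forcecommand"                    { forced = ($2 == "internal-sftp") }
        END { report() }
    ' "$1"
}

# Constructed sample config; $1 is the Subsystem target to try.
sample_config() {
    cat <<EOF
Subsystem sftp $1
Match Group jailed
    ChrootDirectory /srv/jail/%u
Match Group uploaders
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}

# Write the sample to a temporary file and audit it.
audit_sample() {
    tmp=$(mktemp) || return 1
    sample_config "$1" > "$tmp"
    audit_sshd_chroot "$tmp"
    rm -f "$tmp"
}

audit_sample /usr/lib/openssh/sftp-server   # the default line most tutorials keep
audit_sample internal-sftp                  # the line used in the fix above
```

After changing the real file, sshd -t validates the syntax before the daemon is reloaded.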

Related

How can I change the port for Webmin access?

I'm managing a Rails website that relies on MySQL tables. I used to be able to access the tables with Webmin by going to xxx.xxx.xxx.xxx:10000 . At some point, I lost the ability to access it this way.
I'm not great with SSH, but I was able to SSH into my website as a general user. Then, I switched to Root user. Then, I ran this command to restart my Webmin:
svcadm restart webmin
It seemed to accept the command, but I'm not really sure how to check. Anyway, I started getting a new error message when I tried to access Webmin through my browser:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The website uses a connection with Cloudflare. My guess was that this could be the problem since Cloudflare doesn’t support port 10000. I tried deactivating Cloudflare, but it didn't resolve the problem.
Still, I figured I might need to use SSH to change the port for Webmin access just in case. I found a source that suggested how to do it, and it starts with SSH. I went in through SSH and I switched to Root user. Then, I ran this command:
/etc/webmin/miniserv.conf
And it tells me
bash /etc/webmin/miniserv.conf Permission denied
How can I get past this step? Am I headed the wrong direction to get access back to Webmin? Thank you!

Ansible: how to make Paramiko use ~/.ssh/config?

Ideally, of course, I'd like Ansible to completely take care of this.
If this is not possible (why?!), then, at least, I want to be able to extract ~/.ssh/config contents into some other format and then make Ansible feed this to Paramiko. I am sure I'm not the first one faced with this task, so what's the accepted way of doing this?
I need this in order to use authorized_keys module to turn on passwordless authentication.
Btw, I wish Ansible emitted some warning when falling back to non-default backend (like Paramiko). I lost a couple of hours yesterday and actually had to download Ansible sources to figure out why perfectly running Ansible command suddenly stopped running when adding -k / --ask-pass option (yes, I am completely new to Ansible).
You can define this configuration in the Ansible configuration ini file or environment variables -- specifically the section for ANSIBLE_SSH_ARGS.

Getting a PDF out of the SSH to the own system

Given:
Connection to the Uni's secure shell like this:
me@my_computer~$ ssh <my_name>@unixyz.cs.xy.com
Password:***********
Welcome to Unixyz. You now can access a terminal on system unixyz:
my_name@unixyz~$ ls
Desktop Documents Pictures Music desired_document.pdf
my_name@unixyz-$
Task/Question:
Getting the desired_document.pdf to my own system. I have thought of some options so far:
1) Since I can access an editor like nano, I could write a C/Java program, compile it in the home directory and make that program send the PDF. Problem with that: I would have to code a client on the Uni machine and a server on my own system. On top of that, I only know how to transfer text given to stdin and no PDFs. And it's obviously too much work for the given task.
2) I found some vague information about the commands scp and sftp. Unfortunately, I cannot figure out how it is done exactly.
The latter is basically my question: Are the commands scp and sftp valid options for doing the desired and how are they used?
EDIT:
I received a first answer and the problem persists: As stated, I use:
scp me@server.cs.xyz.com:/path/topdf /some/local/dir
which gives me:
/some/local/dir: no such file or directory
I'm not sure in which environment you are.
Do you use Linux or Windows as your every-day operating system?
If you are using Windows, there are some UI-based scp/ssh implementations that enable you to transfer these files using an Explorer-based UI.
For example there is https://winscp.net/
You can indeed use scp to do exactly that, and it's easier than it might look:
scp your_username@unixyz.cs.xy.com:path/to/desired_document.pdf /some/local/dir
The key is the colon after the server name, where you add your path.
Optionally you can pass in the password as well, but that's bad practice, for obvious reasons.
I actually got the answer myself and the error that I was having. Both the guy with the answer and the commenter were right. BUT:
scp must be launched when you are in YOUR terminal, I always tried to do it while I was connected to the remote server.
2 hours wasted because of that.

access restrictions for openssh

I would need some advice from those who want to help:
I have a Linux server, and I want to provide ssh (openssh) access to services like rsync and sftp for a specific user (extuser).
1) I'd like to restrict extuser to only run rsync or sftp, no other commands.
2) extuser needs to read/write some specific directories, so I want to restrict what he can see and where he can write.
3) I've read a bit about rbash or lshell, but I wanted to know if I could manage it with a "basic" configuration of openssh, without adding specific tools?
Here is my reflection (not very far, sorry):
For 1), if I had only rsync to deal with, I've seen the rrsync script, which is really helpful :) But how to add the sftp restriction? I've read about the "command=" in authorized_keygen and the use of the variable SSH_ORIGINAL_COMMAND, but I'm not sure if it is mainly dedicated to ssh commands used explicitly (i.e. ssh user@host "mycommand"), not to commands that "internally" use ssh like rsync or sftp?
For 2), I think the chroot option for sftp will help.
If you have any advice or remarks, or if you see I'm going the wrong way, I'd appreciate some feedback :)
Thanks a lot :)
OK, so it appears that the chroot can fulfill all the needs, since it's up to me to choose the commands I want to allow in the "chrooted" bin :)
So no command restrictions by openssh configuration, but by the chroot directory tree. And therefore I don't seem to need extra tools :)

Pushing my Mercurial Repository through HTTP with Apache and Windows

So I have managed it. I can clone mercurial-repositories remotely using HTTP to my Windows Server 2003 machine and the ipaddress from that machine. Although I did deactivate IIS6 and am using Apache 2.2.x now. But not all works right now...darn! Here's the thing:
Cloning goes smooth! But when I want to push my changes to the original repository I get the message "cannot lock static http-repository". On the internet I get to read several explanations that Mercurial wasn't designed to push over HTTP connections. Still, on the Mercurial website there's something about configuring an hgrc file.
There's also the possibility to configure Apache to host via HTTPS (or SSL). For this you have to load the module enabling OpenSSL and generate keys.
Configuring the hgrc file
Just add "push_ssl = false" under the [web] line. But where to put this file when pushing your changes back?! Because I placed it in the root of the server, in the ".hg" directory, nothing works.
Using SSL/HTTPS with Apache
When I try to access 'https://myipaddress' it fails, displaying a Dutch message which would mean something like "server taking too long to respond". Trying to push also gives me a Dutch error message which means about the same. It cannot connect to my server via https although I followed the steps exactly at this blog.
I don't care which of the above solutions will work for me. Turns out none of them work so far. So please, can anyone help me with one of the solutions above? Pick the easiest! Help will be greatly appreciated, not only from me.
Summary
-Windows Server 2003
-Apache 2.2 with OpenSSL
-Mercurial 1.8.2
-I can clone, but not push!
Thank you!
Maarten Baar(s)
It seems like you might have Apache configured incorrectly for getting it to do what you want. Based on your question, it sounds like you have a path (maybe the root of the server) pointing to the repository you want to serve.
Mercurial comes with a script for this exact purpose; in the latest version it is hgweb.cgi. There are reasonably good instructions for setting it up on the Mercurial site. It should allow both cloning and pushing. You will need the push_ssl=false if you will not be configuring https, and also an allow_push line which will let certain users, or all (*), push to the repository. But all that should be part of the setup docs.