Re: sftp-server logging under chroot & privilege separation

Hi Lars:

Thanks for the info. We are running this on Solaris 9.

We are trying to stand up an OpenSSH SFTP server to integrate with our B2B 
message hub.  The Solaris SSH does not give us the flexibility we want to 
run it.

The other problem we are having is that since we are an 'application 
group', we are at the direction of the sys admins & corporate security for 
how we need to implement this.

As for your points below:
==================

==> chrooting is being achieved via sshd_config

+ turn off the SUID root - there is a way around whatever it was using 
sudoer
     ==> setuid is the only way we can get this to work
     ==> this is being run under a 'generic' application ID - NOT ROOT
+ check that you have created a socket named /dev/log in the chroot 
hierarchy
     ==> I think this is my problem - I'll have to research this!!!
+ check that syslogd, syslog-ng, or what have you is using that socket
     ==> we are using syslog -> root  5621     1  0   May 12 ?       66:05 /usr/sbin/syslogd


Thanks


Kevin J. Herman
Sr. Systems Analyst
EBMX [Electronic Business Message eXchange]
ITM - Procurement Systems

T/L 776-6793
O/L (248)576-6793
FAX (248)576-2185

CTC E3000-3S2E8
CIMS 483-01-19
LOC/DEPT: 1100-1721

Lars Nooden <lars.curator@xxxxxxxxx> 
Sent by: listbounce@xxxxxxxxxxxxxxxxx
03/08/2010 05:46 PM

To
secureshell@xxxxxxxxxxxxxxxxx
cc

Subject
Re: sftp-server logging under chroot & privilege separation

On 2010-3-8 7:53 PM, kjh26@xxxxxxxxxxxx wrote:
> We are using OpenSSH 5.3p1.
> 
> We are using this to host an SFTP drop-box.  We have implemented chroot &
> privilege separation.
> ... Any ideas?

Assuming the chroot is done via sshd_config and not the old way, here
are some things to look at:

+ turn off the SUID root - there is a way around whatever it was using
sudoer,
+ check that you have created a socket named /dev/log in the chroot
hierarchy,
+ check that syslogd, syslog-ng, or what have you is using that socket,
+ check that the partition where the chroot directory resides is not
mounted with the nodev option.

                 "The ChrootDirectory must contain the necessary files
                 and directories to support the user's session ...
                 sessions which use logging do require /dev/log inside
                 the chroot directory"

                 http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

                 "Use of sftp-server in a chroot configuration therefore
                 requires that syslogd(8) establish a logging socket
                 inside the chroot directory."

                 http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server

Is that on Solaris, AIX, BSD or Linux?

Regards,
/Lars
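A small verification script for the checklist in Lars's message (socket present in the chroot, a syslogd actually bound to it, and the nodev mount option), added here as an example; it is not code from either poster, from the list, or from OpenSSH. It assumes Python 3 with only the standard library, that the mount table uses the "special mountpoint fstype options" column order shared by Linux /proc/mounts and Solaris /etc/mnttab, and the probe message and PRI value 86 are constructed for the test.

```python
import os
import socket
import stat

def check_log_socket(chroot):
    """chroot/dev/log must exist and be a Unix-domain socket, not a file or FIFO."""
    path = os.path.join(chroot, "dev", "log")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "%s does not exist" % path
    if not stat.S_ISSOCK(st.st_mode):
        return False, "%s exists but is not a socket" % path
    return True, path

def probe_log_socket(chroot, message="sftp-chroot-check: probe"):
    """Send one datagram to chroot/dev/log the way syslog(3) does.
    Succeeds only if a syslogd is really bound there; a stale socket file fails."""
    ok, detail = check_log_socket(chroot)
    if not ok:
        return False, detail
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(detail)   # ECONNREFUSED: socket file present but nobody listening
        s.send(("<86>" + message).encode())  # PRI 86 = authpriv(10)*8 + info(6)
        return True, "listener on %s accepted the datagram" % detail
    except OSError as e:
        return False, "nothing listening on %s: %s" % (detail, e)
    finally:
        s.close()

def mount_options_for(path, mount_table):
    """Options of the longest mount point containing path. Parses the
    'special mountpoint fstype options ...' columns shared by Linux
    /proc/mounts and Solaris /etc/mnttab; returns ('', '') if none match."""
    best = ("", "")
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp = fields[1]
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best[0]):
            best = (mp, fields[3])
    return best

def chroot_mounted_nodev(path, mount_table):
    """True when the filesystem holding the chroot carries the nodev option."""
    return "nodev" in mount_options_for(path, mount_table)[1].split(",")
```

Run probe_log_socket() against your ChrootDirectory and chroot_mounted_nodev() with the contents of /proc/mounts or /etc/mnttab; both return (ok, reason) style results you can act on.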