I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh chroot functionality).

i.e.
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

So far everything works correctly with sftp but when a user ssh's or scp's to the box the login hangs after authentication.
Is there any way to get sshd to close the connection instead of just hanging?

My question is the same as this post which was never answered:
http://marc.info/?l=openssh-unix-dev&m=124492525712723&w=2

Thanks

Hello,

I suggest

Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand "echo no external login allowed"
Subsystem sftp internal-sftp

Since I don't see an obvious way of denying a request-shell or a request-exec query.
I'm not 100% sure it's going to work. Don't forget AllowTcpForwarding no if this is relevant.

Aris

Paul Surgeon wrote:
> I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh
> chroot functionality).
>
> i.e.
> Subsystem sftp internal-sftp
> Match group sftpusers
> ChrootDirectory /chroot/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> So far everything works correctly with sftp but when a user ssh's or
> scp's to the box the login hangs after authentication.
> Is there any way to get sshd to close the connection instead of just hanging?
>
> My question is the same as this post which was never answered:
> http://marc.info/?l=openssh-unix-dev&m=124492525712723&w=2
>
> Thanks

Paul Surgeon wrote:
> i.e.
> Subsystem sftp internal-sftp
> Match group sftpusers
> ChrootDirectory /chroot/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> So far everything works correctly with sftp but when a user ssh's
> or scp's to the box the login hangs after authentication.

Hm. I guess internal-sftp is used as shell for whatever ssh and scp want to execute. Maybe that looks just like a legitimate start of internal-sftp, then I think the forcecommand echo idea is better.

//Peter

Paul Surgeon wrote:
> I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh
> chroot functionality).
[...]
> So far everything works correctly with sftp but when a user ssh's or
> scp's to the box the login hangs after authentication.
> Is there any way to get sshd to close the connection instead of just hanging?

Funny you should ask that. Damien wrote a patch for that yesterday:
https://bugzilla.mindrot.org/show_bug.cgi?id=1606

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
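
Added example (not part of the thread, and not OpenSSH code): a Python check that reads sshd_config text and reports any Match block that sets ChrootDirectory without the three restrictions from the original post. The function names, the sample config and the "uploads" group are constructed for illustration, and only settings inside each Match block are examined.

```python
import shlex

# Settings from the original post's Match block: keyword -> expected first word.
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no", "x11forwarding": "no"}

def parse_match_blocks(text):
    """Return [(criteria, {keyword: value})], one entry per Match block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)               # copes with quoted arguments
        keyword, value = parts[0].lower(), " ".join(parts[1:])
        if keyword == "match":                  # block runs to the next Match or EOF
            current = {}
            blocks.append((value, current))
        elif current is not None:
            current.setdefault(keyword, value)  # first value for a keyword wins
    return blocks

def audit(text):
    """Return {criteria: [problems]} for each Match block that sets ChrootDirectory."""
    report = {}
    for criteria, opts in parse_match_blocks(text):
        if "chrootdirectory" not in opts:
            continue
        problems = []
        for key, want in REQUIRED.items():
            got = opts.get(key)
            if got is None or got.lower().split()[:1] != [want]:
                problems.append(f"{key}: found {got!r}, expected {want!r}")
        report[criteria] = problems
    return report

# Constructed sample: the block from the post plus a hypothetical incomplete one.
SAMPLE = """\
Match group sftpusers
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match group uploads
ChrootDirectory /srv/uploads/%u
ForceCommand internal-sftp
X11Forwarding yes
"""
```

Call audit() on the text of the server's sshd_config. A keyword reported as found None is absent from that Match block and may still be set in the global section, so check the global value before treating it as a gap.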