
internal-sftp only without ssh and scp hanging


Paul Surgeon

Oct 23, 2009, 8:55:05 AM
I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh
chroot functionality).

i.e.
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

So far everything works correctly with sftp but when a user ssh's or
scp's to the box the login hangs after authentication.
Is there any way to get sshd to close the connection instead of just hanging?

My question is the same as this post which was never answered:
http://marc.info/?l=openssh-unix-dev&m=124492525712723&w=2

Thanks
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Aris Adamantiadis

Oct 23, 2009, 9:07:59 AM
Hello, I suggest

Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory /chroot/%u
X11Forwarding no
AllowTcpForwarding no

ForceCommand "echo no external login allowed"
Subsystem sftp internal-sftp

Since I don't see an obvious way of denying a request-shell or a
request-exec query. I'm not 100% sure it's going to work.
Don't forget AllowTcpForwarding no if this is relevant.

Aris

Paul Surgeon wrote:

Peter Stuge

Oct 23, 2009, 1:07:10 PM
Paul Surgeon wrote:
> i.e.
> Subsystem sftp internal-sftp
> Match group sftpusers
> ChrootDirectory /chroot/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> So far everything works correctly with sftp but when a user ssh's
> or scp's to the box the login hangs after authentication.

Hm. I guess internal-sftp is used as shell for whatever ssh and scp
want to execute. Maybe that looks just like a legitimate start of
internal-sftp, then I think the forcecommand echo idea is better.


//Peter

Darren Tucker

Oct 23, 2009, 3:28:54 PM
Paul Surgeon wrote:
> I've configured OpenSSH_5.3p1 to only allow sftp connections (openssh
> chroot functionality).
[...]

> So far everything works correctly with sftp but when a user ssh's or
> scp's to the box the login hangs after authentication.
> Is there any way to get sshd to close the connection instead of just hanging?

Funny you should ask that. Damien wrote a patch for that yesterday:

https://bugzilla.mindrot.org/show_bug.cgi?id=1606

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
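
The following is an added example, not part of any post in this thread and not OpenSSH project code: a small auditor that parses an sshd_config and checks every Match block that sets ChrootDirectory against the settings in the configuration from the first post (ForceCommand internal-sftp, AllowTcpForwarding no, X11Forwarding no). The function names, the sample text and the "uploads" group are assumptions made for the illustration.

```python
# Added example: audit chrooted Match blocks in an sshd_config against the
# sftp-only settings from the first post. SAMPLE is constructed; the "uploads"
# group and all function names are hypothetical.
DEFAULTS = {"forcecommand": "", "allowtcpforwarding": "yes", "x11forwarding": "no"}
SAMPLE = """\
Subsystem sftp internal-sftp
Match group sftpusers
    ChrootDirectory /chroot/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Match group uploads
    ChrootDirectory /chroot/%u
    ForceCommand "echo sftp only"
"""

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts)]); first value per keyword wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":      # a Match block runs until the next Match or EOF
            current = {}
            blocks.append((value, current))
        else:
            (global_opts if current is None else current).setdefault(keyword, value)
    return global_opts, blocks

def audit_sftp_only(text):
    """Map each Match block that sets ChrootDirectory to its findings ([] = OK)."""
    global_opts, blocks = parse_sshd_config(text)
    report = {}
    for criteria, opts in blocks:
        if "chrootdirectory" not in opts:
            continue
        # Match-block values override the global section, then sshd defaults.
        eff = lambda k: opts.get(k, global_opts.get(k, DEFAULTS[k]))
        findings = []
        if eff("forcecommand").split()[:1] != ["internal-sftp"]:
            findings.append("ForceCommand is not internal-sftp")
        for key, label in (("allowtcpforwarding", "AllowTcpForwarding"), ("x11forwarding", "X11Forwarding")):
            if eff(key).lower() != "no":
                findings.append(label + " is not 'no'")
        report[criteria] = findings
    return report
```

The auditor looks at each Match block in isolation; it does not follow Include files or work out which block applies to a given user.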
