Hello, teka.

I installed MSS on another server.
All configuration is set to default. But again I want a group of superusers with full access and can't configure it.

sftp_config:

<Default>
    GlobalDownload        50k    #total speed download for all clients
                    # o -> bytes   k -> kilo bytes   m -> mega bytes
    GlobalUpload        0    #total speed download for all clients (0 for unlimited)
    Download         5k    #limit speed download for each connection
    Upload             0    #unlimit speed upload for each connection
    StayAtHome        true    #limit client to his home
    VirtualChroot        true    #fake a chroot to the home account
    LimitConnection        100    #max connection for the server sftp
    LimitConnectionByUser    5    #max connection for the account
    LimitConnectionByIP    20    #max connection by ip for the account
    Home            /home/$USER    #overrite home of the user but if you want you can use
                        #    environment variable (ie: Home /home/$USER)
    IdleTimeOut        5m    #(in second) deconnect client is idle too long time
    ResolveIP        true    #resolve ip to dns
#    IgnoreHidden        true    #treat all hidden files as if they don't exist
#    DirFakeUser        true    #Hide real file/directory owner (just change displayed permissions)
#    DirFakeGroup        true    #Hide real file/directory group (just change displayed permissions)
#    DirFakeMode        0400    #Hide real file/directory rights (just change displayed permissions)
                    #Add execution right for directory if read right is set
#    HideFiles        "^(lost\+found|public_html)$"    #Hide file/directory which match
                                #this extented POSIX regex
    HideNoAccess        true    #Hide file/directory which user has no access
#    MaxOpenFilesForUser    20    #limit user to open x files on same time
#    MaxWriteFilesForUser    10    #limit user to x upload on same time
#    MaxReadFilesForUser    10    #limit user to x download on same time
    DefaultRights        0640 0750    #Set default rights for new file and new directory
#    MinimumRights        0400 0700    #Set minimum rights for files and dirs

#    PathDenyFilter        "^\."    #deny upload of directory/file which match this extented POSIX regex

    ShowLinksAsLinks    false    #show links as their destinations
#    ConnectionMaxLife    1d    #limits connection lifetime to 1 day

#    Charset            "ISO-8859-15"    #set charset of computer
#    GMTTime            +1    #set GMT Time (change if necessary)
</Default>

<User elkaz>
        IsAdmin         true            #can admin the server
        VirtualChroot   false           #you must disable chroot to have a full support of admin
        StayAtHome      false
        IdleTimeOut     0
        Home            /root
        HideNoAccess    false
</User>

<Group root>
    LogFile /var/log/sftp_admins.log
    IsAdmin  true
    VirtualChroot false
    StayAtHome false
</Group>


Logs:

2011-07-19 17:45:20 [15284]New client [elkaz] from [91.***]
2011-07-19 17:45:21 [15284][elkaz][91.***]Quit.





FileZilla:
Status:    Connecting to ***...
Response:    fzSftp started
Command:    open "elkaz@***" 22
Command:    Pass: **********
Status:    Connected to ***
Status:    Retrieving directory listing...
Command:    pwd
Response:    Current directory is: "/root"
Command:    ls
Status:    Listing directory /root/
Error:    Unable to open .: permission denied


Why is the directory root?
For example, another user, who is not in the root group:

Status:    Connecting to ***
Response:    fzSftp started
Command:    open "num8er@***" 22
Command:    Pass: *****
Status:    Connected to ***
Status:    Retrieving directory listing...
Command:    pwd
Response:    Current directory is: "/"
Command:    ls
Status:    Listing directory /
Status:    Calculating timezone offset of server...
Command:    mtime ".cache"
Response:    1311001088
Status:    Timezone offsets: Server: 0 seconds. Local: 18000 seconds. Difference: 18000 seconds.
Status:    Directory listing successful

2

(6 replies, posted in Configuration)

Thanks, found — /var/log/sftp-server.log
The problem was in connection sessions per user (I am using an IDE, a file manager and some other tools at the same time :) )
Topic may be closed.

3

(6 replies, posted in Configuration)

Where are the MSS logs located?

4

(6 replies, posted in Configuration)

-rwsr-xr-x 1 root root  75091 Mar 17 12:37 MySecureShell

Hello. Just installed MySecureShell 1.2.
By the way — couldn't install it via dpkg:

gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys E328F22B; gpg --export E328F22B | sudo apt-key add -

Server might be down or something. Installed from sources.

OK. I want to allow users to get only their home directory, and restrict any others. Full access for root (as in the usual shell).

sftp-verif:

#################################################
#        MySecureShell Verification Tool        #
#################################################


** Verifing file existance **

Verifing file existance of /bin/MySecureShell            [ OK ]
Verifing file existance of /usr/bin/sftp-who            [ OK ]
Verifing file existance of /usr/bin/sftp-kill            [ OK ]
Verifing file existance of /usr/bin/sftp-state            [ OK ]
Verifing file existance of /usr/bin/sftp-admin            [ OK ]
Verifing file existance of /usr/bin/sftp-verif            [ OK ]
Verifing file existance of /usr/bin/sftp-user            [ OK ]
Verifing file existance of /etc/ssh/sftp_config            [ OK ]

** Verifing rights **

Verifing file rights of /etc/ssh/sftp_config            [ OK ]
Verifing file rights of /usr/bin/sftp-who            [ OK ]
Verifing file rights of /usr/bin/sftp-verif            [ OK ]
Verifing file rights of /usr/bin/sftp-user            [ OK ]
Verifing file rights of /usr/bin/sftp-kill            [ OK ]
Verifing file rights of /usr/bin/sftp-state            [ OK ]
Verifing file rights of /usr/bin/sftp-admin            [ OK ]
Verifing file rights of /bin/MySecureShell            [ OK ]


** Verifing rotation logs **

MySecureShell rotation logs                    [ OK ]


** Verifing server status **

Verifing server status (ONLINE)                    [ OK ]


** Verifing server dependencies **
Show only error(s):


** Verifing server configuration **
Show only error(s):
Try user: root


** All tests dones **

sftp_config:

<Default>
        GlobalDownload          0       #total speed download for all clients
                                        # o -> bytes   k -> kilo bytes   m -> mega bytes
        GlobalUpload            0       #total speed download for all clients (0 for unlimited)
        Download                0       #limit speed download for each connection
        Upload                  0       #unlimit speed upload for each connection
        StayAtHome              true    #limit client to his home
        VirtualChroot           true    #fake a chroot to the home account
        LimitConnection         10      #max connection for the server sftp
        LimitConnectionByUser   1       #max connection for the account
        LimitConnectionByIP     2       #max connection by ip for the account
        Home                    /home/$USER     #overrite home of the user but if you want you can use
                                                #       environment variable (ie: Home /home/$USER)
        IdleTimeOut             5m      #(in second) deconnect client is idle too long time
        ResolveIP               true    #resolve ip to dns
#       IgnoreHidden            true    #treat all hidden files as if they don't exist
#       DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)
#       DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)
                                        #Add execution right for directory if read right is set
#       HideFiles               "^(lost\+found|public_html)$"   #Hide file/directory which match
                                                                #this extented POSIX regex
        HideNoAccess            true    #Hide file/directory which user has no access
#       MaxOpenFilesForUser     20      #limit user to open x files on same time
#       MaxWriteFilesForUser    10      #limit user to x upload on same time
#       MaxReadFilesForUser     10      #limit user to x download on same time
        DefaultRights           0777 0777       #Set default rights for new file and new directory
#       MinimumRights           0400 0700       #Set minimum rights for files and dirs

#       PathDenyFilter          "^\."   #deny upload of directory/file which match this extented POSIX regex

        ShowLinksAsLinks        false   #show links as their destinations
#       ConnectionMaxLife       1d      #limits connection lifetime to 1 day

#       Charset                 "ISO-8859-15"   #set charset of computer
#       GMTTime                 +1      #set GMT Time (change if necessary)
</Default>

<User root>
        IsAdmin         true            #can admin the server
        VirtualChroot   false           #you must disable chroot to have a full support of admin
        StayAtHome      false
        IdleTimeOut     0
        Home            /root
        HideNoAccess    false
</User>

Users are connecting pretty well. But root does not have any access to sftp O_o. Shell is working for root.
There was one problem with incorrect rights on /bin/MySecureShell (error was — could not change to work directory "/"). I fixed it and now get 'could not connect to SFTP server at "sftp://example.com/". (inputstream is closed)'

I didn't find how to restart (or is it not necessary?) MySecureShell after changing the sftp_config file. Any ideas?

Thanks.
Elkin.
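
Added example, not part of the original posts and not MySecureShell's own code: a small Python audit of the sftp_config block format quoted above. It flags the per-user connection cap that turned out to be the cause in this thread, world-writable DefaultRights, and admin blocks with both restrictions switched off. The sample config is constructed, `clients_per_user` is a hypothetical input, and the parser makes no claim about how MySecureShell merges Default, Group and User blocks.

```python
# Constructed sample in the sftp_config block format quoted in the posts.
SAMPLE = """\
<Default>
        LimitConnectionByUser   1       #max connection for the account
        DefaultRights           0777 0777       #rights for new file and new directory
        StayAtHome              true    #limit client to his home
        VirtualChroot           true    #fake a chroot to the home account
</Default>

<User root>
        IsAdmin         true            #can admin the server
        VirtualChroot   false
        StayAtHome      false
</User>
"""

def parse_blocks(text):
    """Return {(kind, name): {directive: value}} for <Default>, <User x>, <Group x>."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and commented-out directives drop out
        if not line:
            continue
        if line.startswith("</"):
            current = None
        elif line.startswith("<"):
            kind, *name = line.strip("<>").split(None, 1)
            current = blocks.setdefault((kind, name[0] if name else ""), {})
        elif current is not None:
            key, *value = line.split(None, 1)
            current[key] = value[0].strip() if value else ""
    return blocks

def audit(blocks, clients_per_user=1):
    """clients_per_user is a hypothetical input: how many tools one account runs at once."""
    findings = []
    for (kind, name), cfg in blocks.items():
        where = f"<{kind} {name}>".replace(" >", ">")
        rights = cfg.get("DefaultRights", "")
        if any(int(mode, 8) & 0o002 for mode in rights.split()):
            findings.append(f"{where}: DefaultRights {rights} is world-writable")
        limit = int(cfg.get("LimitConnectionByUser", 0))
        if 0 < limit < clients_per_user:  # 0 is not flagged (assumed to mean unlimited)
            findings.append(f"{where}: LimitConnectionByUser {limit} < {clients_per_user} clients")
        if (cfg.get("IsAdmin"), cfg.get("VirtualChroot"), cfg.get("StayAtHome")) == ("true", "false", "false"):
            findings.append(f"{where}: admin block with chroot and home restriction off")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_blocks(SAMPLE), clients_per_user=3):
        print(finding)
```

A quoted regex value containing `#` (for example in HideFiles) would be cut short by the comment stripping here; the directives being audited never carry one.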