Topic: Help with Secureshell

Hi,


I have managed to install 0.61 of MySecureShell.

I set up a user account called test and set its shell to /bin/MySecureshell.

When I try to log in, it fails.

The server is running.

I have gone through the documentation and still do not see what the problem could be.

Any ideas?

Re: Help with Secureshell

Hi,

It's strange to try to use such an old version.

Some critical bugs are fixed in newer versions of MySecureShell.

On recent distributions an old bug can prevent MySecureShell from launching.
To see if MySecureShell could work on your OS, just try this as the final user:

MySecureShell -v -v --configtest

It should work... or not

Re: Help with Secureshell

teka wrote:

Hi,

It's strange to try to use such an old version.

Some critical bugs are fixed in newer versions of MySecureShell.

On recent distributions an old bug can prevent MySecureShell from launching.
To see if MySecureShell could work on your OS, just try this as the final user:

MySecureShell -v -v --configtest

It should work... or not

It does work. But why is it that I have problems logging in as my user... Whenever I try, it refuses the logon:

sftp test@10.20.202.31
Connecting to 10.20.202.31...
test@10.20.202.31's password:
Permission denied, please try again.
test@10.20.202.31's password:
----------------------------------------------------------------------------

Can you help me troubleshoot the problem?

Re: Help with Secureshell

Does the file "/etc/shells" contain "/bin/MySecureShell"?

Re: Help with Secureshell

teka wrote:

Does the file "/etc/shells" contain "/bin/MySecureShell"?

This is what I have. Please let me know if anything is wrong:
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/bin/MySecureShell

--------------------------------------------------------------------------------------------

[root@localhost ssh]# MySecureShell -v -v --checkconfig
--- UNKNOW OPTION: --checkconfig ---

Build:
        MySecureShell is version 0.61 build on Jul 29 2009

Usage:
        MySecureShell [verbose] [options]

Options:
        --configtest : test the config file and show errors
        --help       : show this screen

Verbose:
        -v           : add a level at verbose mode
[root@localhost ssh]# MySecureShell -v -v --configtest
--- root ---
Home                    = /home/root
ByPassGlobalDownload    = false
ByPassGlobalUpload      = false
GlobalDownload          = 51200 bytes/s
GlobalUpload            = 0 bytes/s
Download                = 5120 bytes/s
Upload                  = 0 bytes/s
StayAtHome              = true
VirtualChroot           = true
LimitConnection         = 50
LimitConnectionByUser   = 20
LimitConnectionByIP     = 3
IdleTimeOut             = 300s
ResolveIP               = true
DirFakeUser             = true
DirFakeGroup            = true
DirFakeMode             = 0400
HideFiles               = ^(lost\+found|public_html)$
HideNoAccess            = true
MaxOpenFilesForUser     = 20
MaxReadFilesForUser     = 10
MaxWriteFilesForUser    = 10
PathDenyFilter          = ^\.
Shell                   = {no shell}
ShowLinksAsLinks        = false
DefaultRights           = 0640 0750
ConnectionMaxLife       = 86400s
Config is valid.
----------------------------------------------------------------------------

sftp-state reports server is UP:
[root@localhost utils]# sftp-state
Server is up
[root@localhost utils]#
----------------------------------------------------------------------------
This is my sftp-config file:

#Default rules for everybody
<Default>
        GlobalDownload          50k     #total speed download for all clients
                                        # o -> bytes   k -> kilo bytes   m -> mega bytes
        GlobalUpload            0       #total speed download for all clients (0 for unlimited)
        Download                5k      #limit speed download for each connection
        Upload                  0       #unlimit speed upload for each connection
        StayAtHome              true    #limit client to his home
        VirtualChroot           true    #fake a chroot to the home account
        LimitConnection         50      #max connection for the server sftp
        LimitConnectionByUser   20      #max connection for the account
        LimitConnectionByIP     3       #max connection by ip for the account
        Home                    /home/$USER     #overrite home of the user but if you want you can use
                                                #       environment variable (ie: Home /home/$USER)
        IdleTimeOut             300     #(in second) deconnect client is idle too long time
        ResolveIP               true    #resolve ip to dns
        IgnoreHidden            true    #treat all hidden files as if they don't exist
        DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)
        DirFakeGroup            true    #Hide real file/directory group (just change displayed permissions)
        DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)
                                        #Add execution right for directory if read right is set
        HideFiles               "^(lost\+found|public_html)$"   #Hide file/directory which match
                                                                #this extented POSIX regex
        HideNoAccess            true    #Hide file/directory which user has no access
        MaxOpenFilesForUser     20      #limit user to open x files on same time
        MaxWriteFilesForUser    10      #limit user to x upload on same time
        MaxReadFilesForUser     10      #limit user to x download on same time
        DefaultRights                   0640 0750       #Set default rights for new file and new directory

        PathDenyFilter          "^\."   #deny upload of directory/file which match this extented POSIX regex

        ShowLinksAsLinks        false   #show links as their destinations
        ConnectionMaxLife       1d      #limits connection lifetime to 1 day
</Default>

#Rules only for group ftp
<Group ftp>
        Download        25 k/s
</Group>

<Group old_client>
        SftpProtocol            3
</Group>

#Rules only for group ftpnolimit
<Group ftpnolimit>
        Download                0       #0 = unlimited
        IdleTimeOut             0       #no timeout
        DirFakeUser             false   #show real user on file/directory
        DirFakeGroup            false   #show real group on file/directory
        DirFakeMode             0       #show real rights on file/directory
        HideFiles               ""      #show all files
        MaxReadFilesForUser     0       #0 = unlimited but still have the restriction MaxOpenFilesForUser

</Group>

<IpRange 192.168.0.1-192.168.0.5>
        ByPassGlobalDownload    true    #bypass GlobalDownload restriction
        ByPassGlobalUpload      true    #bypass GlobalUpload restriction
        Download                0
</IpRange>


<Group trusted_users>
        Shell           /bin/tcsh       #give a shell access to TRUSTED clients !!!
</Group>


<VirtualHost *:22>
        Home    "/home"
</VirtualHost>

#Include /etc/my_sftp_config_file       #include this valid configuration file
---------

This is my sshd_config file:

#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp /bin/MySecureShell -c sftp-server

----------
And my /etc/passwd:

test:x:500:500::/home/test:/bin/MySecureShell

----------
Anything wrong?!?!

Re: Help with Secureshell

Hi,


OK, the problem is simple.

We have 2 ways to use MySecureShell:

  • Have shell "/bin/MySecureShell"

  • Put "Subsystem sftp /bin/MySecureShell -c sftp-server" in sshd_config

But for old versions, you have to choose one method... not both at the same time.
The best way is to use MySecureShell as the shell.
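
The situation described in the reply above can be checked mechanically. The script below is an added example, not part of the original posts and not MySecureShell's own tooling: it reads a passwd file, a shells file and an sshd_config, and reports whether an account uses the shell method, the Subsystem method, or both. The function names, verdict strings and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify how one account is wired to
# MySecureShell, using the three files the posters compare.
MSS=/bin/MySecureShell

# Login shell (7th passwd field) of user $1 in passwd file $2.
login_shell() { awk -F: -v u="$1" '$1 == u { print $7 }' "$2"; }

# Command of the active (uncommented) "Subsystem sftp" line in sshd_config $1.
sftp_subsystem() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
             $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_mss USER PASSWD SHELLS SSHD_CONFIG -> prints one verdict word.
check_mss() {
    sh_path=$(login_shell "$1" "$2")
    [ -n "$sh_path" ] || { echo no-such-user; return 0; }
    # A login shell missing from the shells file is reported first.
    grep -Fxq "$sh_path" "$3" || { echo shell-not-in-etc-shells; return 0; }
    case "$(sftp_subsystem "$4")" in
        "$MSS"|"$MSS "*) sub=1 ;;
        *) sub=0 ;;
    esac
    if [ "$sh_path" = "$MSS" ] && [ "$sub" -eq 1 ]; then echo both-methods
    elif [ "$sh_path" = "$MSS" ]; then echo shell-method
    elif [ "$sub" -eq 1 ]; then echo subsystem-method
    else echo not-configured; fi
}

# Constructed sample files mirroring the values posted in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf 'test:x:500:500::/home/test:/bin/MySecureShell\n' > "$d/passwd"
    printf '/bin/sh\n/bin/bash\n/bin/MySecureShell\n' > "$d/shells"
    printf '#Subsystem sftp /usr/libexec/openssh/sftp-server\nSubsystem sftp /bin/MySecureShell -c sftp-server\n' > "$d/sshd_config"
    check_mss test "$d/passwd" "$d/shells" "$d/sshd_config"   # as posted
    printf 'Subsystem sftp /usr/libexec/openssh/sftp-server\n' > "$d/sshd_config"
    check_mss test "$d/passwd" "$d/shells" "$d/sshd_config"   # shell only
    rm -rf "$d"
}
demo
```

On a real host the arguments would be `/etc/passwd`, `/etc/shells` and `/etc/ssh/sshd_config`; a `both-methods` verdict matches the combination the reply says old versions do not support.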

7 (edited by mojoman 2009-08-04 19:04:11)

Re: Help with Secureshell

teka wrote:

Hi,


OK, the problem is simple.

We have 2 ways to use MySecureShell:

  • Have shell "/bin/MySecureShell"

  • Put "Subsystem sftp /bin/MySecureShell -c sftp-server" in sshd_config

But for old versions, you have to choose one method... not both at the same time.
The best way is to use MySecureShell as the shell.

I installed the latest version and I just use the /bin/MySecureShell method. Is that okay?

Re: Help with Secureshell

Yep