P.S. - RE: [redhat-list] updates pending question

Constance Morris cmorris at daltonstate.edu
Mon May 13 16:03:12 UTC 2013



-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred Hovdestad
Sent: Friday, May 10, 2013 6:02 PM
To: General Red Hat Linux discussion list
Subject: Re: P.S. - RE: [redhat-list] updates pending question



On 10/05/13 03:02 PM, Constance Morris wrote:
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred Hovdestad
> Sent: Friday, May 10, 2013 4:37 PM
> To: General Red Hat Linux discussion list
> Subject: Re: P.S. - RE: [redhat-list] updates pending question
>
> On 10/05/13 02:29 PM, Constance Morris wrote:
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>> Sent: Friday, May 10, 2013 4:00 PM
>> To: General Red Hat Linux discussion list
>> Subject: Re: P.S. - RE: [redhat-list] updates pending question
>>
>> Alfred Hovdestad wrote:
>>> On 10/05/13 12:06 PM, Constance Morris wrote:
>>>>
>>>> I found an article titled ' can I set up sftp to chroot only 
>>>> particular users in rhel' and I followed the instructions of 
>>>> modifying the /etc/ssh/sshd_config to have:
>>>>
>>>> Comment out the #Subsystem 	sftp	/usr/libexec/openssh/sftp-server
>>>> And put this as active = subsystem	sftp	internal-sftp
>>>>
>>>> * Now my sshd_config was different than above. It had:
>>>> Subsystem 	sftp	/bin/sh -c 'umas 0002; /usr/libexec/openssh/sftp-server'
>>>>
>>>> Exactly like that. But I tried the above by commenting it out and 
>>>> adding the other line and the rest of the data as follows:
>>>>
>>>> Match Group www
>>>> 	ChrootDirectory /faculty-staff/%u
>>>> 	AllowTcpForwarding no
>>>> 	ForceCommand internal-sftp
>>>> 	X11Forwarding no
>>>>
>>>> And then did as it said and created a user, made a directory folder 
>>>> for that user in /faculty-staff and changed ownership and permissions.
>>>> Then it said to restart the sshd service and upon doing so I got 
>>>> the following error message:
>>>>
>>>> Starting sshd: /etc/ssh/sshd_config: line 122: Bad configuration option:
>>>> Match
>>>> /etc/ssh/sshd_config: terminating, 1 bad configuration options
>>>>
>>>> [FAILED]
>>>>
>>>> Any thoughts? The comments on the article mentioned there being a 
>>>> problem with selinux.
>>>>
>>> What version of Red Hat are you running?  I'm thinking that it is 
>>> likely RHEL 5.  The Match keyword for openssh was introduced with 
>>> openssh 5 (RHEL 6).  That might be why your predecessor had 
>>> installed a newer version of openssh (outside of RHEL).
>>>
>>> And if sshd isn't running your faculty won't be able to login.  You 
>>> may have to re-install the custom version of openssh to resolve this issue.
>>
>> I really don't think it's an sshd problem, at this point. She's got other (many other?) users who have no trouble; it's just these three, which is why I'm strongly leaning towards them having Web Expression on their workstations misconfigured.
>>
>>       mark
>> -- ----------
>>
>> P.S. Now Hassan can't log in and gets the same error message as jadams 'There's no site named /faculty-staff/username'.
>>
>> Constance
>>
>
> I don't think that you should have the %u on the ChrootDirectory.  Do all of these users have www as their default group?  It is the default group that gets matched on the sftp connection.
>
> --
> Alfred
> -----------
>
> Alfred,
> Okay, that's good to know if I have to make those changes again, but I had removed all of those changes to the sshd_config file when I ran into that error message after trying to restart the sshd service.
> So it doesn't have the 'Match Group www' info or the ChrootDirectory /faculty-staff/%u  info in that file anymore.
> Ah......for their faculty-staff directory pages then yes they all have the www group. However, ones like Cathy don't log in for the faculty-staff directory but to their department directory and it uses a different group. So I see my error there with having listed the 'www' group when I tried that.
> If I have to add those back in to the sshd_config file since I removed them when I got the error message......any suggestions on what I should use for the matched or should I leave that out of it?
>
> Constance
>

RHEL 5 (openssh 4) doesn't support the Match config parameter, so it's best to leave it out.

For the 'There's no site named /faculty-staff/username' error, it sounds as though they are trying to connect to the home directory, not to the server.  It's beginning to sound like Mark has the right idea: check the user configuration.  Make sure you know what they are doing when they try to connect to the Linux server.

--
Alfred

--

Hey Alfred,
Just wanted to let you know everything is working properly now and I really appreciated your help!
Have a great week!! :-)

Constance
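As an added example (not from the thread, and not Red Hat's own tooling), a POSIX shell script that checks the three things this exchange turned on before anyone restarts sshd: whether the installed OpenSSH is new enough for Match and ChrootDirectory, whether the chroot target (assumed here to be /faculty-staff) meets sshd's ownership rules, and whether the edited sshd_config passes `sshd -t`. It assumes GNU stat as shipped on RHEL; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: gate the sftp-chroot change on the
# OpenSSH version, verify the chroot target, and syntax-check sshd_config
# before any restart, so a bad keyword never takes sshd down mid-semester.

# Return 0 if an "ssh -V" string reports OpenSSH 4.8 or newer: Match
# appeared in 4.4, ChrootDirectory and internal-sftp in 4.8. RHEL 5 ships
# 4.3p2, RHEL 6 ships 5.3p1.
openssh_supports_chroot_sftp() {
    set -- $(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 1
    [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -ge 8 ]; }
}

# sshd refuses a ChrootDirectory unless every path component is owned by
# root and not group/world writable. Walk from the leaf up to "/".
# Assumes GNU stat (coreutils); requires an absolute path.
chroot_dir_ok() {
    d=$1
    case "$d" in /*) ;; *) echo "$d: not an absolute path" >&2; return 1;; esac
    while [ -n "$d" ] && [ "$d" != "/" ]; do
        set -- $(stat -c '%u %a' "$d" 2>/dev/null)
        [ $# -eq 2 ] || { echo "$d: cannot stat" >&2; return 1; }
        [ "$1" = 0 ] || { echo "$d: not owned by root" >&2; return 1; }
        # octal mode: a 2, 3, 6 or 7 in the group or other digit means writable
        case "$2" in *[2367]?|*[2367]) echo "$d: group/world writable" >&2; return 1;; esac
        d=$(dirname "$d")
    done
    return 0
}

# Syntax-check a candidate config without restarting anything. Returns 2
# when sshd is not on PATH (e.g. when run from a workstation).
sshd_config_valid() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"
}

main() {
    cfg=${1:-/etc/ssh/sshd_config}; chroot=${2:-/faculty-staff}
    ver=$(ssh -V 2>&1)
    openssh_supports_chroot_sftp "$ver" || { echo "$ver: too old for Match/ChrootDirectory, leave them out" >&2; exit 1; }
    chroot_dir_ok "$chroot" || exit 1
    sshd_config_valid "$cfg" && echo "$cfg passes sshd -t; safe to restart sshd"
}
# Only run the checks when invoked with a config path, e.g. ./check.sh /etc/ssh/sshd_config.new
if [ $# -ge 1 ]; then main "$@"; fi
```

Running it against a copy of the edited file (sshd_config.new) lets you see the "Bad configuration option: Match" message from the thread without the [FAILED] on the live service.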



