Re: ssh and /etc/group

From: Nico Kadel-Garcia (nkadel@bellatlantic.net)
Date: 12/13/01


From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net>
Date: Thu, 13 Dec 2001 13:58:52 GMT


"Janne Bergman" <bjp@kaarne.cs.tut.fi> wrote in message
news:9v9ksl$597$1@news.cc.tut.fi...
> Nico Kadel-Garcia <nkadel@bellatlantic.net> wrote:
>
> : "Stein Arne Storslett" <stein.arne.storslett@edb.CUTTHESPAM.com> wrote in
> : message news:9v7ku7$5r3@info.telenor.no...
> :> Hi.
> :>
> :> We use ssh to connect to our systems, but I get one problem:
> :> It would seem that ssh does not read /etc/group and assigns proper
> :> authorizations regarding this information.
> :> When logging in via telnet or su'ing it would seem that /etc/group is read
> :> since each user gets proper rights.
> :>
> :> I have read the man-pages and search css for this but to no avail.
> :>
> :> How can sshd be forced to use /etc/group?
>
> : SSH and other login systems get their knowledge of the user's standard group
> : membership from the fourth field in the /etc/passwd or /etc/shadow entry, or
> : from NIS depending on your local setup.
>
> : What OS are you using and what version of SSH?
>
>
> So is it so that SSH doesn't read the /etc/group file?

It shouldn't: neither should "login" or "telnetd". They need the user's
login name, shell, UID and GID from the passwd file information, obtained
with the getpw* functions.

> I'm having similar problems. I'm running RH 6.2 w/ Linux 2.2.19
> kernel, SSH Communications Security Corp's SSH 2.2.0.

Hmm. First things first: replace with OpenSSH. The SRPMs from
www.openssh.com work great, and compile fairly easily under RedHat 6.2.
They're built for RedHat 7.2, but they transfer well with recompilation (for
the different glibc).

> The server also provides disk and print services to w2k users via
> samba, and some of the users are given the possibility to use sftp to
> access the shared files. Those users will be chrooted to /share (ssh's
> ChRootGroups sftpjail, user's primary group is sftpjail). Their shell is
> sftp-dummy-shell.static.

Whoah, nelly. The chroot ability is a new set of functions, and may be a
significant part of the difficulty. Does it work the same way in ssh.com's
ssh-2.2.0 as under OpenSSH with the 2.9.x chroot patch? Or does it have that
little "chroot" shell that some chroot users have explored?

> Problem is that some users can't access the files they have access
> to according to their groups in /etc/group when they use sftp, but they
> can access the files via samba. I've copied the /etc/passwd and /etc/group
> to /share/etc/ (or actually hard linked) so the chrooted users should
> have access to that info.

So what is their login shell? /bin/sh, or something else?

> I've a test user that is built exactly the same way as the users.
> It is able to access one folder (drwxrwx---) to which it has access
> according to the group settings. This group is not the primary group set
> in /etc/passwd. But it can't access the rest of the restricted folders it
> should have access to.
>
>
> Any explanations to this behaviour, or, even better, tips to how
> to solve the problem?

Woof. Let's see the /etc/group and /etc/passwd entries, and the directory
ownerships of the chrooted directory. I haven't gone near the chroot in
ssh.com's code, and am only just exploring it under OpenSSH. (So you may not
want to switch to OpenSSH just yet).

Note that I've found F-Secure useless for support: I've heard good things
for ssh.com themselves on this group, but haven't heard if they support
Linux well.
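The thread turns on where a login process gets the user's group memberships and which copy of /etc/group a chrooted process can see. As an added example (not code from any poster in this thread; the passwd/group contents, the user names and the "stale jail copy" of /etc/group are all constructed), this Python models what initgroups(3)/getgrouplist(3) compute from /etc/group and applies the classic Unix mode-bit check to a drwxrwx--- directory. It shows why a user who is listed in /etc/group is still denied when the process holds only the primary gid from passwd, or when the copy of /etc/group inside the chroot lacks the entry:

```python
import stat
from typing import Dict, List, Tuple

# Constructed sample files standing in for /etc/passwd and /etc/group.
# Names, uids and gids are invented for this example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1100:Alice:/share/home/alice:/share/sftp-dummy-shell.static
bob:x:1002:1100:Bob:/share/home/bob:/share/sftp-dummy-shell.static
"""

GROUP = """\
root:x:0:
sftpjail:x:1100:
finance:x:1200:alice
projects:x:1201:alice,bob
"""

# A constructed, out-of-date copy inside the chroot: the 'finance' line
# never made it into /share/etc/group.
JAIL_GROUP = """\
root:x:0:
sftpjail:x:1100:
projects:x:1201:alice,bob
"""

# Read + search on a directory, expressed in the 'other' bit positions.
R_X = stat.S_IROTH | stat.S_IXOTH


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map login name -> (uid, primary gid), the fields getpwnam() hands back."""
    users: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map group name -> (gid, member list) from /etc/group-style lines."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def group_list(user: str, passwd_text: str, group_text: str) -> List[int]:
    """Primary gid from passwd plus every gid whose member list names the user.

    This is what initgroups(3)/getgrouplist(3) compute. A login path that
    skips that step leaves the process with only the primary gid, and a
    chrooted process can only consult the group file inside the jail."""
    _uid, primary = parse_passwd(passwd_text)[user]
    gids = [primary]
    for gid, members in parse_group(group_text).values():
        if user in members and gid not in gids:
            gids.append(gid)
    return gids


def can_access(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: List[int], want: int) -> bool:
    """Classic Unix permission check: pick the owner, group or other bits
    by credential class, then require every requested bit.
    Simplified: root is treated as always allowed."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def finance_dir_check(user: str, group_text: str, init_groups: bool = True) -> bool:
    """Can `user` read and search a constructed /share/finance directory
    owned by root:finance with mode drwxrwx--- (0o770)?"""
    uid, primary = parse_passwd(PASSWD)[user]
    gids = group_list(user, PASSWD, group_text) if init_groups else [primary]
    return can_access(0o770, 0, 1200, uid, gids, R_X)


if __name__ == "__main__":
    print("alice, full group list:     ", finance_dir_check("alice", GROUP))
    print("alice, primary gid only:    ", finance_dir_check("alice", GROUP, init_groups=False))
    print("alice, stale jail copy:     ", finance_dir_check("alice", JAIL_GROUP))
    print("bob, full group list:       ", finance_dir_check("bob", GROUP))
```

The three failing cases look identical from the user's side (permission denied on a directory the user "should" have), which is why comparing the group list the process actually holds (`id -G` from inside the session, if a shell is available) against the system /etc/group and the jail's copy is the quickest way to tell an uninitialised supplementary list apart from a stale file in the chroot.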
