Solaris 10 Openssh v5.3p1 sftp chroot works but denied permission

Similar Messages

• SFTP chroot from non-global zone to zfs pool

  Hi,
  I am unable to create an SFTP chroot inside a zone to a shared folder on the global zone.
  Inside the global zone:
  I have created a zfs pool (rpool/data) and then mounted it to /data.
  I then created some shared folders: /data/sftp/ipl/import and /data/sftp/ipl/export
  I then created a non-global zone and added a file system that loops back to /data.
  Inside the zone:
  I then did the ususal stuff to create a chroot sftp user, similar to: http://nixinfra.blogspot.com.au/2012/12/openssh-chroot-sftp-setup-in-linux.html
  I modifed the /etc/ssh/sshd_config file and hard wired the ChrootDirectory to /data/sftp/ipl.
  When I attempt to sftp into the zone an error message is displayed in the zone -> fatal: bad ownership or modes for chroot directory /data/
  Multiple web sites warn that folder ownership and access privileges is important. However, issuing chown -R root:iplgroup /data made no difference. Perhaps it is something todo with the fact the folders were created in the global zone?
  If I create a simple shared folder inside the zone it works, e.g. /data3/ftp/ipl......ChrootDirectory => /data3/ftp/ipl
  If I use the users home directory it works. eg /export/home/sftpuser......ChrootDirectory => %h
  FYI. The reason for having a ZFS shared folder is to allow separate SFTP and FTP zones and a common/shared data repository for FTP and SFTP exchanges with remote systems. e.g. One remote client pushes data to the FTP server. A second remote client pulls the data via SFTP. Having separate zones increases security?
  Any help would be appreciated to solve this issue.
  Regards John

  sanjaykumarfromsymantec wrote:
  Hi,
  I want to do IPC between inter-zones ( commnication between processes running two different zones). So what are the different techniques can be used. I am not interested in TCP/IP ( AF_INET) sockets.Zones are designed to prevent most visibility between non-global zones and other zones. So network communication (like you might use between two physical machines) are the most common method.
  You could mount a global zone filesystem into multiple non-global zones (via lofs) and have your programs push data there. But you'll probably have to poll for updates. I'm not certain that's easier or better than network communication.
  Darren

• [SOLVED] SFTP-chroot Wiki incorrect? Use /sbin/nologin not /bin/false?

  Following the instructions on https://wiki.archlinux.org/index.php/SFTP-chroot, setting the login shell with
  # usermod -s /bin/false sftpuser1
  does not allow me to sftp into the user account.
  Sshd debug output is
  debug1: userauth-request for user sftpuser1 service ssh-connection method password [preauth]
  debug1: attempt 4 failures 3 [preauth]
  debug1: PAM: password authentication failed for sftpuser1: Authentication failure
  Failed password for sftpuser1 from <IP> port 42482 ssh2
  When replaced with the following two steps, I am able to sftp into the user account
  # usermod -s /sbin/nologin sftpuser1
  and add the following line to /etc/shells
  /sbin/nologin
  Should the wiki page be updated or am I missing something?
  Last edited by willemw (2013-02-21 12:44:56)

  I had a similar Problem, I had /sbin/nologin for the users, but I didn't put it into /etc/shells. That worked fine until one of the last updates to openssh, the sftp-users couldn't login after that.
  I did some investigating and found the cause: the file /etc/pam.d/sshd was changed in one of the last updates, changing the way logins are checked against pam for ssh. In the old file there was no check against /etc/shells, which basically meant you could have anything set as shell for the sftp-users. But with the change in the pam file (its now referencing the base pam files), /etc/shells is now also checked on ssh login, which renders the logins created like discribed on the wiki-page unusable.
  So it seems the way the OP used (/sbin/nologin and entry in /etc/shells) is the right one. I have edited the wiki to reflect this change.

• Syslog and sftp chroot

  i'm configuring sftp (patched openssh with sftplogging e chroot) but i've problems with logging.
  sftplogging site hints to create chroot/dev/log in chrooted enviroment and launch syslogd -a chroot/dev/log but solaris syslogd doesn't have -a option.
  there's an alternative way or i must install syslog-ng?

  Can you post sshd_config.
  Edit: It's probably NOT client side. It's a chroot environment (which I had totally misread.) So this has to be a server side misconfiguration. Sorry, it's late
  Last edited by Minsc (2014-06-19 03:14:28)

• Running SFTP from script but Task Scheduler does not like part of it.

  Hello,
  I am trying to do some (not so) simple file copying using SFTP in this manner:
   1) Map a drive to the destination, the SFTP program will not accept UNC paths
   2) Use SFTP to copy the files to the target Server
   3) Write a Timestamped entry to a log file
   4) Remove the source files after copy
   5) Remove the drive mapping
  Everything works but Step two and that only fails running from the Task Scheduler (W2K8 R2).  Running from the command line directly in PowerShell or using the Run box works fine all the way.
  The sftp program is BitVise SSH Client using their log utility.  The makes the command line very complicated.
  The line I use in the Scheduler is powershell "D:\Scripts\SFTP_TPCCommission.ps1" Dev  I have also tried using the -command parameter.  Again, it only does not work in the scheduler.
  Here is how I invoke it:
  $CmdLine = "`"D:\\Program Files (x86)\\Bitvise SSH Client\\logs\\`" sftpc " + $Server + " -pk=1 -cmd=`"put -o -lf Z:\" + $File + " /TPCCommissions`""
  & log ($CmdLine)
  I have also tried a Here String to do the same thing.  It works the same way.
  $ArgText = @"
  "D:\\Program Files (x86)\\Bitvise SSH Client\\logs\\" sftpc $Server -pk=1 -cmd="put -o -lf Z:\$File /TPCCommissions"
  Any ideas?

  In a batch file or at the command (not PS) line the command structure looks like this:
  log "D:\\Program Files (x86)\\Bitvise SSH Client\\logs\\" sftpc <user@server> -pk=1 -cmd="put -o -lf Z:\<Source> /<Destination>"
  The double slashes are requirement of the log program which calls the sftpc program with its command structure.
  The double-quoted section after "-cmd=" is required.  The Z: drive is mapped because the SFTP program does not support UNC paths. (Stupid, but that is all I have to work with.
  What you see in my post is just the part giving me trouble.  I am using PS to keep track of what I am copying to the destination and removing from the source and creating a timestamped log of that activity.
  As to the comment about Task Scheduler, I am using it.  Like I said, it all works fine from anywhere but the Task Scheduler.

• I am unable to open my Photoshop program after installing the entire Creative Suite: Premium Production 6. All other programs work, but with Photoshop it says that the program is "locked or in use by another user". I need this fixed immediately.

  I am unable to open my Photoshop program after installing the entire Creative Suite: Premium Production 6. All other programs work, but with Photoshop it says that it "Could not open a scratch file because the file is locked, you do not have necessary access permissions, or another program is using the file. Use the 'Properties' command in the Windows Explorer to unlock the file." Then I select "OK" and the next message comes up "Could not initialize Photoshop because the file is locked, you do not have the necessary permissions, or another program is using the file. Use the 'Properties' command in the Windows Explorer to unlock this file. I installed all of the programs on the same day from a CD. I need this fixed immediately.
  I am not interested in switching to Creative Cloud, so don't even suggest it. I spoke to Mashmi (or something to that effect) on the "Support" Chat and there was absolutely no support. Useless actually.
  Thanks in advance.

  Could not open a scratch file because the file is locked or you do not have the necessary access privileges. (…) | Mylen…
  Mylenium

• Report works but not when scheduling

  Hi,
  I have a report that copies table contents to a text file. When using this report from se38 everything works but every time we schedule the job from sm36 it gets status cancelled.
  The input to the report is what table should be copied and where it should be copied to.
  The error message is from sm36 job scheduling is: "Could not ascertain code page"
  Message class: FES
  What does this mean?
  regards
  Baran

  Where do you download the text file to?
  If you try to save to your PC, it will never work.
  You can not download to a local drive, only to UNIX or print the file to the spool. Then, later, you'll need to retrieve it either from UNIX or from the spool.

• Print from ipad if i connect a usb connector to my ipad can i connect my printer to it and print??as im thinking of buying the new ipad for work but i must be able toprint

  hi can any one help i want to get the new ipad for work but i need to print.i see i can buy a usb connector can i print if i plug my printer into the usb.

  If you have a USB printer connected to your computer, Mac or PC, you can activate or install AirPrint and print from your iPad over wifi without any special apps.
  Activate AirPrint in Mac OS X;
  http://netputing.com/airprintactivator/
  Add AirPrint to Windows;
  http://jaxov.com/2010/11/how-to-enable-airprint-service-on-windows/

• My phone will randomly disconnect from the wifi and when I retype the password it says it is wrong. It will eventually work but I have to wait for a message to pop up on my screen to allow me to retype the wifi password.

  When I first got my phone it worked perfectly fine with the wifi. Although later on I began to have problems connecting it. It will randomly disconnect from the wifi and when I try to retype the password it tells me it is wrong, although it is right. It will eventually work but in its own time, a message will pop up and allow me to type in the password and it will work. But sometimes it takes an hour or more and sometime it takes 10 minutes. I've seen where other people have had this problem but I don't know how to fix it. I'm not sure if it's an issue with my phone or if it's with my wifi. Does anyone know how to fix this?

  Does this happen with all Wi-Fi hotspots?  A specific one?
  Have you tried forgetting the Wi-Fi connection and then reconnecting to it?
  What about power cycling the Wi-Fi router?

• Why iPhone 6 Plus sound microphone not working, but in the case of sound recordings in conversation mode work?

  Why iPhone 6 Plus sound microphone not working, but in the case of sound recordings in conversation mode work?

  Sighhhh, wasted so much time yesterday and today going around Sony centre and then carphone warehouse. They told me to come back after Easter.
  I came home, banged the phone against the wall and it worked.
  Turned out that mic was working on loud speaker and when using headphones so I thought that the secondary mic is working and the main one (placed with the speakers) isn't. So I banged that part against the wall slightly (in plastic case to prevent scratches) then put the phone underwater, waited for it to dry and now it's working. Idk how well and if it's of perfect quality again but people can hear me well.

• How do I change my user name in syn? I typed in the wrong email address. And I cancelled syn thinking this may work but no luck.

  How do I change my user name in syn? I typed in the wrong email address. And I cancelled syn thinking this may work but no luck.

  You have to clear saved password for this page:
  # Open you login page (where you have to enter username and password).
  # Right click on page and select '''Page Info''' form context menu.
  # On last tab ('''Security''') there is '''View saved passwords''' button, click it and delete all saved passwords for this page.
  # Also clear all related cookies (just in case) there is button for this next to first one.

• I've been working with AI for some time time now & would love to have a light weight viewer to open the files. The bridge is fine when we're working but just being able to toggle through folders is impossible otherwse

  I was thinking of keeping things a bit easier in the way of clicking & dragging artwork into Illustrator. The bridge is fine when we're in the print shop & working but still has problems with some of the file extensions with the vectors. A lightweight no frills viewer that would open anything that Illustrator would open, so we could just burn through our regular file folders without opening AI or the bridge would be a great deal. Add the PS extensions too & we could dance by the firelight. Just offer it to those with the software & the valid codes for their software. I mean if there would be a problem with folks just grabbing it up. Love to have it though.

  A thumbnail preview file icon option would be nice. CorelDRAW has had this capability for its past few versions. It does make it a whole lot easier conducting searches in Windows File Explorer. You can find the right files pretty quickly and then drag/drop them into CorelDRAW.

• TS3367 facetime used to work but now does not work on any of my devices

  I have been in regular contact until about 4 days ago using facetime on my iphone 5 imac 10.7.5. ipad 2 now none of these devices work from incoming calls from Philipinnes. Take note the caller had latest macbook pro 13 inch  and is able to call Guam on fatetime with success. What is happening why is incoming calls alway failing. This has been 4 days running and is not good enough. Okay I havent got the latest updates but why in the late few days whould this effect anything. I mean 3 devices and none of them work. This is most frustrating and annoying. I have intead used skype which does work but at night time the camera is not as clear. Tanke note also earlier in the year I received calls from Vietnam and although I did have dropouts was always able to connect only these last four days have had no success. Also I have not been able to call out. The wireless has full bar and am near the modem that is not an issue. Unless there has been a recent change why is htis not working all of a sudden.

  THere seems to be a FaceTime issue and some users who have been in contact with Apple support claim that Apple is working on this.
  I have read many posts on the issue and have seen that there are many reporting that when they have updated their various devices to the latest software, the issue has been resolved.
  You can wait for Apple to resolve the issue OR you can update everything to the latest software and see if this solves your issues.

• HT4356 My iPad does not find the printer. I have tried the HP app and it works, but in any other app the printer is not seen. How do I get this printer visible to the iPad. All my other network computers find and print with out a problem.

  My iPad does not find the printer. I have tried the HP app and it works, but in any other app the printer is not seen. How do I get this printer visible to the iPad. All my other network computers find and print with out a problem.

  hi
  could you tell us what the other app is please

• IPhone 5 outgoing and incoming SMS works but incoming calls do not work. The dialler gets message this number is not in available in network.

  New I phone outgoing calls as well incoming SMS works but can not receive incoming calls. Caller gets the number does not exist in network.

       Like Superman, here I am to save the day! I can help you with your service in your home area dizzymslizzie. Let's start with what zip code are you in? Can I assume that there isn't any physical or liquid damage on the iPhone 5? Recently, there has been an update to the iPhone to iOS 7. If you have done this update then please provide the exact carrier version that's installed. Keep in mind that there is a difference in device performance between iOS 7 and the iOS 7 beta version. As you share this info, I will check the area to re-affirm that the issue is or is not network related.
  Thank you...
  ArnettH_VZW
  Follow us on Twitter @VZWSupport