Syslog and sftp chroot

I'm configuring sftp (patched openssh with sftplogging and chroot) but I have problems with logging.
The sftplogging site hints to create chroot/dev/log in the chrooted environment and launch syslogd -a chroot/dev/log, but Solaris syslogd doesn't have the -a option.
Is there an alternative way, or must I install syslog-ng?

Can you post sshd_config?
Edit: It's probably NOT client side. It's a chroot environment (which I had totally misread.) So this has to be a server side misconfiguration. Sorry, it's late.
Last edited by Minsc (2014-06-19 03:14:28)

Similar Messages

  • SFTP chroot from non-global zone to zfs pool

    Hi,
    I am unable to create an SFTP chroot inside a zone to a shared folder on the global zone.
    Inside the global zone:
    I have created a zfs pool (rpool/data) and then mounted it to /data.
    I then created some shared folders: /data/sftp/ipl/import and /data/sftp/ipl/export
    I then created a non-global zone and added a file system that loops back to /data.
    Inside the zone:
    I then did the usual stuff to create a chroot sftp user, similar to: http://nixinfra.blogspot.com.au/2012/12/openssh-chroot-sftp-setup-in-linux.html
    I modified the /etc/ssh/sshd_config file and hard wired the ChrootDirectory to /data/sftp/ipl.
    When I attempt to sftp into the zone an error message is displayed in the zone -> fatal: bad ownership or modes for chroot directory /data/
    Multiple web sites warn that folder ownership and access privileges are important. However, issuing chown -R root:iplgroup /data made no difference. Perhaps it is something to do with the fact the folders were created in the global zone?
    If I create a simple shared folder inside the zone it works, e.g. /data3/ftp/ipl......ChrootDirectory => /data3/ftp/ipl
    If I use the users home directory it works. eg /export/home/sftpuser......ChrootDirectory => %h
    FYI. The reason for having a ZFS shared folder is to allow separate SFTP and FTP zones and a common/shared data repository for FTP and SFTP exchanges with remote systems. e.g. One remote client pushes data to the FTP server. A second remote client pulls the data via SFTP. Having separate zones increases security?
    Any help would be appreciated to solve this issue.
    Regards John

    sanjaykumarfromsymantec wrote:
    Hi,
    I want to do IPC between inter-zones (communication between processes running in two different zones). So what are the different techniques that can be used? I am not interested in TCP/IP (AF_INET) sockets.

    Zones are designed to prevent most visibility between non-global zones and other zones. So network communication (like you might use between two physical machines) is the most common method.
    You could mount a global zone filesystem into multiple non-global zones (via lofs) and have your programs push data there. But you'll probably have to poll for updates. I'm not certain that's easier or better than network communication.
    Darren
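The "bad ownership or modes for chroot directory" error quoted in the thread above comes from a check sshd applies to every component of the ChrootDirectory path: each one must be a directory, owned by root, and not writable by group or others. The following is an added example, not code from the posts or from OpenSSH itself; it reproduces that walk so the failing component can be found, and the sample tree and its modes are constructed for illustration.

```python
import errno
import os
import stat
import sys
from collections import namedtuple


def path_components(path):
    """Return '/', '/a', '/a/b', ... for an absolute path, root first."""
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    components, current = ["/"], "/"
    for part in filter(None, path.split("/")):
        current = os.path.join(current, part)
        components.append(current)
    return components


def audit_chroot(path, stat_fn=os.stat):
    """Check every component; return a list of (component, [problems])."""
    findings = []
    for component in path_components(path):
        try:
            st = stat_fn(component)  # stat() follows symlinks
        except OSError as exc:
            findings.append((component, ["cannot stat: %s" % exc.strerror]))
            break  # nothing below a missing component can be checked
        problems = []
        if st.st_uid != 0:
            problems.append("owned by uid %d, must be root (uid 0)" % st.st_uid)
        if st.st_mode & 0o022:
            problems.append("mode %04o is writable by group or others"
                            % stat.S_IMODE(st.st_mode))
        if not stat.S_ISDIR(st.st_mode):
            problems.append("not a directory")
        if problems:
            findings.append((component, problems))
    return findings


# Constructed sample tree (not taken from the thread): /data is root-owned
# but group-writable, the /data3 tree is clean.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
SAMPLE_TREE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/data": FakeStat(stat.S_IFDIR | 0o775, 0),
    "/data/sftp": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/data/sftp/ipl": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/data3": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/data3/ftp": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/data3/ftp/ipl": FakeStat(stat.S_IFDIR | 0o755, 0),
}


def sample_stat(path):
    """stat() stand-in backed by SAMPLE_TREE, so the check runs offline."""
    try:
        return SAMPLE_TREE[path]
    except KeyError:
        raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)


if __name__ == "__main__":
    # With an argument, audit the real filesystem; without, the sample tree.
    if len(sys.argv) > 1:
        results = audit_chroot(sys.argv[1])
    else:
        results = audit_chroot("/data/sftp/ipl", sample_stat)
    for component, problems in results:
        print("%s: %s" % (component, "; ".join(problems)))
    sys.exit(1 if results else 0)
```

Group ownership alone does not trip the check; the group write bit does, so a directory owned by root:iplgroup passes only when its mode has no group or other write permission.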

  • [SOLVED] SFTP-chroot Wiki incorrect? Use /sbin/nologin not /bin/false?

    Following the instructions on https://wiki.archlinux.org/index.php/SFTP-chroot, setting the login shell with
    # usermod -s /bin/false sftpuser1
    does not allow me to sftp into the user account.
    Sshd debug output is
    debug1: userauth-request for user sftpuser1 service ssh-connection method password [preauth]
    debug1: attempt 4 failures 3 [preauth]
    debug1: PAM: password authentication failed for sftpuser1: Authentication failure
    Failed password for sftpuser1 from <IP> port 42482 ssh2
    When replaced with the following two steps, I am able to sftp into the user account
    # usermod -s /sbin/nologin sftpuser1
    and add the following line to /etc/shells
    /sbin/nologin
    Should the wiki page be updated or am I missing something?
    Last edited by willemw (2013-02-21 12:44:56)

    I had a similar problem, I had /sbin/nologin for the users, but I didn't put it into /etc/shells. That worked fine until one of the last updates to openssh, the sftp-users couldn't login after that.
    I did some investigating and found the cause: the file /etc/pam.d/sshd was changed in one of the last updates, changing the way logins are checked against pam for ssh. In the old file there was no check against /etc/shells, which basically meant you could have anything set as shell for the sftp-users. But with the change in the pam file (it's now referencing the base pam files), /etc/shells is now also checked on ssh login, which renders the logins created like described on the wiki-page unusable.
    So it seems the way the OP used (/sbin/nologin and entry in /etc/shells) is the right one. I have edited the wiki to reflect this change.
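Both posts in this thread describe accounts that stop authenticating once PAM checks the login shell against /etc/shells (pam_shells is the standard module for that check). The following is an added example, not code from the posts or the wiki; it lists the accounts such a check would reject, and the passwd and shells contents are constructed samples.

```python
import sys


def parse_shells(shells_text):
    """Return the shell paths listed in /etc/shells-style text."""
    shells = set()
    for line in shells_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("/"):
            shells.add(line.split()[0])       # first token is the path
    return shells


def rejected_accounts(passwd_text, shells_text):
    """Return [(user, shell)] for accounts whose shell is not listed."""
    allowed = parse_shells(shells_text)
    rejected = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or NIS-style line: not a local account
        # passwd(5): an empty shell field defaults to /bin/sh
        name, shell = fields[0], fields[6] or "/bin/sh"
        if shell not in allowed:
            rejected.append((name, shell))
    return rejected


# Constructed samples (account names beyond sftpuser1 are hypothetical).
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
sftpuser1:x:1001:1001::/srv/sftp/sftpuser1:/bin/false
sftpuser2:x:1002:1002::/srv/sftp/sftpuser2:/sbin/nologin
legacy:x:1003:1003::/home/legacy:
"""
SHELLS_BEFORE = "# valid login shells\n/bin/sh\n/bin/bash\n"
SHELLS_AFTER = SHELLS_BEFORE + "/sbin/nologin\n"

if __name__ == "__main__":
    # With two arguments, audit real files: passwd path, then shells path.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            results = rejected_accounts(p.read(), s.read())
    else:
        results = rejected_accounts(SAMPLE_PASSWD, SHELLS_AFTER)
    for name, shell in results:
        print("%s: shell %s is not in /etc/shells" % (name, shell))
```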

  • Mounting samba share starts avahi, ssh and sftp at client

    The problem is at the client. When I mount a samba share (with # mount), avahi is started, which starts ssh and sftp. This is wrong on many levels.
    Not sure how long this has been going on, someone else already asked this on stackexchange on 11.2.15, but didn't get any answers.
    Journal output immediately after mounting (hostname, ip etc. removed):
    Mär 18 01:35:51 hostname dbus[434]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
    Mär 18 01:35:51 hostname systemd[1]: Cannot add dependency job for unit boot.automount, ignoring: Unit boot.automount is masked.
    Mär 18 01:35:51 hostname systemd[1]: Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
    Mär 18 01:35:51 hostname systemd[1]: Starting Avahi mDNS/DNS-SD Stack Activation Socket.
    Mär 18 01:35:51 hostname systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Found user 'avahi' (UID 84) and group 'avahi' (GID 84).
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully dropped root privileges.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: avahi-daemon 0.6.31 starting up.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
    Mär 18 01:35:51 hostname dbus[434]: [system] Successfully activated service 'org.freedesktop.Avahi'
    Mär 18 01:35:51 hostname systemd[1]: Started Avahi mDNS/DNS-SD Stack.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully called chroot().
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully dropped remaining capabilities.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Loading service file /services/sftp-ssh.service.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Loading service file /services/ssh.service.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Joining mDNS multicast group on interface enp1234.IPv4 with address myip.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: New relevant interface enp1234.IPv4 for mDNS.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Network interface enumeration completed.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Registering new address record for myip on enp1234.IPv4.
    Mär 18 01:35:51 hostname avahi-daemon[2583]: Registering HINFO record with values 'X86_64'/'LINUX'.
    Mär 18 01:35:52 hostname avahi-daemon[2583]: Server startup complete. Host name is hostname.local. Local service cookie is 123.
    Mär 18 01:35:53 hostname avahi-daemon[2583]: Service "hostname" (/services/ssh.service) successfully established.
    Mär 18 01:35:53 hostname avahi-daemon[2583]: Service "hostname" (/services/sftp-ssh.service) successfully established.

    Thanks for your answer.
    snakeroot wrote: Are you sure it is actually starting ssh and sftp or is it just having avahi advertise them as existing?
    I'm not sure if anything is started, the term "Service ssh successfully established" sounds like the ssh server is started to me, but it might just be strange wording. What does "advertise as existing" mean?
    From the snippet you quoted, it looks like the latter. Unless you have already started socket activation for ssh or sftp, whether via systemd *.socket or inetd, I'm not sure it would actually be started.
    I didn't enable anything manually.
    I think you can rm/mv the sftp-ssh.service and ssh.service files /etc/avahi/services/ and prevent those services from being advertised.
    OK thanks for the hint. Nonetheless I would rather stop avahi from starting than configuring it.
    Begin rant...
    I'm a bit annoyed that avahi is starting without my permission. Seems like systemd is getting a bit overzealous with starting services. Interestingly this was one of the big problems with upstart, and was supposed to be solved with systemd. I still like systemd.

  • GPG and SFTP in PeopleSoft

    I'm preparing a report on how to securely send files and documents to external partners. I have settled on running GPG and SFTP key authentication through command calls to the Batch UNIX server. Does anyone have any experience in setting this up directly in the web interface? I ask because if I understand correctly, OpenSSL is included in the Encryption pages as well as glue for PGP. Thanks for any info.

    For non-interactive sftp you'll have to set up authentication keys. For doing that I think you need openssh and not just openssl.
    You can possibly call your sftp scripts with system calls from inside an app engine.
    OR
    Open up PeopleBooks and go to
    PeopleBooks > Enterprise PeopleTools 8.49 PeopleBook: PeopleSoft Integration Broker > Using Listening Connectors and Target Connectors
    and then scroll down to 'Working With the FTP Target Connector'

  • PGP Encryption Exception in File and SFTP receiver adapter.

    Scenario: We have got the PGP (Private and Public key pair) and stored the same in PI server path.
    We have a sample partner Public key which is stored at a temporary shared location for testing purposes.
    Issue: While doing the encryption we are getting below exception in case of File Adapter and SFTP adapter.
    Case 1: File Receiver Adapter
    Case 1: SFTP Receiver Adapter
    Can anyone please suggest on below exception?
    How to proceed to resolve the above issue or what should be the cause of the issue?
    Thanks,
    Vertika

    Hi everyone,
    Thanks for reply Sarah
    I have downloaded and added the JCE unlimited strength jurisdiction policy files; they are updated as directed in the above blogs.
    Now I am able to encrypt the File using the plain File Adapter (NFS). But still it is throwing an exception for the SFTP adapter. Below is the error detail:
    MP: exception caught with cause javax.ejb.TransactionRolledbackLocalException: ASJ.ejb.005043 (Failed in component: sap.com/com.sap.aii.adapter.pgp.app, BC-XI-CON-B2B) Exception raised from invocation of public com.sap.aii.af.lib.mp.module.ModuleData com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean.process(com.sap.aii.af.lib.mp.module.ModuleContext,com.sap.aii.af.lib.mp.module.ModuleData) throws com.sap.aii.af.lib.mp.module.ModuleException method on bean instance com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean@2648d238 for bean sap.com/com.sap.aii.adapter.pgp.app*xml|com.sap.aii.adapter.pgp.ejb.jar*xml|PGPEncryption in application sap.com/com.sap.aii.adapter.pgp.app.; nested exception is: java.lang.NullPointerException: while trying to invoke the method com.sap.engine.interfaces.messaging.api.Message.getMessageKey() of a null object loaded from local variable 'message'; nested exception is: javax.ejb.EJBException: ASJ.ejb.005043 (Failed in component: sap.com/com.sap.aii.adapter.pgp.app, BC-XI-CON-B2B) Exception raised from invocation of public com.sap.aii.af.lib.mp.module.ModuleData com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean.process(com.sap.aii.af.lib.mp.module.ModuleContext,com.sap.aii.af.lib.mp.module.ModuleData) throws com.sap.aii.af.lib.mp.module.ModuleException method on bean instance com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean@2648d238 for bean sap.com/com.sap.aii.adapter.pgp.app*xml|com.sap.aii.adapter.pgp.ejb.jar*xml|PGPEncryption in application sap.com/com.sap.aii.adapter.pgp.app.; nested exception is: java.lang.NullPointerException: while trying to invoke the method
    What could be the reason of above exception in SFTP adapter? Please suggest.
    Thanks,
    Vertika

  • Setting up FTP and SFTP adapters for the same interface

    Experts-
    I have a situation in which the client has a requirement to set up both FTP and SFTP adapters (from adaptive adapters) for the same interface. They want to have a copy of the file locally and also want a file to be sent out securely using SFTP. In my interface, which was previously developed, they have used one business system and added FTP and SFTP to the same. If I try to add a new Receiver Agreement it will say that the object already exists as the Interface Mapping is the same.
    Please send me any suggestions which would resolve my problem

    Hi Hari,
    As you cannot create two Receiver agreements using only one receiver interface, please create a new receiver Interface, add that in the interface determination step and then assign a different channel to the new receiver agreement.
    If your requirement is to store the file, I would suggest writing the file in your unix directory using NFS (/usr/sap...), then run an AFT job (if already set up in your landscape) to transfer the file securely to the target destination. Not sure if it's feasible in your case; otherwise you can use SFTP for the secure transfer.
    Best Regards
    Srinivas

  • Dreamweaver CS5.5 and SFTP

    Greetings
    I am trying to connect to my FTP Server with Dreamweaver using SFTP (port 22). I can connect using FTP (port 21). I can also connect using the same credentials, with SFTP using CuteFTP client.
    Any suggestions?

    Jive
    Sorry, no I am not able to connect to the FTP server. The credentials are
    correct. I can connect using a ftp client and Coldfusion Builder but, I
    cannot connect through Dreamweaver or Contribute.
    I hope that helps.
    Sincerely
    Ray Bakker
    Web Developer | Corporate Information & Technology | City of Thunder Bay
    T: 807.625.3024 |  F: 807.623.3999 | E: [email protected]
    http://www.thunderbay.ca
    From:   SnakEyez02 <[email protected]>
    To:     Ray Bakker <[email protected]>
    Date:   02/11/2011 12:08 PM
    Subject:        Dreamweaver CS5.5 and SFTP
    Re: Dreamweaver CS5.5 and SFTP
    created by SnakEyez02 in Dreamweaver - View the full discussion
    So based on this last post you are able to connect but you are not able to
    transfer files.  And based on the error I will assume uploading new files
    is ok, it's just the overwriting that is causing an issue or uploading,
    even new files, to a specific folder is causing an issue.  Can you verify
    that the ownership settings are correct on your account (you may need to
    contact your host to fix if this is the issue)?

  • Howto to get the year timestamp in syslog and logadm files

    5.10 Generic_141414-10 sun4u sparc
    Howto to get the year timestamp in syslog and logadm
    We have to keep logs files for a long time, I was exploring logs in /var/adm/secure and noticed that log files over a year old did not have a year time stamp, they are in this format:
    Nov 12 09:09:16
    And on the face of it. /varlog/syslog is the same, I thought no problem, there will be something in syslog.conf or logadm.conf I change and it will be fixed, but I cannot find any options to change this, how do I get the year in my log files?
    The "date" command does output the year:
    Friday, September 14, 2012  7:57:36 AM

    My guess is that the fields in a message logged by syslog are fixed, so you can't add a field to it.
    The reason for this is simply that there might be other applications parsing your syslog messages, or there might be other systems syslogging to your system, and that would break if you would add fields.
    The easiest workaround is probably to keep better track of your logs by either implementing an annual rotation of them from crontab, or log the date using the "logger" command on a regular basis.
    A third option would be to look at syslog-ng or rsyslog, which is more flexible when it comes to storing logs, and among other things can store them into a SQL db..
    .7/M.

  • Native SSH and SFTP in LabVIEW

    At the risk of re-opening a can of worms, is there any consideration for adding native SSH and SFTP support for LabVIEW?
    Using PuTTy/plink is cumbersome and not cross-platform.
    Calling a .NET (or any other) external assembly is cumbersome and not cross-platform.
    Labwerx SSH has a terrible licensing model (not to mention the additional cost).
    It is 2015, and SSH/SFTP is ubiquitous and not going away. These protocols should be natively supported in LabVIEW.
    I have seen this idea on the exchange (http://forums.ni.com/t5/LabVIEW-Idea-Exchange/Native-SSH-and-SFTP-Support/idi-p/1141529), but there hasn't been any movement in 5 years. I would appreciate any news from NI here, even in the negative. If LabVIEW isn't going to support SSH anytime soon, it would be better to find out now.

    I doubt it is likely to happen any time soon - the LabSSH toolkit is pretty reasonably priced when you compare it to how long it would take you to implement the functionality yourself and there is nothing to stop you from implementing it yourself using the TCP/IP functions which are in LabVIEW. You can of course use the command-line interface to something like WinSCP / PuTTy as well.
    I did also find a wrapper that someone had made for an Open Source .NET SSH library called Renci
    I downloaded a copy from this thread: http://forums.ni.com/t5/LabVIEW/Plink-PuTTY-works-30-of-the-time-using-System-Exec-vi/td-p/3002261
    There is also another implementation of the wrapper here: https://decibel.ni.com/content/docs/DOC-41388
    Certified LabVIEW Architect, Certified TestStand Developer
    NI Days (and A&DF): 2010, 2011, 2013, 2014
    NI Week: 2012, 2014
    Knowledgeable in all things Giant Tetris and WebSockets

  • FTPS and SFTP

    hi, what is the difference between FTPS and SFTP and does XI support FTPS and SFTP.  Please elaborate.
    krishnan

    Hi also have a look at this
    if u want to view the difference between FTPS (that XI supports) and SFTP, please refer this link
    http://www.enterprisedt.com/forums/viewtopic.php?p=136&sid=28d66491b43c6bf90448deea4936bc15
    HTTPS / SFTP with XI
    Hey have a look at the following also
    http://en.wikipedia.org/wiki/FTPS
    Thanks !!

  • ACE and ANM, Syslog and SNMP Traps

    Hi guys.. another ACE/ANM question.
    I configured the ACE devices to send Syslog and SNMP messages to the ANM server. But i got a couple of questions:
    What's the difference between using the:
    logging history 4 (this would send logging messages as SNMP traps according to doc)
    And:
    snmp-server host x.x.x.x traps version 2c public
    snmp-server trap-source vlan 1000
    This of course I think should do the same..
    The funny and weird thing, in the ANM Event viewer, I can only see syslog messages, not one snmp event.
    Thanks!
    Omar
    PS: ACE ver A2.4
          ANM Ver 4.2

    Hi Omar,
    Let's see if I can clarify your questions.
    As you mentioned, the "logging history 4" command specifies that, syslog messages of severity 4 and higher will be sent as SNMP traps. After you configure it, you need the "snmp-server host x.x.x.x traps version 2c public" command to specify what will be the destination IP and SNMP community for these traps.
    It would only make sense to use the "logging history 4" command if your monitoring application doesn't support receiving syslog messages. However, since ANM is able to get syslog messages from the ACE without issues, I would just configure a destination for syslog message instead (with "logging host x.x.x.x")
    I hope this makes this point more clear.
    Now, moving on to why you are not seeing any SNMP traps in your ANM, the first things you would need to check are:
    -- Did you enable traps? You would use the "ACE(config)# snmp-server enable traps" command for this
    -- Are traps being sent? You can use the "show snmp" command and check if the "Trap PDUs" counter increases
    -- Is ANM getting these traps? This is the most complicated step. For this, I would recommend getting a traffic capture on the ANM server (if it's installed on linux) or as close as possible to it if it's an ANM appliance
    I hope this helps
    Daniel

  • [Solved] New Arch installation: Where is syslog and/or messages?

    I have a new installation of Arch via the 2012.11.01 install disk. I'm wondering, and this is probably a dumb question, but, where is the syslog and/or message log files? I don't see them under /var/log anymore.
    Thanks for the help,
    jin
    Last edited by jin (2012-11-10 20:25:32)

    I think this article will be helpful.

  • JDev 11.1.1.4.0 Support for SSH and SFTP

    Using JDeveloper 11.1.1.4.0
    I've tried researching Oracle docs, but find nothing on Secure FTP (SFTP). Does Oracle ADF have built-in SSH and SFTP Java libraries? If not, has anyone had success with the Java libraries from SourceForge or is there something better out there?
    Thanks,
    Troy

    There is no built-in ftp or ssh library in jdev. I used http://commons.apache.org/net/ in one of my projects.
    Timo

  • CiscoWorks Syslog and TFTP servers

    Hi!
    Is it possible to disable CiscoWorks syslog and tftp servers and thus
    free ports 514 and 69 for other applications?
    Thank you,
    Oleg Tipisov,
    REDCENTER,
    Moscow

    The problem is that I don't know what service needs to be stopped.
    Do I need to kill the process (crmlog, crmtftp) ?
