Syslog and sftp chroot
I'm configuring sftp (patched OpenSSH with sftplogging and chroot), but I have problems with logging.
The sftplogging site hints to create chroot/dev/log in the chrooted environment and launch syslogd -a chroot/dev/log, but Solaris syslogd doesn't have the -a option.
Is there an alternative way, or must I install syslog-ng?
Can you post your sshd_config?
Edit: It's probably NOT client side. It's a chroot environment (which I had totally misread). So this has to be a server-side misconfiguration. Sorry, it's late.
Last edited by Minsc (2014-06-19 03:14:28)
Similar Messages
-
SFTP chroot from non-global zone to zfs pool
Hi,
I am unable to create an SFTP chroot inside a zone to a shared folder on the global zone.
Inside the global zone:
I have created a zfs pool (rpool/data) and then mounted it to /data.
I then created some shared folders: /data/sftp/ipl/import and /data/sftp/ipl/export
I then created a non-global zone and added a file system that loops back to /data.
Inside the zone:
I then did the usual stuff to create a chroot sftp user, similar to: http://nixinfra.blogspot.com.au/2012/12/openssh-chroot-sftp-setup-in-linux.html
I modified the /etc/ssh/sshd_config file and hard-wired the ChrootDirectory to /data/sftp/ipl.
When I attempt to sftp into the zone an error message is displayed in the zone -> fatal: bad ownership or modes for chroot directory /data/
Multiple web sites warn that folder ownership and access privileges are important. However, issuing chown -R root:iplgroup /data made no difference. Perhaps it is something to do with the fact the folders were created in the global zone?
If I create a simple shared folder inside the zone it works, e.g. /data3/ftp/ipl with ChrootDirectory => /data3/ftp/ipl
If I use the user's home directory it works, e.g. /export/home/sftpuser with ChrootDirectory => %h
FYI. The reason for having a ZFS shared folder is to allow separate SFTP and FTP zones and a common/shared data repository for FTP and SFTP exchanges with remote systems. e.g. One remote client pushes data to the FTP server. A second remote client pulls the data via SFTP. Having separate zones increases security?
Any help would be appreciated to solve this issue.
Regards John
sanjaykumarfromsymantec wrote:
Hi,
I want to do IPC between zones (communication between processes running in two different zones). So what are the different techniques that can be used? I am not interested in TCP/IP (AF_INET) sockets.
Zones are designed to prevent most visibility between non-global zones and other zones. So network communication (like you might use between two physical machines) is the most common method.
You could mount a global zone filesystem into multiple non-global zones (via lofs) and have your programs push data there. But you'll probably have to poll for updates. I'm not certain that's easier or better than network communication.
Darren -
Following the instructions on https://wiki.archlinux.org/index.php/SFTP-chroot, setting the login shell with
# usermod -s /bin/false sftpuser1
does not allow me to sftp into the user account.
Sshd debug output is
debug1: userauth-request for user sftpuser1 service ssh-connection method password [preauth]
debug1: attempt 4 failures 3 [preauth]
debug1: PAM: password authentication failed for sftpuser1: Authentication failure
Failed password for sftpuser1 from <IP> port 42482 ssh2
When replaced with the following two steps, I am able to sftp into the user account
# usermod -s /sbin/nologin sftpuser1
and add the following line to /etc/shells
/sbin/nologin
Should the wiki page be updated or am I missing something?
Last edited by willemw (2013-02-21 12:44:56)
I had a similar problem. I had /sbin/nologin for the users, but I didn't put it into /etc/shells. That worked fine until one of the last updates to openssh; the sftp users couldn't log in after that.
I did some investigating and found the cause: the file /etc/pam.d/sshd was changed in one of the last updates, changing the way logins are checked against PAM for ssh. In the old file there was no check against /etc/shells, which basically meant you could have anything set as shell for the sftp users. But with the change in the PAM file (it's now referencing the base PAM files), /etc/shells is now also checked on ssh login, which renders the logins created as described on the wiki page unusable.
So it seems the way the OP used (/sbin/nologin and entry in /etc/shells) is the right one. I have edited the wiki to reflect this change. -
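Two of the failures above, the "bad ownership or modes for chroot directory" error from the zone post and the /etc/shells requirement from the Arch post, can be caught before a user ever tries to log in. The script below is an added example, not code from either thread or from OpenSSH; it assumes a Linux-style /etc/shells, and the trusted_prefix parameter and the scratch tree built by run_demo are constructed for illustration only.

```python
"""Preflight checks for an OpenSSH ChrootDirectory account (added example,
not code from the original posts). Two rules cause the failures above:
1. sshd logs "bad ownership or modes for chroot directory" unless every
   component from / down to ChrootDirectory is root-owned and neither
   group- nor world-writable;
2. with pam_shells active, the login shell must be listed in /etc/shells.
"""
import os
import stat
import tempfile
from pathlib import PurePosixPath


def chroot_path_violations(chroot_dir, trusted_prefix="/"):
    """Return [(path, reason)] for each component sshd would reject.

    sshd walks every component from "/"; trusted_prefix (default "/") only
    lets the check run on a scratch tree, whose own components are skipped.
    Unlike sshd, all violations are reported, not just the first.
    """
    prefix = PurePosixPath(trusted_prefix)
    target = PurePosixPath(chroot_dir)
    to_check = [prefix] if str(prefix) == "/" else []
    current = prefix
    for part in target.relative_to(prefix).parts:
        current = current / part
        to_check.append(current)
    violations = []
    for p in to_check:
        try:
            st = os.stat(str(p))
        except FileNotFoundError:
            violations.append((str(p), "does not exist"))
            break
        if not stat.S_ISDIR(st.st_mode):
            violations.append((str(p), "not a directory"))
            break
        if st.st_uid != 0:
            violations.append((str(p), f"owned by uid {st.st_uid}, must be root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            violations.append((str(p), f"group/world writable (mode {mode:04o})"))
    return violations


def shell_allowed(login_shell, shells_file="/etc/shells"):
    """True when login_shell is a whole line of shells_file, which is what
    pam_shells requires; blank and '#' comment lines never match a path."""
    with open(shells_file) as fh:
        entries = {ln.strip() for ln in fh}
    return login_shell in entries


def run_demo():
    """Run both checks on a constructed scratch tree (not a real server):
    a group-writable parent, as in the /data/sftp/ipl report above, and a
    constructed shells file. Returns the findings."""
    base = tempfile.mkdtemp()
    chroot = os.path.join(base, "sftp", "ipl")
    os.makedirs(chroot)
    os.chmod(os.path.join(base, "sftp"), 0o775)  # group-writable: sshd rejects it
    os.chmod(chroot, 0o755)
    shells = os.path.join(base, "shells")
    with open(shells, "w") as fh:
        fh.write("# constructed shells file\n/bin/sh\n/sbin/nologin\n")
    return {
        "violations": chroot_path_violations(chroot, trusted_prefix=base),
        "nologin_allowed": shell_allowed("/sbin/nologin", shells),
        "false_allowed": shell_allowed("/bin/false", shells),
    }
```

Run chroot_path_violations on the real ChrootDirectory (with the default trusted_prefix) to get the same verdict sshd will reach, but with every offending component listed.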
Mounting samba share starts avahi, ssh and sftp at client
The problem is at the client. When I mount a samba share (with # mount), avahi is started, which starts ssh and sftp. This is wrong on many levels.
Not sure how long this has been going on; someone else already asked this on stackexchange on 11.2.15, but didn't get any answers.
Journal output immediately after mounting (hostname, IP etc. removed):
Mär 18 01:35:51 hostname dbus[434]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mär 18 01:35:51 hostname systemd[1]: Cannot add dependency job for unit boot.automount, ignoring: Unit boot.automount is masked.
Mär 18 01:35:51 hostname systemd[1]: Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
Mär 18 01:35:51 hostname systemd[1]: Starting Avahi mDNS/DNS-SD Stack Activation Socket.
Mär 18 01:35:51 hostname systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
Mär 18 01:35:51 hostname avahi-daemon[2583]: Found user 'avahi' (UID 84) and group 'avahi' (GID 84).
Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully dropped root privileges.
Mär 18 01:35:51 hostname avahi-daemon[2583]: avahi-daemon 0.6.31 starting up.
Mär 18 01:35:51 hostname avahi-daemon[2583]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Mär 18 01:35:51 hostname dbus[434]: [system] Successfully activated service 'org.freedesktop.Avahi'
Mär 18 01:35:51 hostname systemd[1]: Started Avahi mDNS/DNS-SD Stack.
Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully called chroot().
Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully dropped remaining capabilities.
Mär 18 01:35:51 hostname avahi-daemon[2583]: Loading service file /services/sftp-ssh.service.
Mär 18 01:35:51 hostname avahi-daemon[2583]: Loading service file /services/ssh.service.
Mär 18 01:35:51 hostname avahi-daemon[2583]: Joining mDNS multicast group on interface enp1234.IPv4 with address myip.
Mär 18 01:35:51 hostname avahi-daemon[2583]: New relevant interface enp1234.IPv4 for mDNS.
Mär 18 01:35:51 hostname avahi-daemon[2583]: Network interface enumeration completed.
Mär 18 01:35:51 hostname avahi-daemon[2583]: Registering new address record for myip on enp1234.IPv4.
Mär 18 01:35:51 hostname avahi-daemon[2583]: Registering HINFO record with values 'X86_64'/'LINUX'.
Mär 18 01:35:52 hostname avahi-daemon[2583]: Server startup complete. Host name is hostname.local. Local service cookie is 123.
Mär 18 01:35:53 hostname avahi-daemon[2583]: Service "hostname" (/services/ssh.service) successfully established.
Mär 18 01:35:53 hostname avahi-daemon[2583]: Service "hostname" (/services/sftp-ssh.service) successfully established.
Thanks for your answer.
snakeroot wrote: Are you sure it is actually starting ssh and sftp, or is it just having avahi advertise them as existing?
I'm not sure if anything is started; the term "Service ssh successfully established" sounds like the ssh server is started to me, but it might just be strange wording. What does "advertise as existing" mean?
From the snippet you quoted, it looks like the latter. Unless you have already started socket activation for ssh or sftp, whether via systemd *.socket or inetd, I'm not sure it would actually be started.
I didn't enable anything manually.
I think you can rm/mv the sftp-ssh.service and ssh.service files /etc/avahi/services/ and prevent those services from being advertised.
OK, thanks for the hint. Nonetheless I would rather stop avahi from starting than configure it.
Begin rant...
I'm a bit annoyed that avahi is starting without my permission. Seems like systemd is getting a bit overzealous with starting services. Interestingly this was one of the big problems with upstart, and was supposed to be solved with systemd. I still like systemd. -
I'm preparing a report on how to securely send files and documents to external partners. I have settled on running GPG and SFTP key authentication through command calls to the Batch UNIX server. Does anyone have any experience in setting this up directly in the web interface? I ask because, if I understand correctly, OpenSSL is included in the Encryption pages as well as glue for PGP. Thanks for any info.
For non-interactive sftp you'll have to set up authentication keys. For doing that I think you need openssh and not just openssl.
You can possibly call your sftp scripts with system calls from inside an app engine.
OR
Open up PeopleBooks and go to
PeopleBooks > Enterprise PeopleTools 8.49 PeopleBook: PeopleSoft Integration Broker > Using Listening Connectors and Target Connectors
and then scroll down to 'Working With the FTP Target Connector' -
PGP Encryption Exception in File and SFTP receiver adapter.
Scenario: We have got the PGP (Private and Public key pair) and stored the same in PI server path.
We have sample partner Public key which is store at temporary shared location for testing purpose.
Issue: While doing the encryption we are getting below exception in case of File Adapter and SFTP adapter.
Case 1: File Receiver Adapter
Case 1: SFTP Receiver Adapter
Can anyone please suggest on below exception?
How to proceed to resolve the above issue or what should be the cause of the issue?
Thanks,
Vertika
Hi everyone,
Thanks for reply Sarah
I have downloaded and added the JCE unlimited strength jurisdiction policy files, updated as directed in the above blogs.
Now I am able to encrypt the file using the plain File Adapter (NFS). But it is still throwing an exception for the SFTP adapter. Below is the error detail:
MP: exception caught with cause javax.ejb.TransactionRolledbackLocalException: ASJ.ejb.005043 (Failed in component: sap.com/com.sap.aii.adapter.pgp.app, BC-XI-CON-B2B) Exception raised from invocation of public com.sap.aii.af.lib.mp.module.ModuleData com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean.process(com.sap.aii.af.lib.mp.module.ModuleContext,com.sap.aii.af.lib.mp.module.ModuleData) throws com.sap.aii.af.lib.mp.module.ModuleException method on bean instance com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean@2648d238 for bean sap.com/com.sap.aii.adapter.pgp.app*xml|com.sap.aii.adapter.pgp.ejb.jar*xml|PGPEncryption in application sap.com/com.sap.aii.adapter.pgp.app.; nested exception is: java.lang.NullPointerException: while trying to invoke the method com.sap.engine.interfaces.messaging.api.Message.getMessageKey() of a null object loaded from local variable 'message'; nested exception is: javax.ejb.EJBException: ASJ.ejb.005043 (Failed in component: sap.com/com.sap.aii.adapter.pgp.app, BC-XI-CON-B2B) Exception raised from invocation of public com.sap.aii.af.lib.mp.module.ModuleData com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean.process(com.sap.aii.af.lib.mp.module.ModuleContext,com.sap.aii.af.lib.mp.module.ModuleData) throws com.sap.aii.af.lib.mp.module.ModuleException method on bean instance com.sap.aii.adapter.pgp.ejb.api.PGPEncryptionBean@2648d238 for bean sap.com/com.sap.aii.adapter.pgp.app*xml|com.sap.aii.adapter.pgp.ejb.jar*xml|PGPEncryption in application sap.com/com.sap.aii.adapter.pgp.app.; nested exception is: java.lang.NullPointerException: while trying to invoke the method
What could be the reason of above exception in SFTP adapter? Please suggest.
Thanks,
Vertika -
Stetting up FTP and SFTP adapters for the same interface
Experts-
I have a situation in which the client has a requirement to set up both FTP and SFTP adapters (from adaptive adapters) for the same interface. They want to have a copy of the file locally and also want a file to be sent out securely using SFTP. In my interface, which was previously developed, they have used one business system and added FTP and SFTP to the same. If I try to add a new Receiver Agreement it will say that the object already exists, as the Interface Mapping is the same.
Please send me any suggestions which would resolve my problem.
Hi Hari,
As you cannot create two Receiver Agreements using only one receiver interface, please create a new receiver interface, add that in the interface determination step and then assign a different channel to the new receiver agreement.
If your requirement is to store the file, I would suggest writing the file in your unix directory using NFS (/usr/sap...), then running an AFT job (if already set up in your landscape) to transfer the file securely to the target destination. Not sure if it's feasible in your case; otherwise you can use SFTP for the secure transfer.
Best Regards
Srinivas -
Dreamweaver CS5.5 and SFTP
Greetings
I am trying to connect to my FTP Server with Dreamweaver using SFTP (port 22). I can connect using FTP (port 21). I can also connect using the same credentials, with SFTP using CuteFTP client.
Any suggestions?
Sorry, no I am not able to connect to the FTP server. The credentials are
correct. I can connect using a ftp client and Coldfusion Builder but, I
cannot connect through Dreamweaver or Contribute.
I hope that helps.
Sincerely
Ray Bakker
Web Developer | Corporate Information & Technology | City of Thunder Bay
T: 807.625.3024 | F: 807.623.3999 | E: [email protected]
http://www.thunderbay.ca
From: SnakEyez02 <[email protected]>
To: Ray Bakker <[email protected]>
Date: 02/11/2011 12:08 PM
Subject: Dreamweaver CS5.5 and SFTP
Re: Dreamweaver CS5.5 and SFTP
created by SnakEyez02 in Dreamweaver - View the full discussion
So based on this last post you are able to connect but you are not able to
transfer files. And based on the error I will assume uploading new files
is ok, it's just the overwriting that is causing an issue or uploading,
even new files, to a specific folder is causing an issue. Can you verify
that the ownership settings are correct on your account (you may need to
contact your host to fix if this is the issue)?
-
How to get the year timestamp in syslog and logadm files
5.10 Generic_141414-10 sun4u sparc
We have to keep log files for a long time. I was exploring logs in /var/adm/secure and noticed that log files over a year old did not have a year timestamp; they are in this format:
Nov 12 09:09:16
And on the face of it, /var/log/syslog is the same. I thought no problem, there will be something in syslog.conf or logadm.conf I can change and it will be fixed, but I cannot find any options to change this. How do I get the year in my log files?
The "date" command does output the year:
Friday, September 14, 2012 7:57:36 AM
My guess is that the fields in a message logged by syslog are fixed, so you can't add a field to it.
The reason for this is simply that there might be other applications parsing your syslog messages, or there might be other systems syslogging to your system, and that would break if you would add fields.
The easiest workaround is probably to keep better track of your logs by either implementing an annual rotation of them from crontab, or log the date using the "logger" command on a regular basis.
A third option would be to look at syslog-ng or rsyslog, which are more flexible when it comes to storing logs, and among other things can store them into a SQL db.
.7/M. -
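One way to recover the missing year after the fact, as an added example that is not part of the thread: infer it from line order, anchored on the year the file was last written (its mtime or the logadm rotation date). The SAMPLE lines, host name and addresses are constructed, and the function name assign_years is an assumption of this example.

```python
"""Assign years to classic syslog timestamps ("Nov 12 09:09:16"), which
Solaris syslogd writes without a year. Added example, not from the thread.
Only line order gives the year away: walking a file from its last line
backwards, starting at the year the file was last written, a line whose
month is later than the following line's month belongs to the previous year.
A gap of twelve months or more between two lines cannot be detected.
"""
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "Nov 12 09:09:16 host prog[pid]: text"; single-digit days are space padded
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hms>\d\d:\d\d:\d\d)\s+(?P<rest>.*)$")


def assign_years(lines, last_write_year):
    """Return [(datetime, rest_of_line)] in file order.

    last_write_year is the year of the final line, e.g. taken from the
    file's mtime or from the logadm rotation date. Lines that do not start
    with a syslog timestamp are skipped.
    """
    parsed = []
    for line in lines:
        m = SYSLOG_TS.match(line)
        if m and m.group("mon") in MONTHS:
            parsed.append((MONTHS[m.group("mon")], int(m.group("day")),
                           m.group("hms"), m.group("rest")))
    year, prev_mon, out = last_write_year, None, []
    for mon, day, hms, rest in reversed(parsed):
        if prev_mon is not None and mon > prev_mon:
            year -= 1  # month increased while walking backwards: crossed a New Year
        prev_mon = mon
        hh, mm, ss = (int(x) for x in hms.split(":"))
        try:
            stamp = datetime(year, mon, day, hh, mm, ss)
        except ValueError as exc:  # e.g. "Feb 29" landing in an inferred non-leap year
            raise ValueError(f"{mon}/{day} {hms} does not fit inferred year {year}: {exc}")
        out.append((stamp, rest))
    out.reverse()
    return out


# Constructed sample spanning two New Years; host name and addresses are made up.
SAMPLE = [
    "Nov 12 09:09:16 sol10 sshd[4711]: Accepted publickey for ops from 192.0.2.5",
    "Dec 31 23:59:58 sol10 syslogd: restarted",
    "Jan  1 00:00:03 sol10 sshd[4720]: Failed password for invalid user admin from 192.0.2.9",
    "Mar  3 12:00:00 sol10 su: 'su root' succeeded for ops on /dev/pts/1",
    "not a syslog line",
    "Feb 14 08:30:00 sol10 sshd[5012]: Accepted publickey for ops from 192.0.2.5",
]
```

With last_write_year=2012 the sample resolves to 2010, 2010, 2011, 2011, 2012; the "Jan  1" line correctly lands a year after the "Dec 31" line that precedes it.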
Native SSH and SFTP in LabVIEW
At the risk of re-opening a can of worms, is there any consideration for adding native SSH and SFTP support for LabVIEW?
Using PuTTy/plink is cumbersome and not cross-platform.
Calling a .NET (or any other) external assembly is cumbersome and not cross-platform.
Labwerx SSH has a terrible licensing model (not to mention the additional cost).
It is 2015, and SSH/SFTP is ubiquitous and not going away. These protocols should be natively supported in LabVIEW.
I have seen this idea on the exchange (http://forums.ni.com/t5/LabVIEW-Idea-Exchange/Native-SSH-and-SFTP-Support/idi-p/1141529), but there hasn't been any movement in 5 years. I would appreciate any news from NI here, even in the negative. If LabVIEW isn't going to support SSH anytime soon, it would be better to find out now.
I doubt it is likely to happen any time soon. The LabSSH toolkit is pretty reasonably priced when you compare it to how long it would take you to implement the functionality yourself, and there is nothing to stop you from implementing it yourself using the TCP/IP functions which are in LabVIEW. You can of course use the command-line interface to something like WinSCP / PuTTy as well.
I did also find a wrapper that someone had made for an Open Source .NET SSH library called Renci
I downloaded a copy from this thread: http://forums.ni.com/t5/LabVIEW/Plink-PuTTY-works-30-of-the-time-using-System-Exec-vi/td-p/3002261
There is also another implementation of the wrapper here: https://decibel.ni.com/content/docs/DOC-41388
Certified LabVIEW Architect, Certified TestStand Developer
NI Days (and A&DF): 2010, 2011, 2013, 2014
NI Week: 2012, 2014
Knowledgeable in all things Giant Tetris and WebSockets -
hi, what is the difference between FTPS and SFTP and does XI support FTPS and SFTP. Please elaborate.
krishnan
Hi, also have a look at this.
If you want to view the difference between FTPS (which XI supports) and SFTP, please refer to this link:
http://www.enterprisedt.com/forums/viewtopic.php?p=136&sid=28d66491b43c6bf90448deea4936bc15
HTTPS / SFTP with XI
Hey have a look at the following also
http://en.wikipedia.org/wiki/FTPS
Thanks !! -
ACE and ANM, Syslog and SNMP Traps
Hi guys.. another ACE/ANM question.
I configured the ACE devices to send Syslog and SNMP messages to the ANM server. But I have a couple of questions:
What's the difference between using:
logging history 4 (this would send logging messages as SNMP traps according to doc)
And:
snmp-server host x.x.x.x traps version 2c public
snmp-server trap-source vlan 1000
This, of course, I think should do the same.
The funny and weird thing, in the ANM Event viewer, I can only see syslog messages, not one snmp event.
Thanks!
Omar
PS: ACE ver A2.4
ANM Ver 4.2
Hi Omar,
Let's see if I can clarify your questions.
As you mentioned, the "logging history 4" command specifies that syslog messages of severity 4 and higher will be sent as SNMP traps. After you configure it, you need the "snmp-server host x.x.x.x traps version 2c public" command to specify the destination IP and SNMP community for these traps.
It would only make sense to use the "logging history 4" command if your monitoring application doesn't support receiving syslog messages. However, since ANM is able to get syslog messages from the ACE without issues, I would just configure a destination for syslog message instead (with "logging host x.x.x.x")
I hope this makes this point more clear.
Now, moving on to why you are not seeing any SNMP traps in your ANM, the first things you would need to check are:
-- Did you enable traps? You would use the "ACE(config)# snmp-server enable traps" command for this
-- Are traps being sent? You can use the "show snmp" command and check if the "Trap PDUs" counter increases
-- Is ANM getting these traps? This is the most complicated step. For this, I would recommend getting a traffic capture on the ANM server (if it's installed on Linux) or as close as possible to it if it's an ANM appliance.
I hope this helps
Daniel -
[Solved] New Arch installation: Where is syslog and/or messages?
I have a new installation of Arch via the 2012.11.01 install disk. I'm wondering, and this is probably a dumb question, but, where is the syslog and/or message log files? I don't see them under /var/log anymore.
Thanks for the help,
jin
Last edited by jin (2012-11-10 20:25:32)
I think this article will be helpful.
-
JDev 11.1.1.4.0 Support for SSH and SFTP
Using JDeveloper 11.1.1.4.0
I've tried researching Oracle docs, but find nothing on Secure FTP (SFTP). Does Oracle ADF have built-in SSH and SFTP Java libraries? If not, has anyone had success with the Java libraries from SourceForge or is there something better out there?
Thanks,
Troy
There is no built-in ftp or ssh library in JDev. I used http://commons.apache.org/net/ in one of my projects.
Timo -
CiscoWorks Syslog and TFTP servers
Hi!
Is it possible to disable CiscoWorks syslog and tftp servers and thus
free ports 514 and 69 for other applications?
Thank you,
Oleg Tipisov,
REDCENTER,
Moscow
The problem is that I don't know what service needs to be stopped.
Do I need to kill the processes (crmlog, crmtftp)?