# sftp session being closed

## Peter_

Hi all,

I am setting up rssh to limit some users to sftp only. However when I try to login the session is closed as soon as the password is accepted.

I followed the http://gentoo-wiki.com/HOWTO_SFTP_Server_%28chrooted%2C_without_shell%29 but noticed that when I did a ldd /usr/bin/scp I got

```
   linux-gate.so.1 =>  (0xffffe000)
   libresolv.so.2 => /lib/libresolv.so.2 (0xb7f7c000)
   libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7eaa000)
   libutil.so.1 => /lib/libutil.so.1 (0xb7ea6000)
   libz.so.1 => /lib/libz.so.1 (0xb7e97000)
   libnsl.so.1 => /lib/libnsl.so.1 (0xb7e82000)
   libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e55000)
   libc.so.6 => /lib/libc.so.6 (0xb7d45000)
   libdl.so.2 => /lib/libdl.so.2 (0xb7d41000)
   /lib/ld-linux.so.2 (0xb7f96000)
```

I have a funny feeling that it is something to do with the linux-gate.so.1 file....

My rssh.conf is

```
logfacility = LOG_USER
allowsftp
umask = 022
user=harold:022:00010:/home/harold
```

and syslog shows the following for a login attempt

```
Feb  3 06:07:51 localhost rssh[22705]: setting log facility to LOG_USER
Feb  3 06:07:51 localhost rssh[22705]: allowing sftp to all users
Feb  3 06:07:51 localhost rssh[22705]: setting umask to 022
Feb  3 06:07:51 localhost rssh[22705]: line 51: configuring user harold
Feb  3 06:07:51 localhost rssh[22705]: setting harold's umask to 022
Feb  3 06:07:51 localhost rssh[22705]: allowing sftp to user harold
Feb  3 06:07:51 localhost rssh[22705]: chrooting harold to /home/harold
```

I would appreciate any help with this and to understand what the problem is.

Many Thanks

Peter

----------

## Peter_

Well I found out what linux-gate.so.1 is and why it shows up the way it does. See http://www.trilithium.com/johan/2005/08/linux-gate/

Still doesn't help me :'(

----------

## Peter_

Have been doing some more testing and worked out that I mustn't have the chroot set up properly. When I change rssh.conf to not chroot, everything works fine.

Could anyone give some pointers on how to track down what is wrong with my chroot? I have double checked that I followed the rssh wiki to the letter but still no joy!

----------

## bigbob73

 *Peter_ wrote:*   

> Have been doing some more testing and worked out that I mustn't have the chroot set up properly. When I change rssh.conf to not chroot, everything works fine.
> 
> Could anyone give some pointers on how to track down what is wrong with my chroot? I have double checked that I followed the rssh wiki to the letter but still no joy

 

I share your pain, but unfortunately cannot get it to work either. When I change a user's shell to /usr/bin/rssh, logins will fail. Change to /bin/bash, logins work, but no jail. :'(

----------

## Peter_

Yes bigbob73, it certainly is painful!

I think I may have some insight which may help you with your problem. Try removing the chroot option from the rssh.conf and setting a user's shell to /usr/bin/rssh. You should find that the user only has access to sftp and/or scp, if it was allowed in rssh.config, but no shell access. 

When you set a user's shell to /bin/bash you are no longer using rssh.

----------

## bigbob73

 *Peter_ wrote:*   

> Yes bigbob73, it certainly is painful 
> 
> I think I may have some insight which may help you with your problem. Try removing the chroot option from the rssh.conf and setting a user's shell to /usr/bin/rssh. You should find that the user only has access to sftp and/or scp, if it was allowed in rssh.config, but no shell access. 
> 
> When you set a user's shell to /bin/bash you are no longer using rssh.

 

OK. That gets me connected with no shell, but I still have access to the root filesystem. The only 2 people who use this account are my dad and me. Seems pretty low risk, but you never know...

----------

## Peter_

You can control access to the rest of the root directory by file permissions.

I'm going to give setting up the rssh chroot another go later. If I still don't succeed I'll give scponly a try as it does a similar thing to rssh.

----------

## bigbob73

 *Peter_ wrote:*   

> You can control access to the rest of the root directory by file permissions.
> 
> I'm going to give setting up the rssh chroot another go later. If I still don't succeed I'll give scponly a try as it does a similar thing to rssh.

 

Does scponly work through sshd? I use WinSCP and PuTTY to connect. It works great except for the jail part.

----------

## Peter_

Both scponly and rssh work through sshd. My understanding of what happens is that sshd does the user authentication and then calls the shell for that user. If the user's shell is rssh or scponly then these shells control what the user can and can't do, not sshd.

The setup I'm working on is for two system admins to be able to login remotely with full access, but other users are limited to sftp upload/download with no valid shell to execute commands and chrooted to the home directory.

So what I do is set the shell to rssh for all users except the system admins. This does what I want except I just can't get the %^&% chroot to work >:(

----------

## neonknight

 *Peter_ wrote:*   

> Hi all,
> 
> I am setting up rssh to limit some users to sftp only. However when I try to login the session is closed as soon as the password is accepted.
> 
> I followed the http://gentoo-wiki.com/HOWTO_SFTP_Server_%28chrooted%2C_without_shell%29 but noticed that

 

I had the same problem and I found a mistake in that howto. 

This was missing:

```
# cp /lib/libcrypt.so.1 lib
```

(lib is the lib-subdirectory of your chroot).

HTH

----------

## bigbob73

 *neonknight wrote:*   

>  *Peter_ wrote:*   Hi all,
> 
> I am setting up rssh to limit some users to sftp only. However when I try to login the session is closed as soon as the password is accepted.
> 
> I followed the http://gentoo-wiki.com/HOWTO_SFTP_Server_%28chrooted%2C_without_shell%29 but noticed that 
> ...

 

Thanks for the tip. Unfortunately, I still can't get in. It keeps asking if I have a running rssh-server. If I give the user another shell, they can log in, but not jailed. :(

----------

## bigbob73

 *Peter_ wrote:*   

> Both scponly and rssh work through sshd. My understanding of what happens is that sshd does the user authentication and then calls the shell for that user. If the user's shell is rssh or scponly then these shells control what the user can and can't do, not sshd.
> 
> The setup I'm working on is for two system admins to be able to login remotely with full access, but other users are limited to sftp upload/download with no valid shell to execute commands and chrooted to the home directory.
> 
> So what I do is set the shell to rssh for all users except the system admins. This does what I want except I just can't get the %^&% chroot to work 

 

Is the jail really necessary at this point? If their shell is /usr/bin/rssh, they couldn't do anything destructive.

----------

## neonknight

What happens when you just execute 

```
/usr/lib/misc/rssh_chroot_helper 2 "/usr/lib/misc/sftp-server"
```

? Any error-reports?

I don't know if you need a chroot, but I always say "better safe than sorry" :) I never trust a user except for me, so they shouldn't get a chance to leave their home and potentially have the possibility to read data they should not be able to read.

----------

## bigbob73

 *neonknight wrote:*   

> What happens when you just execute 
> 
> ```
> /usr/lib/misc/rssh_chroot_helper 2 "/usr/lib/misc/sftp-server"
> ```
> ...

 

I get no output from this.  I guess I'll just have to live on the edge.  Thanks!

----------

## Peter_

```
/usr/lib/misc/rssh_chroot_helper 2 "/usr/lib/misc/sftp-server"
```

Gave no output for me as well.

----------

## Peter_

 *neonknight wrote:*   

> 
> 
> I had the same problem and I found a mistake in that howto. 
> 
> This was missing:
> ...

 

The Howto has this line in it. Also it came up when I did ldd of scp.

I have deleted the chroot files and started again, with still the same result.

----------

## Peter_

Ok I give up :?

I copied all of etc, lib, usr/lib & usr/libexec into the chroot directory but I still get the same result - Connection Closed.

Can anyone please give me some pointers in tracking this down and setting up the chroot environment?

----------

## DeathFire

Some problems here, I can't chroot the users but it seems to work fine otherwise.

Anyone have any other ideas to try? I am all out of them.

----------

## a_me

EDIT:

Sorry, just now I read:

Peter_ http://www.trilithium.com/johan/2005/08/linux-gate/

 *DeathFire wrote:*   

> Some problems here, I can't chroot the users but it seems to work fine otherwise.
> 
> Anyone have any other ideas to try? I am all out of them.

 

I have exactly the same problem with rssh as well as with scponly. The strange thing 

```
ldd usr/lib/misc/sftp-server
        linux-gate.so.1 =>  (0xffffe000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7f62000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e5d000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7e59000)
        libz.so.1 => /lib/libz.so.1 (0xb7e48000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7e33000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e05000)
        libc.so.6 => /lib/libc.so.6 (0xb7ced000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7ce8000)
        /lib/ld-linux.so.2 (0xb7f83000)
```

gives me "linux-gate.so.1" as a dependency. But I can't find it anywhere on the system.

The auth.log gives me the following error:

```
scponly[6798]: running: /usr/lib/misc/sftp-server (username: user(1001), IP/port: 192.168.0.1 60631 22)
scponly[6798]: failed: /usr/lib/misc/sftp-server with error Permission denied(13) (username: user(1001), P/port: 192.168.0.1 60631 22)
```

So I am almost sure that the problem has something to do with this library.

Can anyone help me to find it? :?

Thanks in advance

----------

## hurra

Bump :D

Same problem.

With chroot enabled, I can't log in. If I disable it, I can log in.

Perhaps someone has already solved the problem.

Thanks.

Cu hurra

----------

## ats2

Hi there,

Did you finally get an answer or find some trick to make it work? None of the things I have tried would work, and I tried everything I've read in this forum :(

----------

## a_me

No.

I am also still interested in finding a solution.

By now, I changed the permissions of the folders - one gets a message "permission denied" when trying to leave the specified chroot jail.

----------

## qcaze

Hi

I had the same problem and tried just about everything.. Then found:

 *Quote:*   

> ```
> mkdir /your/chroot/dir/dev
> mknod -m 666 /your/chroot/dir/dev/null c 1 3
> ```
> ...

 

https://forums.gentoo.org/viewtopic-p-3345440.html#3345440

- seems to be working :D

----------
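The checks this thread converges on (every library `ldd` names is present in the jail, `linux-gate.so.1` is not a file to copy, the sftp-server inside the jail is executable, and `/dev/null` exists as a device node), as an added shell example that is not from any poster or from rssh itself. It assumes the jail mirrors host paths; `audit_chroot`, `ldd_paths` and `SAMPLE_LDD` are names made up for this example.

```shell
#!/bin/sh
# Added example: audit a chroot jail before pointing rssh or scponly at it.
# Assumption: the jail mirrors host paths (host /lib/x lives at JAIL/lib/x).

# Constructed sample in the shape of the ldd output posted in the thread.
SAMPLE_LDD='        linux-gate.so.1 =>  (0xffffe000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e05000)
        libc.so.6 => /lib/libc.so.6 (0xb7ced000)
        /lib/ld-linux.so.2 (0xb7f83000)'

# ldd_paths: read ldd output on stdin, print each on-disk path it names.
# linux-gate.so.1 has no path (the kernel maps it into the process), so it
# is skipped and never needs copying into the jail.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# audit_chroot JAIL SERVER: read ldd output for SERVER on stdin, print one
# line per problem, return 1 if any problem was found.
audit_chroot() {
    jail=$1
    server=$2
    report=$(
        ldd_paths | while IFS= read -r lib; do
            [ -e "$jail$lib" ] || echo "missing library: $lib"
        done
        # One possible cause of "Permission denied(13)" in the scponly log.
        [ -x "$jail$server" ] || echo "not executable in jail: $server"
        # Created in the thread with: mknod -m 666 JAIL/dev/null c 1 3
        [ -c "$jail/dev/null" ] || echo "missing character device: /dev/null"
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Real use: sh audit.sh /home/harold /usr/lib/misc/sftp-server
if [ "$#" -eq 2 ]; then
    ldd "$2" | audit_chroot "$1" "$2"
fi
```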

