Mail Archives: cygwin/2003/08/13/15:08:05

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3F3A8C85.4080409@keyww.com>
Date: Wed, 13 Aug 2003 12:07:49 -0700
From: jwaterbrook <jwaterbrook AT keyww DOT com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: michael's openssh for windows
References: <Pine DOT GSO DOT 4 DOT 44 DOT 0308122042590 DOT 8046-100000 AT slinky DOT cs DOT nyu DOT edu>
In-Reply-To: <Pine.GSO.4.44.0308122042590.8046-100000@slinky.cs.nyu.edu>
X-OriginalArrivalTime: 13 Aug 2003 19:07:50.0420 (UTC) FILETIME=[30AB5D40:01C361CE]

I played with this a bit last night and chatted with a few friends and I 
think I found my solution.

I created a directory on my "D Drive" and called it SSH_SHARED (i.e. d:\ssh_shared)
I copied these files to it:
c:\program files\openssh\bin\cygcrypto-0.9.7.dll to 
d:\ssh_shared\bin\cygcrypto-0.9.7.dll
c:\program files\openssh\bin\cygwin1.dll to d:\ssh_shared\bin\cygwin1.dll
c:\program files\openssh\bin\sh.exe to d:\ssh_shared\bin\sh.exe
c:\program files\openssh\etc\moduli to d:\ssh_shared\etc\moduli
c:\program files\openssh\usr\sbin\sftp-server.exe to 
d:\ssh_shared\usr\sbin\sftp-server.exe
and created a directory called d:\ssh_shared\pub\ (where I'll put the files)

at the end of my sftponly script I added the line:
chroot /cygdrive/d/ssh_shared /bin/sh -i "$@"
(in place of the exec /bin/sh)

I downloaded chroot.exe from a cygwin mirror in release/sh-utils/
(keep in mind I am using Michael's openssh distribution so it's not included)
and put it into c:\program files\openssh\bin

Then I restarted the service.

When I ssh into the machine, here is my output:
Last login: Wed Aug 13 11:53:32 2003 from wwww.xxxx.com
Could not chdir to home directory /home/SSHUSER: No such file or directory
Sorry, sftp only!
Connection to yyyy.zzzz.net closed.
USER AT localhost:~$

When I sftp into the machine, it is successful.
When I try a cd /cygdrive/c/windows I get:
sftp> cd /cygdrive/d/windows
Couldn't canonicalise: No such file or directory
sftp>

When I try a cd .. I get the same thing.

I'm not very impressed with the transfer rates that I'm getting, but it 
may be the encryption overhead.  It would also be nice to package this 
someday as an alternative to the many windows' ftp servers out there.

Thanks to everyone who helped me out on this.
Johnny

Igor Pechtchanski wrote:

> Glad I could help.  chroot is tricky to set up, you might want to search
> the net for some working examples.  DENY ACLs are a feature of WinNT-based
> systems (Win2k, WinXP, etc) -- they are not a feature of Cygwin proper.
>         Igor
>
> On Tue, 12 Aug 2003, jwaterbrook wrote:
>
> > "Ssh passes no parameters to the login shell by default"
> > This is exactly what was confusing me.  Thank you for clarifying.
> > I redirected $* to a file and logged in different ways, sftp gave me
> > output as you said, so this part of it works now.
> >
> > I looked at chroot, but I can't seem to get it to take.
> > Where/how can I include this in my sftponly script?
> > I don't think DENY ACLs are an option in this distribution.  Any info
> > on it would also be helpful
> >
> > Thanks,
> > Johnny
> >
> >
> > Igor Pechtchanski wrote:
> >
> > > Johnny,
> > >
> > > Ssh passes no parameters to the login shell by default (as your output
> > > clearly shows).  You have to check for the parameters passed by other
> > > programs, like sftp (make sure you don't print things to stdout, as
> > > they'll be interpreted as program messages -- better redirect the output
> > > to some log file).  FYI, I was able to restrict ssh access to sftp only by
> > > using the following script as the login shell:
> > >
> > > =================== CUT HERE ===================
> > > #!/bin/sh
> > > echo Parameters: "$@" >> /tmp/sshlogin.log
> > > if [ "$*" != "-c /usr/sbin/sftp-server" ]; then
> > >    echo "Sorry, sftp only!"
> > >    exit 1
> > > fi
> > > exec /bin/bash "$@"
> > > =================== CUT HERE ===================
> > >
> > > Checking /tmp/sshlogin.log after trying to use other programs with ssh
> > > (e.g., cvs) should give you an idea of what exact parameters they pass,
> > > and accommodate them in your script if need be.
> > >
> > > BTW, one important thing to know is that the above script *will not*
> > > prevent anyone from accessing /cygdrive/c/WINNT/system32, for example.
> > > If you want that kind of access restrictions, look at the "chroot" utility
> > > ("man chroot") or use DENY ACLs.
> > >         Igor
> > >
> > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > >
> > > > I decided to give that a shot, however, as I expected, that gave no
> > > > output either.
> > > > ---OUTPUT---
> > > > Last login: Tue Aug 12 10:50:24 2003 from xxxx.yyyy.com
> > > > Parameters:
> > > > $
> > > > ---END OUTPUT---
> > > >
> > > > Somehow, nothing is getting passed.  Like I said before, it could be the
> > > > distribution.  If anyone has any free time, download it and see what I'm
> > > > talking about.
> > > > It's such a wonderful quick solution, it would be nice to get this so it
> > > > can act as a "substitute" for a normal ftp server (and even better for
> > > > some cases only using a single port).
> > > >
> > > > Adieu,
> > > > Johnny
> > > >
> > > > Igor Pechtchanski wrote:
> > > >
> > > > > You might try to change that script to
> > > > >
> > > > > #!/bin/sh
> > > > > echo "Parameters: $@"
> > > > > exec /bin/sh "$@"
> > > > >
> > > > > Hope this helps,
> > > > >         Igor
> > > > > On Tue, 12 Aug 2003, jwaterbrook wrote:
> > > > >
> > > > > >  A comment about the script method:
> > > > > >
> > > > > > for some reason, this didn't seem to return any result.
> > > > > > I added /usr/bin/sftponly to the passwd file instead of /bin/sh or
> > > > > > /bin/switch
> > > > > > and created a /usr/bin/sftponly file with this inside:
> > > > > > #!/bin/sh
> > > > > >
> > > > > > echo "$*"
> > > > > >
> > > > > > /bin/sh
> > > > > >
> > > > > > however, this did not create any output.  So I have a feeling, nothing
> > > > > > is being passed in this build.
> > > > > >
> > > > > > I may be going at this the wrong way, so if anyone would like to correct
> > > > > > me, please do so.
> > > > > >
> > > > > > Thanks,
> > > > > > Johnny
> > > > > >
> > > > > >
> > > > > > Igor Pechtchanski wrote:
> > > > > >
> > > > > > > The thread starting at
> > > > > > > <http://cygwin.com/ml/cygwin/2003-07/msg01379.html>
> > > > > > > might be of help.
> > > > > > >         Igor
> > > > > > >
> > > > > > > On Mon, 11 Aug 2003, jwaterbrook wrote:
> > > > > > >
> > > > > > > > I haven't seemed to get very far with this,
> > > > > > > > I was hoping someone might be able to point a blind man in the right
> > > > > > > > direction
> > > > > > > >
> > > > > > > > Waterbrook, Johnny wrote:
> > > > > > > >
> > > > > > > > > I'd prefer not to start a new thread, but I've been searching for the
> > > > > > > > > past few hours with no luck.
> > > > > > > > >
> > > > > > > > > I needed a fast way to set up sftp on a winXP box, so I did a little
> > > > > > > > > google search and found lexa.mckenna.edu/sshwindows/ had a clean and
> > > > > > > > > easy way of doing this.
> > > > > > > > > I changed the registry setting "/home" to a different drive, and the
> > > > > > > > > passwd file's entry from :/home/USERNAME: to :/home: so when my "aunt's
> > > > > > > > > ex-uncle" wants to log in to my sftp server, they can't browse my windows
> > > > > > > > > directory structure.
> > > > > > > > >
> > > > > > > > > However, when my "aunt's ex-uncle" realizes he can also ssh into the box,
> > > > > > > > > I don't want him running "windows" commands such as cmd, nbtstat, dir
> > > > > > > > > etc.  I just want to "limit" him to what is available in /bin I guess.
> > > > > > > > >
> > > > > > > > > Am I going about this wrong?  Is there a cygwin/openssh implementation
> > > > > > > > > that "stands alone" from windows so I could set up a sftp server much
> > > > > > > > > like a normal ftp server?
> > > > > > > > >
> > > > > > > > > Thanks in advance,
> > > > > > > > > Johnny
>
> -- 
>                                 http://cs.nyu.edu/~pechtcha/ 
> <http://cs.nyu.edu/%7Epechtcha/>
>       |\      _,,,---,,_                pechtcha AT cs DOT nyu DOT edu
> ZZZzz /,`.-'`'    -.  ;-;;,_            igor AT watson DOT ibm DOT com
>      |,4-  ) )-,_. ,\ (  `'-'           Igor Pechtchanski, Ph.D.
>     '---''(_/--'  `-'\_) fL     a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "I have since come to realize that being between your mentor and his route
> to the bathroom is a major career booster."  -- Patrick Naughton
>


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
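The thread above converges on two pieces: a login-shell wrapper that only lets the sftp subsystem through (Igor's script, which compares "$*"), and Johnny's addition of a chroot into a copied tree. The script below is an added example, not Igor's or Johnny's code, that puts both together in one sftponly script. It assumes the paths from the thread (/usr/sbin/sftp-server, /cygdrive/d/ssh_shared, /tmp/sshlogin.log) and the installed name sftponly; the argv[0] convention it checks (sshd runs a login session as "-sftponly" and a command session as "sftponly") is standard OpenSSH behaviour. Compared with the quoted script it checks the argument vector element by element rather than the joined "$*" string, logs to a file instead of stdout (as Igor warns, stdout is the sftp protocol channel), and prints the refusal to stderr.

```shell
#!/bin/sh
# sftponly: sftp-only login shell (added example, not from the thread).
# Install as /usr/bin/sftponly and set it as the user's shell in /etc/passwd.
# sshd invokes the login shell as one of:
#   sftponly -c /usr/sbin/sftp-server   (sftp subsystem)
#   sftponly                            (interactive ssh, no arguments)
#   sftponly -c "<command>"             (ssh host cmd, scp, cvs, ...)

SFTP_SERVER=/usr/sbin/sftp-server                       # path configured for the sftp subsystem
SFTP_ONLY_ROOT=${SFTP_ONLY_ROOT:-/cygdrive/d/ssh_shared} # chroot tree from the thread (assumed)
SFTP_ONLY_LOG=${SFTP_ONLY_LOG:-/tmp/sshlogin.log}        # log file, as in Igor's script

# sftp_only_allowed ARGS...: succeed only for the exact two-element argument
# vector the sftp subsystem produces.  Checking each element separately, rather
# than the joined string "$*", rejects a single argument that merely looks like
# "-c /usr/sbin/sftp-server" and any vector with extra elements.
sftp_only_allowed() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# sftp_only_log MSG: append a timestamped line to the log file.  Nothing goes
# to stdout: when the subsystem is being started, stdout is the sftp channel.
sftp_only_log() {
    printf '%s %s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "${USER:-${LOGNAME:-?}}" "$1" \
        >> "$SFTP_ONLY_LOG" 2>/dev/null || :
}

# sftp_only_main ARGS...: accept the sftp subsystem inside the chroot tree,
# refuse everything else and record what was attempted.
sftp_only_main() {
    if sftp_only_allowed "$@"; then
        sftp_only_log "sftp session started"
        # The tree needs bin/sh.exe, bin/cygwin1.dll, bin/cygcrypto-*.dll,
        # etc/moduli and usr/sbin/sftp-server.exe, as copied in the thread.
        exec chroot "$SFTP_ONLY_ROOT" /bin/sh -c "$SFTP_SERVER"
    fi
    sftp_only_log "rejected: argv=[$*]"
    echo "Sorry, sftp only!" >&2   # stderr is shown to the user and does not corrupt sftp
    exit 1
}

# Act as a shell only when invoked under the installed name, so the functions
# above can also be sourced and exercised without starting a session.
case "${0##*/}" in
    sftponly|-sftponly) sftp_only_main "$@" ;;
esac
```

The log file is the detection side of this setup: every refused invocation lands there with its argument vector, which is also how Igor suggests discovering what other clients (cvs, scp) pass so they can be allowed deliberately rather than by accident. One caveat on the chroot step: Cygwin's chroot is emulated inside cygwin1.dll for Cygwin processes and is not a boundary enforced by the Windows kernel, so it limits what sftp-server sees rather than replacing the DENY ACLs Igor mentions.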
