dropbear & rssh chroot

Karl. kmw1 at free.net.nz
Thu Jul 27 13:05:47 WST 2006


On Fri, Jul 21, 2006 at 03:06:10PM +0800, Matt Johnston wrote:
> On Fri, Jul 21, 2006 at 06:57:30PM +1200, Karl. wrote:
> > I've recently been setting up a rssh chroot for securely 'sharing' some
> > files via sftp - it's working fine with openssh, but I haven't yet got
> > it going with dropbear.
> 
> I can't think of any intrinsic reason why it shouldn't work
> though I haven't looked that closely at how rssh works.
> Does it fail with a particular error message?
 
OK.  After the encouragement of being told it should work, I managed to 
find the problem while gathering the documentation for my "Why doesn't 
it work?" email   :-)

Here's the relevant info:

Right now I'm running a dropbear server on one port and an openssh one 
on another port.  Both are nonstandard port numbers.  Both daemons are 
working for ssh shell logins.  I only allow public key auth, with the 
relevant key loaded into ssh-agent.  Running Debian Testing with 
dropbear 0.48.1-1 and openssh 1:4.3p2-2.

====
on the openssh port:

   $ sftp -o Port=44444 lsa@192.168.1.6
   Connecting to 192.168.1.6...
   sftp>

====
on the dropbear port:

   $ sftp -o Port=33333 lsa@192.168.1.6
   Connecting to 192.168.1.6...

   This account is restricted by rssh.
   Allowed commands: sftp 

   If you believe this is in error, please contact your system 
   administrator.

   Connection closed

====
syslog for openssh attempt shows:

Jul 27 16:02:06 localhost rssh[5305]: setting log facility to LOG_USER
Jul 27 16:02:06 localhost rssh[5305]: allowing sftp to all users
Jul 27 16:02:06 localhost rssh[5305]: setting umask to 022
Jul 27 16:02:06 localhost rssh[5305]: chrooting all users to /home/chroot
Jul 27 16:02:06 localhost rssh[5305]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Jul 27 16:02:06 localhost rssh_chroot_helper[5305]: new session for lsa, UID=1023
Jul 27 16:02:06 localhost rssh_chroot_helper[5305]: user's home dir is /home/chroot/lsa
Jul 27 16:02:06 localhost rssh_chroot_helper[5305]: chrooted to /home/chroot
Jul 27 16:02:07 localhost rssh_chroot_helper[5305]: changing working directory to /lsa (inside jail)

====
syslog for dropbear attempt shows:

Jul 27 16:03:53 localhost rssh[6017]: setting log facility to LOG_USER
Jul 27 16:03:53 localhost rssh[6017]: allowing sftp to all users
Jul 27 16:03:53 localhost rssh[6017]: setting umask to 022
Jul 27 16:03:54 localhost rssh[6017]: chrooting all users to /home/chroot
Jul 27 16:03:54 localhost rssh[6017]: user lsa attempted to execute forbidden commands
Jul 27 16:03:54 localhost rssh[6017]: command: /usr/lib/sftp-server

====

Paying attention to the logs, I see that dropbear is trying to 
call the sftp-server at /usr/lib/ whilst openssh is calling it at 
/usr/lib/openssh/ - one is symlinked to the other, and that would be 
fine in normal circumstances, but obviously it's not going to be 
acceptable to rssh!

Changing my sftp invocation to specify the rssh-compliant path yields 
the happy result: 

   $ sftp -o Port=33333 -s /usr/lib/openssh/sftp-server lsa@192.168.1.6
   Connecting to 192.168.1.6...
   sftp>

So, I can connect from the command-line now.  :-)

The remaining problem is when I try to connect using WinSCP or Tunnelier 
(the main purpose of this rssh chroot is to allow restricted access for 
an untrusted Windows box) - these gui tools don't allow me to specify a 
path for sftp-server.

I imagine I will need to recompile dropbear with the altered path - I 
have a faint recollection of reading something about Debian having 
changed some openssh paths as part of the packaging setup.

Thank you, Matt, for your encouragement and for writing dropbear  :-)

Karl.
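The failure mode Karl describes above, as an added example that is not part of the original post or of rssh/dropbear: rssh's "command: /usr/lib/sftp-server" log line shows it compares the literal command string the SSH daemon passes against its configured sftp-server path, so a symlink that resolves to the very same binary is still refused. The script below parses the rssh syslog lines quoted in the thread (embedded inline as constructed sample input) to report per-PID whether a session was chrooted or rejected and which sftp-server path it carried, then rebuilds the Debian symlink layout in a temporary directory to show that a literal comparison fails where a symlink-resolving comparison (a hypothetical alternative, not what rssh does) would pass. The function names and the temp-dir layout are assumptions for illustration.

```python
import os
import re
import tempfile

# Constructed sample input: the two rssh sessions quoted in the post above.
SAMPLE_LOG = """\
Jul 27 16:02:06 localhost rssh[5305]: allowing sftp to all users
Jul 27 16:02:06 localhost rssh[5305]: chrooting all users to /home/chroot
Jul 27 16:02:06 localhost rssh[5305]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Jul 27 16:02:06 localhost rssh_chroot_helper[5305]: chrooted to /home/chroot
Jul 27 16:03:53 localhost rssh[6017]: allowing sftp to all users
Jul 27 16:03:54 localhost rssh[6017]: chrooting all users to /home/chroot
Jul 27 16:03:54 localhost rssh[6017]: user lsa attempted to execute forbidden commands
Jul 27 16:03:54 localhost rssh[6017]: command: /usr/lib/sftp-server
"""

# Matches "rssh[PID]: message" and "rssh_chroot_helper[PID]: message".
LOG_RE = re.compile(r'\b(rssh|rssh_chroot_helper)\[(\d+)\]: (.*)$')


def parse_rssh_log(text):
    """Group rssh/rssh_chroot_helper lines by PID and classify each session.

    Returns {pid: {"status": "chrooted"|"forbidden"|"unknown",
                   "command": <sftp-server path rssh saw or ran>}}.
    """
    sessions = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        _prog, pid, msg = m.groups()
        s = sessions.setdefault(pid, {"status": "unknown", "command": None})
        if msg.startswith("chroot cmd line:"):
            # The accepted path is the quoted argument to rssh_chroot_helper.
            q = re.search(r'"([^"]+)"', msg)
            if q:
                s["command"] = q.group(1)
        elif msg.startswith("chrooted to "):
            s["status"] = "chrooted"
        elif "attempted to execute forbidden commands" in msg:
            s["status"] = "forbidden"
        elif msg.startswith("command: "):
            # rssh logs the rejected command string verbatim.
            s["command"] = msg[len("command: "):]
    return sessions


def literal_match(requested, allowed):
    """The check the rssh log implies: the command string must equal the path."""
    return requested == allowed


def resolved_match(requested, allowed):
    """Hypothetical alternative (NOT rssh's behaviour): compare after symlinks."""
    return os.path.realpath(requested) == os.path.realpath(allowed)


def demo_symlink_layout():
    """Recreate the Debian layout in a scratch tree (constructed):
    usr/lib/sftp-server -> openssh/sftp-server.

    Returns (literal_match_result, resolved_match_result)."""
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "usr", "lib", "openssh", "sftp-server")
        os.makedirs(os.path.dirname(real))
        with open(real, "w") as f:
            f.write("#!/bin/sh\n")  # stand-in for the real binary
        link = os.path.join(root, "usr", "lib", "sftp-server")
        os.symlink(os.path.join("openssh", "sftp-server"), link)
        return literal_match(link, real), resolved_match(link, real)


def explain(sessions):
    """One human-readable line per session, useful when grepping syslog."""
    out = []
    for pid, s in sorted(sessions.items()):
        out.append(f"pid {pid}: {s['status']} (sftp-server path: {s['command']})")
    return out


if __name__ == "__main__":
    for line in explain(parse_rssh_log(SAMPLE_LOG)):
        print(line)
    lit, res = demo_symlink_layout()
    print(f"literal path match: {lit}, symlink-resolved match: {res}")
```

Run on a real system, point `parse_rssh_log` at the output of `grep rssh /var/log/syslog`; any session with status "forbidden" whose command differs from the path in a "chroot cmd line:" entry is the same mismatch seen here, and the fix is on the client or daemon side (the `-s` option, or a daemon built with the rssh-configured path), not in rssh.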
