rssh testing - SSH


  1. rssh testing

    I'm new to rssh, but I need to make it work.

    Server is Fedora Core 3.

    I've installed rssh-2.2.3-1.1.fc3.rf using rpm.

    These are also installed:

    openssh-3.9p1-8.0.3
    openssh-clients-3.9p1-8.0.3
    openssh-askpass-gnome-3.9p1-8.0.3
    openssh-server-3.9p1-8.0.3
    openssh-askpass-3.9p1-8.0.3

    I've configured /etc/rssh.conf according to docs, read the man pages
    on rssh and rssh.conf.

    Since I've never used this before, I'm not sure exactly what to
    expect.

    As root, I try this:

    [root@lnxweb2 /var/ftp]# rssh

    This account is restricted by rssh.
    Allowed commands: sftp

    If you believe this is in error, please contact your system
    administrator.

    [root@lnxweb2 /var/ftp]#


    This doesn't seem right, I would think I should get a command prompt,
    but it seems to simply exit and without any error message that might
    lead me to what is wrong. The only part that seems correct is the
    fact that sftp is allowed, that I configured in /etc/rssh.conf.


    Help with this would be greatly appreciated.






  2. Re: rssh testing

    In article <446243be.196953359@news.iswest.com> no.spam@gte.net (Scott
    Gravenhorst) writes:
    >
    >As root, I try this:
    >
    >[root@lnxweb2 /var/ftp]# rssh
    >
    >This account is restricted by rssh.
    >Allowed commands: sftp
    >
    >If you believe this is in error, please contact your system
    >administrator.
    >
    >[root@lnxweb2 /var/ftp]#
    >
    >
    >This doesn't seem right, I would think I should get a command prompt,
    >but it seems to simply exit and without any error message that might
    >lead me to what is wrong. The only part that seems correct is the
    >fact that sftp is allowed, that I configured in /etc/rssh.conf.


    I've never used rssh, but apparently it's intended to be used as the
    login shell for accounts that are only to be allowed to run the
    configured commands via ssh. It is not intended as an interactive shell,
    which is what you are trying to test - or rather, it is supposed to
    specifically prevent any interactive use, which would be attempted if
    you tried to simply do an interactive login on that account (i.e. 'ssh
    user@host' or any other method to obtain an interactive login).

    The following is more than a little simplified, but good enough to show
    the principle... When you invoke the sftp client, it basically runs

    ssh user@host sftp-server

    I.e. it requests that the SSH server runs the command 'sftp-server'
    instead of giving an interactive shell - just as if you run, say, 'ssh
    user@host echo foo', you would just get the "foo" back and then the
    connection would close, having executed the requested command - you
    never get a prompt from the remote login shell.

    The ssh server does however make use of the remote login shell to run
    the command, by invoking

    $SHELL -c sftp-server

    - the -c option being standard across all shells and meaning "run the
    command given as the next argument" (see the man page for your favorite
    shell). So, in the case where rssh is the account's login shell, the ssh
    server will run

    rssh -c sftp-server

    And that is something you could possibly try, and *not* get an error
    message (but instead get "hung" with the sftp-server expecting you to
    speak the sftp protocol to it:-). Note though that the sftp-server
    command may not be in your $PATH and the command may actually fail for
    that reason, and in real life the ssh server will normally instead run
    the command that is specified for "Subsystem sftp" in sshd_config
    (e.g. on my FreeBSD box here it is /usr/libexec/sftp-server) - as I
    said, this is a bit simplified.

    In any case trying to run anything *else* via -c, e.g. 'rssh -c ls',
    should be rejected - as should not giving -c and a following arg at all,
    which you already verified. A more meaningful test might be to actually
    test an account that has rssh as login shell, since that's your goal
    anyway:

    All of these should be rejected:

    ssh user@host
    ssh user@host echo foo
    trying to log in as 'user' in any other way, e.g. on console

    - while this should work:

    sftp user@host

    --Per Hedeland
    per@hedeland.org
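
The checks listed at the end of the reply above, as an added example script that is not part of the original thread. It assumes key-based authentication so that ssh and sftp can run without prompting; the function names and the marker string are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes key-based authentication.
# MARKER is a constructed string; the remote side prints "ran-$MARKER" only if
# a real shell executed our printf, so echoed or logged command text cannot match.
MARKER="rssh-test-$$"

run_ssh() { ssh -T -o BatchMode=yes "$@" 2>&1; }

# 'ssh user@host': the login shell is started without -c. A normal shell
# would execute the line fed on stdin; rssh should refuse and exit.
interactive_rejected() {
    out=$(printf 'printf %%s-%%s ran %s\n' "$MARKER" | run_ssh "$1") || true
    case $out in *"ran-$MARKER"*) return 1 ;; esac
    return 0
}

# 'ssh user@host <command>': sshd runs "$SHELL -c <command>"; rssh should
# reject anything that is not one of its allowed commands.
command_rejected() {
    out=$(run_ssh "$1" "printf %s-%s ran $MARKER" </dev/null) || true
    case $out in *"ran-$MARKER"*) return 1 ;; esac
    return 0
}

# 'sftp user@host': one batch command must succeed through the sftp subsystem.
sftp_allowed() {
    printf 'pwd\n' | sftp -b - -o BatchMode=yes "$1" >/dev/null 2>&1
}

check_account() {
    rc=0
    if interactive_rejected "$1"; then echo "PASS: interactive login rejected"
    else echo "FAIL: interactive shell ran our input"; rc=1; fi
    if command_rejected "$1"; then echo "PASS: remote command rejected"
    else echo "FAIL: remote command was executed"; rc=1; fi
    if sftp_allowed "$1"; then echo "PASS: sftp works"
    else echo "FAIL: sftp did not work"; rc=1; fi
    return $rc
}

# Usage: sh check_rssh.sh user@host
if [ "$#" -eq 1 ]; then check_account "$1"; fi
```

A connection or authentication failure also counts as "rejected" in the first two checks, so read them together with the sftp result.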
