Hello,
Following my previous post, I am still looking for a solution for a secure sftp. I have read several tutorials and tried more than one.
I use ssh to connect to my Raspberry, which runs Raspbian wheezy; some programs don't seem to like it.
Anyway, I chose to use rssh, with this tutorial: trustonme.net/didactels/318.html
and this one to complete it (which I had actually tried first, but the proposed script didn't work): http://www.isalo.org/wiki.debian-fr/index.php?title=Serveur_sftp_%2Brssh%2Bchroot
or also: serveur-sftp-shell-reduit-rssh-et-chroot-t27796.html
I should point out that I can connect perfectly well over ssh or sftp, or use scp, with the other users on my Raspberry.
First of all, what happens when I try to connect:
[code]sftp -v -P 22222 share@raspberry
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to raspberry [78.114.61.114] port 22222.
debug1: Connection established.
debug1: identity file /home/turlutton/.ssh/id_rsa type -1
debug1: identity file /home/turlutton/.ssh/id_rsa-cert type -1
debug1: identity file /home/turlutton/.ssh/id_dsa type -1
debug1: identity file /home/turlutton/.ssh/id_dsa-cert type -1
debug1: identity file /home/turlutton/.ssh/id_ecdsa type -1
debug1: identity file /home/turlutton/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3
debug1: match: OpenSSH_6.0p1 Debian-3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 24:fa:0c:50:44:6f:3a:ac:a8:aa:49:0c:26:b8:a0:66
debug1: Host '[raspberry]:22222' is known and matches the ECDSA host key.
debug1: Found key in /home/turlutton/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/turlutton/.ssh/id_rsa
debug1: Trying private key: /home/turlutton/.ssh/id_dsa
debug1: Trying private key: /home/turlutton/.ssh/id_ecdsa
debug1: Next authentication method: password
share@raspberry's password:
debug1: Authentication succeeded (password).
Authenticated to raspberry ([78.114.61.114]:22222).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = fr_FR.UTF-8
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1864, received 1600 bytes, in 0.2 seconds
Bytes per second: sent 7527.2, received 6461.1
debug1: Exit status 1
Connection closed
[/code]
I get the same thing with localhost.
syslog:
[code]Jan 22 10:34:03 raspberrypi rssh[26623]: setting log facility to LOG_USER
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing sftp to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing scp to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing rsync to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: setting umask to 022
Jan 22 10:34:03 raspberrypi rssh[26623]: chrooting all users to /home/share
Jan 22 10:34:03 raspberrypi rssh[26623]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
[/code]
daemon.log
[code]Jan 22 10:34:03 raspberrypi rssh[26623]: setting log facility to LOG_USER
[/code]
auth.log
[code]Jan 22 10:34:02 raspberrypi sshd[26615]: Accepted password for share from 31.33.24.168 port 55684 ssh2
Jan 22 10:34:02 raspberrypi sshd[26615]: pam_unix(sshd:session): session opened for user share by (uid=0)
Jan 22 10:34:03 raspberrypi sshd[26622]: subsystem request for sftp by user share
Jan 22 10:34:03 raspberrypi sshd[26622]: Received disconnect from 31.33.24.168: 11: disconnected by user
Jan 22 10:34:03 raspberrypi sshd[26615]: pam_unix(sshd:session): session closed for user share
[/code]
debug
[code]Jan 22 10:34:03 raspberrypi rssh[26623]: setting log facility to LOG_USER
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing sftp to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing scp to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing rsync to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: setting umask to 022
Jan 22 10:34:03 raspberrypi rssh[26623]: chrooting all users to /home/share
[/code]
user.log (same as debug)
[code]Jan 22 10:34:03 raspberrypi rssh[26623]: allowing sftp to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing scp to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: allowing rsync to all users
Jan 22 10:34:03 raspberrypi rssh[26623]: setting umask to 022
Jan 22 10:34:03 raspberrypi rssh[26623]: chrooting all users to /home/share
Jan 22 10:34:03 raspberrypi rssh[26623]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
[/code]
Regarding how I applied the tutorials:
/etc/rssh.conf
[code]logfacility = LOG_USER
allowsftp
allowscp
allowrsync
umask = 022
chrootpath="/home/share"
[/code]
(rssh.conf: -rw-r--r-- 1 root root 99 janv. 21 19:28 rssh.conf)
/home/share: (ll -R)
[code]total 44K
drwxr-xr-x 6 share share 4,0K janv. 21 23:33 ./
drwxr-xr-x 4 root root 4,0K janv. 21 16:35 ../
-rw------- 1 share share 641 janv. 21 22:00 .bash_history
-r--r--r-- 1 share share 220 janv. 21 16:35 .bash_logout
-r--r--r-- 1 share share 3,4K janv. 21 17:05 .bashrc
drwxr-xr-x 2 share share 4,0K janv. 21 23:27 dev/
drwxr-xr-x 2 share share 4,0K janv. 21 23:34 etc/
drwxr-xr-x 2 share share 4,0K janv. 21 19:17 lib/
-rw-r--r-- 1 114 124 249 déc. 20 18:58 pistore.desktop
-r--r--r-- 1 share share 675 janv. 21 16:35 .profile
drwxr-xr-x 4 share share 4,0K janv. 21 19:07 usr/
./dev:
total 8,0K
drwxr-xr-x 2 share share 4,0K janv. 21 23:27 ./
drwxr-xr-x 6 share share 4,0K janv. 21 23:33 ../
crw-r--r-- 1 share share 1, 3 janv. 21 23:27 null
./etc:
total 12K
drwxr-xr-x 2 share share 4,0K janv. 21 23:34 ./
drwxr-xr-x 6 share share 4,0K janv. 21 23:33 ../
-rw-r--r-- 1 share share 24 janv. 21 23:34 passwd
./lib:
total 1,7M
drwxr-xr-x 2 share share 4,0K janv. 21 19:17 ./
drwxr-xr-x 6 share share 4,0K janv. 21 23:33 ../
-rwxr-xr-x 1 share share 124K janv. 21 19:17 ld-linux-armhf.so.3*
-rw-r--r-- 1 share share 46K janv. 21 19:17 libbsd.so.0
-rwxr-xr-x 1 share share 7,2K janv. 21 19:15 libcofi_rpi.so*
-rwxr-xr-x 1 share share 1,2M janv. 21 19:16 libc.so.6*
-rw-r--r-- 1 share share 111K janv. 21 19:14 libedit.so.2
-rw-r--r-- 1 share share 129K janv. 21 19:16 libgcc_s.so.1
-rw-r--r-- 1 share share 111K janv. 21 19:17 libtinfo.so.5
./usr:
total 16K
drwxr-xr-x 4 share share 4,0K janv. 21 19:07 ./
drwxr-xr-x 6 share share 4,0K janv. 21 23:33 ../
drwxr-xr-x 2 share share 4,0K janv. 21 19:03 bin/
drwxr-xr-x 4 share share 4,0K janv. 21 22:46 lib/
./usr/bin:
total 196K
drwxr-xr-x 2 share share 4,0K janv. 21 19:03 ./
drwxr-xr-x 4 share share 4,0K janv. 21 19:07 ../
-rwxr-xr-x 1 share share 26K janv. 21 19:03 rssh*
-rwxr-xr-x 1 share share 58K janv. 21 19:03 scp*
-rwxr-xr-x 1 share share 98K janv. 21 19:03 sftp*
./usr/lib:
total 16K
drwxr-xr-x 4 share share 4,0K janv. 21 22:46 ./
drwxr-xr-x 4 share share 4,0K janv. 21 19:07 ../
drwxr-xr-x 2 share share 4,0K janv. 21 22:46 openssh/
drwxr-xr-x 2 share share 4,0K janv. 21 19:09 rssh/
./usr/lib/openssh:
total 64K
drwxr-xr-x 2 share share 4,0K janv. 21 22:46 ./
drwxr-xr-x 4 share share 4,0K janv. 21 22:46 ../
-rwxr-xr-x 1 share share 54K janv. 21 19:10 sftp-server*
./usr/lib/rssh:
total 36K
drwxr-xr-x 2 share share 4,0K janv. 21 19:09 ./
drwxr-xr-x 4 share share 4,0K janv. 21 22:46 ../
-rwsr-xr-x 1 share share 26K janv. 21 19:09 rssh_chroot_helper*
[/code]
Note: as you can see, unlike the tutorials, my rssh_chroot_helper is for example in /usr/lib/rssh; I actually reproduced the tree that I have on my system. But maybe rssh needs this file and it has to go in the tree the tutorials suggest, I don't know. I did what seemed most logical to me.
Confirmed by this post: forum.parallels.com/printthread.php?t=84683
/home/share/etc/passwd
I'm not sure about this file; I did as in this tutorial: sd12s.fdn.fr/realisations/tutos/ … hroot.html
/etc/passwd:
[code]root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
pi:x:1000:1000:,,,:/home/pi:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
ntp:x:102:104::/home/ntp:/bin/false
statd:x:103:65534::/var/lib/nfs:/bin/false
messagebus:x:104:106::/var/run/dbus:/bin/false
usbmux:x:105:46:usbmux daemon,,,:/home/usbmux:/bin/false
lightdm:x:106:109:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:107:110:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:108:112:RealtimeKit,,,:/proc:/bin/false
smmta:x:109:113:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:110:114:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
share:x:1001:1002:,,,:/home/share/:/usr/bin/rssh
[/code]
/etc/ssh/sshd_config
[code]# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22222
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Put here the users who are allowed to log in over ssh
Allowusers share
AllowUsers pi
#AllowUsers autre_user_a_qui_vous_autorisez_ssh
[/code]
So there you go, I have flooded you with information; I hope it isn't too messy. If you need anything else …
Thanks for your help
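As an added example (not part of the original post, and not from rssh or OpenSSH), here is a small POSIX sh script that runs the checks a reviewer would apply to a jail laid out like /home/share above: every library the host's sftp-server links against must exist at the same path inside the jail, dev/null must be a real character device, and the jail root should be root-owned and not group- or world-writable. The last two checks are general chroot hygiene assumed here, not a documented rssh requirement, and the library list is parsed from the output format of glibc's ldd.

```shell
#!/bin/sh
# Sanity checks for a chroot tree meant to run /usr/lib/openssh/sftp-server.
# Each function takes the jail root as its first argument and returns 0 when
# the check passes; problems are printed as they are found.

# Reads absolute library paths on stdin, one per line (the paths ldd prints
# for the host copy of the binary), and reports those absent under the jail.
check_chroot_libs() {
    jail="$1"; status=0
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -e "$jail$lib" ]; then
            echo "missing library: $jail$lib"
            status=1
        fi
    done
    return "$status"
}

# sftp-server (and libc) open /dev/null; inside the jail it must be a
# character device created with mknod, not an empty regular file.
check_dev_null() {
    [ -c "$1/dev/null" ] || { echo "$1/dev/null is not a character device"; return 1; }
}

# Jail hygiene (assumption: general chroot hardening, not an rssh-specific
# rule): the jail root must not be writable by its group or by others ...
check_jail_root_not_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. drwxr-xr-x
    case "$perms" in
        ?????w*|????????w*) echo "$1 is group- or world-writable ($perms)"; return 1 ;;
    esac
}

# ... and should belong to root (uid 0), so the jailed user cannot rearrange it.
check_jail_root_owner() {
    owner=$(ls -ldn "$1" | awk '{print $3}')
    [ "$owner" = 0 ] || { echo "$1 is owned by uid $owner, not root"; return 1; }
}

# Run everything against one jail and the host binary it is meant to execute:
#   check_jail /home/share /usr/lib/openssh/sftp-server
check_jail() {
    jail="$1"; rc=0
    ldd "$2" | awk '/=> \// {print $3} $1 ~ /^\// {print $1}' | check_chroot_libs "$jail" || rc=1
    check_dev_null "$jail" || rc=1
    check_jail_root_not_writable "$jail" || rc=1
    check_jail_root_owner "$jail" || rc=1
    return "$rc"
}
```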