
Restricted sftp access with rssh and ssh chroot

OpenSSH 4.9 was the first version of the famous daemon that came with a built-in chroot functionality (changelog). Chrooting the sshd and restricting the shell access to a few commands can be a great solution to grant a few users secure access to exchange files. We will use the rssh shell to only allow sftp access for one user, locked to his chrooted home directory. Since it is dangerous to give a user write access to the root of a chroot, you have to create the user’s home directory inside the chroot. In this example /home/ftp will be the chroot and /home/ftp/secftp is the home directory of the user, the place where he finds himself when connecting to the machine.

Install the rssh shell with

$ aptitude install rssh

and adjust the config file for the user secftp to allow sftp access.

$ vim /etc/rssh.conf

user=secftp:027:00010 #user:umask:proto

Then add the new user secftp (with /secftp as home and /usr/bin/rssh as shell) to your system and set a password.

$ useradd -d /secftp -s /usr/bin/rssh -g users secftp
$ passwd secftp

Create the directory and adjust the ownership so secftp can read/write and other group members can read the uploaded files.

$ mkdir -p /home/ftp/secftp
$ chown secftp:users /home/ftp/secftp

Edit your sshd configuration and add the user specific options for your chroot. Don’t forget to add secftp to your AllowUsers (which you should have configured :)).

$ vim /etc/ssh/sshd_config

AllowUsers secftp

Subsystem sftp internal-sftp

Match User secftp
   ChrootDirectory /home/ftp
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

Restart the sshd daemon and you should be done.

Sources:
http://www.gossamer-threads.com/lists/openssh/dev/44657
http://hp.kairaven.de/scpsftp/ssh-rssh-sftp.html
http://www.debian-administration.org/articles/590

Running TweetDeck on the Linux XFCE desktop

Update: For a full tutorial on how to setup Adobe Air and Tweetdeck on 64bit Ubuntu, take a look here.

Starting TweetDeck on a Linux desktop other than Gnome or KDE will result in the error message

Oops, TweetDeck can’t find your data

because TweetDeck doesn’t support other desktops by default. You only learn the real reason when you start it from the command line:

Unknown desktop manager, only Gnome and KDE are supported

For example, TweetDeck needs a running gnome-keyring-daemon, otherwise it has no place to save your account/password information. To start TweetDeck, adjust DIRNAME to your installation and use this script.

#!/bin/bash
# PID of the running keyring daemon; passing it as GNOME_DESKTOP_SESSION_ID
# makes TweetDeck treat the session as a supported Gnome desktop
GNOME_KEYRING=$(pidof gnome-keyring-daemon)
DIRNAME="/opt/TweetDeck/bin"
GNOME_DESKTOP_SESSION_ID=$GNOME_KEYRING "$DIRNAME/TweetDeck" &

Virtual Box: Shared Folder on Linux host and Linux guest

Much like setting up a shared folder on a Linux host and a Windows guest, you need to create the folder to share on your host system and add it to your shared folders list in Virtualbox. You also need a mountpoint inside your virtual system (in this case: /mnt/VirtualBoxExchange).
Mounting it is done with the command

mount -t vboxsf VirtualBoxExchange /mnt/VirtualBoxExchange

Done.

Using a SSH config file

Create the config file in your .ssh directory if it doesn’t already exist.

touch /home/pat/.ssh/config

Open the file and add your configuration:

Host xmp
HostName example.com
User username
Port 2222

Where Host is the name of the shortcut. You can also add other options like

PubkeyAuthentication yes
PasswordAuthentication no
ServerAliveInterval 25
ServerAliveCountMax 150

or another Host to your configuration. Take a look at the ssh_config manpage for more options.
You can now use your shortcut with

ssh xmp

Opera Mini on Android also a Proxy-Browser

Today Marc Ruef released an article about Opera Mini on the iPhone and pointed out that all traffic is routed through Opera’s own proxy server. Opera isn’t allowed to use its own rendering engine on the iPhone because of Apple’s strict license. Opera Mini just provides another frontend for Apple’s Safari engine, while the rendering happens on Opera’s server.
Users of Opera Mini should be aware that all their traffic could be analysed and used for data mining.

A quick test reveals that the Android version of Opera Mini also uses Opera’s own server as a proxy.

t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/wp-content/themes/decoder/img/bg-meta.gif HTTP/1.1" 404 2400 "http://www.carrier-lost.org/blog/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"

Where t09-07.opera-mini.net is the proxy server.
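If you run a web server and want to see how much of your traffic arrives through that proxy, the following added example (not part of the original post) picks the proxied requests out of an Apache combined-format access log. The first two sample lines are the post's log entries with straight quotes; the third, from 192.0.2.10 with a desktop browser, is constructed as a non-proxied control.

```python
"""Flag requests that came through the Opera Mini proxy in an Apache
"combined" access log. Added example, not from the original post."""
import re

# combined LogFormat: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# constructed sample: two lines from the post, one non-proxied control line
SAMPLE_LOG = """\
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
192.0.2.10 - - [16/Apr/2010:13:28:01 +0200] "GET /blog/ HTTP/1.1" 200 3886 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
"""


def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def via_opera_mini(entry):
    """True when the request came through Opera's proxy: the remote host is in
    opera-mini.net (as the post's log shows) or the User-Agent names Opera Mini.
    Either way the logged client address is Opera's server, not the user's."""
    host = entry["host"].lower()
    return host.endswith(".opera-mini.net") or "Opera Mini" in entry["agent"]


def proxied_requests(log_text):
    """Return (request, status) pairs for every proxied entry in the log text."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and via_opera_mini(entry):
            found.append((entry["request"], int(entry["status"])))
    return found


if __name__ == "__main__":
    for request, status in proxied_requests(SAMPLE_LOG):
        print(status, request)
```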

syslog-ng on vServer with Debian Lenny

Starting syslog-ng on a vServer with Debian Lenny fails with the message:

/etc/init.d/syslog-ng restart
Starting system logging: syslog-ng
Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
Error initializing source driver; source='s_all' failed!
Error initializing source driver; source='s_all'

You have to comment out a few lines in /etc/syslog-ng/syslog-ng.conf since syslog-ng doesn’t have direct access to the kernel messages. Under "Sources"

file("/proc/kmsg" log_prefix("kernel: "));

and

# kern.* -/var/log/kern.log
log {
source(s_all);
filter(f_kern);
destination(df_kern);
};

Syslog-ng should start just fine now.