SFTP server on RHEL6 disconnects on ls

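I followed the steps outlined here to create a chrooted sftp environment. Everything works well except the ls command. When I run ls with any flags, I am immediately disconnected.

When I strace the PID, I get this (nothing better than this).

Any ideas? I'm at my wit's end.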

```
Process 7071 attached - interrupt to quit
select(5, [3], [], NULL, NULL)          = 1 (in [3])
read(3, "\0\0\0\n\v\0\0\0\2\0\0\0\1/", 16384) = 14
open("/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
select(5, [3], [4], NULL, NULL)         = 1 (out [4])
write(4, "\0\0\0\rf\0\0\0\2\0\0\0\4\0\0\0\0", 17) = 17
select(5, [3], [], NULL, NULL)          = 1 (in [3])
read(3, "\0\0\0\r\f\0\0\0\3\0\0\0\4\0\0\0\0", 16384) = 17
getdents(5, /* 3 entries */, 32768)     = 80
lstat("/.", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
stat("/etc/localtime", 0x7fff44193d90)  = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
close(4)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
lstat("/..", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
lstat("/attreport", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
getdents(5, /* 0 entries */, 32768)     = 0
select(5, [3], [4], NULL, NULL)         = -1 EBADF (Bad file descriptor)
sendto(7, "<83>Feb 27 22:02:23 sshd[7071]: "..., 66, MSG_NOSIGNAL, NULL, 0) = -1 EBADF (Bad file descriptor)
close(7)                                = -1 EBADF (Bad file descriptor)
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
connect(4, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
exit_group(2)                           = ?
Process 7071 detached
```

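Answer 1

This ended up being a problem with Likewise Open. "ls" is the only command in sftp that tries to resolve UID/GID, and when it does so it goes to Likewise to resolve them, and once it does, it crashes.

/etc/nsswitch.conf is set to use files first:

    passwd:     files lsass
    shadow:     files
    group:      files lsass

But for some reason it still goes to Likewise. The solution was to add the correct group to "RequireMembershipOf", which for RHEL6 is located in /opt/likewise/bin/lwconfig.txt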
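The per-entry lookups this answer describes can be read straight out of the trace in the question. The following is an added example, not part of the original post: it groups the `ENOENT` failures under the directory entry that `ls` had just `lstat()`'d. The function name `lookups_per_entry` is hypothetical, and the input is an excerpt of the question's trace.

```python
import re

# Excerpt of the strace output from the question (socket/fcntl/close lines dropped).
TRACE = '''
getdents(5, /* 3 entries */, 32768)     = 80
lstat("/.", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
stat("/etc/localtime", 0x7fff44193d90)  = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
lstat("/attreport", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
getdents(5, /* 0 entries */, 32768)     = 0
connect(4, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
'''

# syscall(args) = return [errno]
CALL = re.compile(r'^\s*(\w+)\((.*)\)\s+= (-?\d+)(?: (E[A-Z]+))?')
PATH = re.compile(r'"(/[^"]*)"')

def lookups_per_entry(trace):
    """For each lstat()'d directory entry, the distinct paths that then failed with ENOENT."""
    result, current = {}, None
    for line in trace.splitlines():
        m = CALL.match(line)
        if not m:
            continue
        name, args, ret, err = m.groups()
        p = PATH.search(args)
        if name == "getdents":
            current = None                      # a new batch of entries, or end of listing
        elif p and name == "lstat" and ret == "0":
            current = p.group(1)
            result[current] = []
        elif p and err == "ENOENT" and current is not None:
            if p.group(1) not in result[current]:
                result[current].append(p.group(1))
    return result

if __name__ == "__main__":
    for entry, missing in lookups_per_entry(TRACE).items():
        print(entry, "->", ", ".join(missing))
```

Every entry shows the same sequence: the `files` source fails on `/etc/passwd` and `/etc/group`, and the `lsass` source then fails to reach its socket, all of which live outside the chroot.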

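Answer 2

Had the same problem, but running on RHEL 5.5.
Openssh-server 5.x using the internal chroot together with Match statements and pbis AD integration. Found two workarounds:

  1. Change the passwd and group lines in /etc/nsswitch.conf

    passwd:     files lsass

    to look like:

    passwd:     files [UNAVAILABLE=return] lsass

  2. Create /etc/passwd and /etc/group files in the root of the chroot environment. The files only need to hold a minimal set of records, based on the owners of the underlying files and directories.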
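
One way to carry out workaround 2 without copying the host's full account files into the jail, as an added example that is not part of the original answer: the script walks the chroot, collects the owning UIDs and GIDs, and writes one minimal line for each. The function names, the `/` home and `/sbin/nologin` shell fields, and the `uidN`/`gidN` fallback names are assumptions of this example.

```python
import grp
import os
import pwd
import sys

def collect_owners(chroot):
    """UIDs and GIDs that own anything under chroot (symlinks are not followed)."""
    uids, gids = set(), set()
    for root, dirs, files in os.walk(chroot):
        for name in ["."] + dirs + files:
            st = os.lstat(os.path.join(root, name))
            uids.add(st.st_uid)
            gids.add(st.st_gid)
    return uids, gids

def passwd_line(uid):
    try:
        pw = pwd.getpwuid(uid)           # resolved on the host, outside the chroot
        name, gid = pw.pw_name, pw.pw_gid
    except KeyError:
        name, gid = "uid%d" % uid, uid   # assumed placeholder for unresolvable owners
    # No hash, real home or real shell is copied: ls only needs uid -> name.
    return "%s:x:%d:%d::/:/sbin/nologin\n" % (name, uid, gid)

def group_line(gid):
    try:
        name = grp.getgrgid(gid).gr_name
    except KeyError:
        name = "gid%d" % gid             # assumed placeholder, as above
    return "%s:x:%d:\n" % (name, gid)    # member list left empty

def minimal_nss(chroot):
    """Return (passwd_text, group_text) covering only the owners found in chroot."""
    uids, gids = collect_owners(chroot)
    return ("".join(passwd_line(u) for u in sorted(uids)),
            "".join(group_line(g) for g in sorted(gids)))

def install(chroot):
    passwd, group = minimal_nss(chroot)  # computed before etc/ is created
    etc = os.path.join(chroot, "etc")
    os.makedirs(etc, exist_ok=True)
    for fname, text in (("passwd", passwd), ("group", group)):
        path = os.path.join(etc, fname)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)            # readable by the chrooted session

if __name__ == "__main__":
    install(sys.argv[1])
```

Run it as root with the chroot path as the only argument, and rerun it whenever files with new owners are placed in the jail.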

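Answer 3

If you only run sftp, you can configure your sshd to use the internal SFTP. sftp will then have all commands built in, in a minimal version - the chroot only needs /dev/null, zero, random, urandom to work. ls will also be a built-in command.

No more struggling to keep the binaries and libraries in the chroot up to date...

Answer 4

For me, a similar error, where sftp ls failed through the chroot while sftp get succeeded, was resolved by copying /etc/group and /etc/passwd to my chroot. It didn't seem to need any /dev files. Although I chroot to a remote cifs mount, no changes to /etc/nsswitch.conf seemed necessary.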
