Everybody Staze...

Nobody leavz...

chroot sftp on 10.5 Server

By

Looking around online, I found several instances of people wanting to chroot sftp on 10.5 server. The purpose being, they want to give access to sftp for users they may not trust, and want to keep them where they belong over sftp.

Unfortunately, there were a couple pieces missing from the instructions. So, thought I would fix that.

First, make a backup of /etc/sshd_config. While it should be easy enough to back out these changes, it’s just good practice to make a backup.

Second, create a directory for the “jail”. In my case, this was in /Volumes/Data/Websites/username.

The key here is that all directories up to and including the username directory must be read only by everyone but root when it comes to POSIX directories. So / would need to be root:group, and something like rwxr-xr-x. That goes for /Volumes, /Volumes/Data and /Volumes/Data/Websites.

The rest is all in the /etc/sshd_config

Comment out (with a #):

Subsystem sftp /usr/libexec/sftp-server

And add:

Subsystem sftp internal-sftp

At the end of the sshd_config, add:

Match User username
ChrootDirectory /Volumes/Data/Websites/username/
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

Or, if you want to enforce on a group:

Match Group usergroup
ChrootDirectory /Volumes/Data/Websites/
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

You can add both, and ssh will read from first to last. So, if you want specific users to go to specific folders, you can add them first, then end with a group policy.

Lastly, while testing this, make sure to watch /var/log/secure.log. You’ll see errors there when it doesn’t work. My problem, when working on this, was the write ability for users other than root on the parent directories. I had to systematically remove group and other write before it would work.

Those errors looked like:

fatal: bad ownership or modes for chroot directory component "/"

In the case of the root directory.

Lastly, this will remove SSH capability for the user specified. They will only be able to SFTP, but they’ll be locked into the directory specified. Great for a random student groups, in my case, that need to have a website, but you don’t necessarily want running wild on your system.

AFP, Kerberos, and 10.6

By

UPDATE: Monday after a scheduled outage, I demoted my OD replicas to standalone (safer this way, I think), then ran `mkpassdb -kerberize` on the OD Master. About 5 minutes later, I had gone from 3500 Kerberos Principals to about 9500 (about 1500 of those are really old entries that I’ll clear out over the summer). I then added the replicas back. At that point, `kinit username` for previously failing users. We shall see.

UPDATE 2: Two days after the above, we have not seen any users having problems logging in. I will be talking to my AppleCare Enterprise friend tomorrow and seeing if he can shed some light on why AFP is trying to use Kerberos even though it’s supposed to only do “Standard” auth. More to come…

UPDATE 3: Well, that was nice while it lasted. Starting this week, on Monday, we started getting 2-3 users per day that couldn’t log in. Restarting AFP is the only way to get them logging in again. So, I’ve been doing that at about 6:45am each morning. So, I’ve got an open case with Apple at this point seeing what they can figure out. So far, it’s completely stumped them. We’ll have to see.

Starting with 10.5.7, I would occasionally see users (a small subset of users) that when they tried to login from a managed client (loginwindow, 10.5.8 client), they would get an error stating “You cannot login at this time because an error occurred”. If you then went to a computer that was unmanaged, and attempted to do a “Go-Connect to Server” and connect to the server over AFP, you would be presented with their home directory, only blank. Trying to connect over SMB would work, and everything was there.

The only way to make AFP work again would be to restart the AFP process. Obviously, this was really annoying, but I never could figure out the cause. Over the course of the summer break, we upgraded to 10.6 server, and didn’t see any instances of it.

Queue Fall term. We started seeing this problem the first week of the term, though slightly different. First, the clients are still 10.5.8 since we have about 36 PPC machines still in use (all G5 iMacs). Affected users would still get “Unable to login at this time because an error occurred”. So, I email a buddy that works for AppleCare Enterprise and forward on some log entries when it happens. Only things he sees are some IPv6 related messages (which is odd, since IPv6 is disabled), and maybe a Kerberos message… which, I don’t think much about at the time. Trying to connect to the server from “Go->Connect to Server” from an unmanaged client over AFP would result in a message saying “You do not have permission for any shares on this server”. Over SMB would result in seeing the shares, but trying to mount them would give you a permission denied error.

So, I go over my notes from the 10.5.x server days, and because it seemed to make things better with 10.5 server, I change AFP’s Authorization from “Any” to “Standard”. No change in results.

I bang my head against this for several days, trying many different options, but really don’t hit upon anything until an unrelated issue, where I am playing with some ACLs, and notice that if I “Deny” “Full Control” on a folder to a certain group, the folder disappears for that group. Not just “No access”, but it full on disappears. Huh. So many the issue is some kind of permissions thing. But, as my friend at AppleCare Enterprise mentions, the Effective Permissions Inspector (http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c2fs28.html) shows the permissions are fine for the user’s home folder. Okay…

So, I dig around some more, and randomly try “kinit” for an affected user. “kinit: Unable to acquire credentials for ‘[email protected]’: Client not found in Kerberos database”. Hmmm. so I try for another affected user… same thing. I try it for all the users I’ve got records for having seen this issue. All are missing kerberos records. Well shit. So, I use kadmin to add a record for one of the users that’s seeing the problem (`kadmin -p admin -q addprinc [email protected]` then type in the admin password, and their password twice). It adds, and after propagating, I can kinit. But, AFP still doesn’t work. Few hours later, I try AFP again, and I am allowed to mount their home, but it’s blank. Holy crap! Back to the 10.5.8 symptom. So obviously I’m getting somewhere. Later that night, I restart AFP, and suddenly the user account works perfectly. Ah ha!

K, so I get a list of all the kerberos principals on the server, ~3500. Hmm… given we have about 7600 users in the OD, that seems like a problem. But, after looking at most of the users that are seeing this, I find they’re all older user accounts. Meaning they were created when the OD Master was an older machine (G4 Xserve, or an old Quicksilver) running 10.3.9 or 10.4.x (depending on how old the accounts were). All the newer accounts seem to have Kerberos records. But, when we upgraded to 10.6 Server on the OD from 10.5, it seems ALL accounts got an attribute added that says “altSecurityIdentities: Kerberos:[email protected]”. Hmm… I guess I could see this causing an issue.

So the question, other than “why do these users not have kerberos principals?” is “Why is AFP using Kerberos if it’s authorization is set to Standard?” This seems like a bug, or there’s something going on I’m not understanding. Obviously it seems the auth system in SMB changed a bit too between 10.5 and 10.6, since it used to behave differently.

Either way, I’ll be running “mkpassdb -kerberize” on the OD Master on Monday during our systems outage (there is a scheduled, 2 hour, power outage to test power resiliency on campus) (I already ran a test case on a test OD master, and it did add kerberos entries for all the users. So, that’s nice). This should hopefully resolve this issue permanently. I will update this post once I’ve kerberized all users, and things work, and I’ll update again later next week once I know whether or not it resolved the issue. I’m also expecting some info back from my friend about why this might be happening with AFP.

One thing I will say… this has really got me looking at Kerberos. Previous to this, I didn’t really use it at all on our systems. But since playing with it, it seems pretty damn cool. =)

Well, more in a few days.

PHP 5.3 upgrade

By

UPDATE: It appears there is a problem with the Entropy build of PHP 5.3.0, which prevents fopen’s from working. Not sure if it’s because it’s running on a PPC, or if there’s just something up with the build. At this point, I’ve moved back to PHP 5.2.9. In the next month or so, I’ll probably move back to PHP 5.3.1, but there will be more about that later.

So, yesterday I spent a good chunk of the day working on my website. I started with converting a couple scripts I run on the site (my gas info on the right, my power history, etc) from PEAR MDB2 to PDO. This really wasn’t that bad, and PDO seems faster, but it could just be perception.

More importantly, I upgraded PHP on the server to 5.3.0 from 5.2.9. For the most part, everything worked great… though Twitter Tools has stopped grabbing new tweets, and a few WordPress plugins are throwing errors dealing with strpos() rss.php.

The twitter tools error thrown is:
[Mon Jan 11 21:24:50 2010] [error] [client 10.0.2.1] PHP Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: System error in /path/to/website/wp-includes/class-snoopy.php on line 1142
[Mon Jan 11 21:24:50 2010] [error] [client 10.0.2.1] PHP Warning: fsockopen(): unable to connect to twitter.com:80 (php_network_getaddresses: getaddrinfo failed: System error) in /path/to/website/wp-includes/class-snoopy.php on line 1142

And yes, allow_url_fopen is enabled. Can’t figure it out at all.

The error other plugins are throwing is:
strpos() expects parameter 1 to be string, array given in /path/to/website/wp-includes/rss.php on line 577

I hope to get these fixed… but at this point, I can’t figure out what’s going on. =(

Obviously the possibilities are:

  • Bug in php
  • Bug in scripts
  • Some misconfiguration in php.ini

I don’t think it’s the last option, but I’m not 100% positive.

Anyway… that’s all for now.

Happy new year!