Mailinglist Archive: opensuse-security (465 mails)

< Previous Next >
RE: [suse-security] sftp without without a valid shell?
  • From: John Ritchie <ritchiej@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 9 Dec 2001 07:23:32 -0800 (PST)
  • Message-id: <Pine.LNX.4.33.0112090714030.9809-100000@xxxxxxxxxxxxxxxxxxxxxxxxx>
On Tue, 4 Dec 2001, Boris Lorenz wrote:

> Hi John,
>
> On 01-Dec-01 John Ritchie wrote:

[much stuff cut]

> >
> > The way I solved this (on Solaris with Openssh) was to set the sftp-only
> > user's shell to be the sftp-server binary (/usr/local/libexec/sftp-server
> > on my Solaris openssh build). I did not have to add this to /etc/shells.
> > I haven't tried this on a SuSE box.
>
> I've tried it on one of our linux boxes, and it doesn't work. The error:
>
> "Warning: ssh_packet_wrapper_input: invalid packet received: len 1819239269
> closing the offending input channel."
>
> (Btw., the same error occurs with shells like false, noshell, etc.).
>
> Maybe Solaris "wraps" sftp/ssh sessions differently than Linux. According to
> sftp's (Linux-)man page, sftp uses a sub-system from sshd to transfer files
> securely. I don't know much about the ssh implementation on Solaris, tho.

I remember encountering this error while testing but I got around it
somehow. I'm thinking it had to do with versions of openssh (or maybe I
saw that on the commercial SSH server?) or misconfigured sshd_config (sftp
subservice not turned on?) or something like that. I'm sorry I don't
remember the details; it's been several months and I didn't document it so
it's gone. Sorry I can't be more exact.

I tested using the sftp-server as shell on a SuSE 7.0 machine with openssh
2.9.9p2-27 and it worked for me. What version of ssh are you using?

John



< Previous Next >
Follow Ups
References