- Robert Gease
November 1, 2004, 5:55 pm
I set up a no login sftp account by adding
/usr/lib/ssh/sftp-server in /etc/passwd (solaris 9).
Everything works, but when I do try to login with the account
it hangs indefinitely and requires me to enter about 5-6X
before it actually does kick me out.
If I do not press enter, it will show up in who as logged in,
and will sit there indefinitely.
This seems like odd behavior and I am wondering if there is
a default I need to change somewhere?
Any help appreciated.
- Richard E. Silverman
November 2, 2004, 3:09 am
RG> I set up a no login sftp account by adding
RG> /usr/lib/ssh/sftp-server in /etc/passwd (solaris 9).
RG> Everything works, but when I do try to login with the account it
RG> hangs indefinitely and requires me to enter about 5-6X before it
RG> actually does kick me out.
RG> If I do not press enter, it will show up in who as logged in, and
RG> will sit there indefinitely.
RG> This seems like odd behavior
It's not odd; it's exactly to be expected. You have not set up a
"no-login" account; if you had, it wouldn't do you much good. You have an
account which can log in just as before; you've simply changed which
program is run on login. The program is the sftp server; it is waiting
for its peer to begin speaking the sftp protocol. It has no timeout, and
will wait indefinitely for the peer to begin.
When you hit the enter key over and over, you are sending gibberish which
it can't parse as part of the sftp protocol. When it sees enough of this,
it closes the connection.
RG> and I am wondering if there is a default I need to change
Not really. What you want (I think) is to reject connections intended to
get an interactive shell, while allowing ones intending to do sftp. In
fact, the SSH server does get this information, at least sort of -- sftp
clients generally start the server using an SSH-2 subsystem request, while
simple remote command execution or an interactive shell are started using
different channel requests. Ideally, you'd configure the SSH server to
accept only sftp subsystem requests for this account, and reject other
channel types. You don't say what SSH server software you're using, but I
can't think of any product with that capability. Failing that, you might
try something ad-hoc -- like a wrapper for sftp-server that exits if
there's a tty on stdin.
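A minimal version of the ad-hoc wrapper suggested above, added here as an example and not part of the original thread: installed as the account's login shell in place of sftp-server, it refuses to start when stdin is a terminal (an interactive session) and otherwise hands over to the real server, so the account no longer sits idle forever on a shell login. The wrapper name sftp-wrapper and the logger call are assumptions; it is written for a POSIX shell, so on Solaris 9 run it under ksh or /usr/xpg4/bin/sh rather than the legacy Bourne /bin/sh.

```shell
#!/bin/sh
# Hypothetical login-shell wrapper for a restricted sftp account.
# Install as /usr/local/bin/sftp-wrapper (assumed name) and put that path
# in the account's shell field in /etc/passwd instead of sftp-server.
SFTP_SERVER=/usr/lib/ssh/sftp-server   # path taken from the thread (Solaris 9)

# decide_session: given "tty" or "notty" describing stdin, print "serve"
# when the real sftp-server should be started and "reject" otherwise.
# An interactive shell request makes sshd allocate a pty, so stdin is a
# terminal; an sftp subsystem request leaves stdin as a pipe/socket.
decide_session() {
    case "$1" in
        notty) echo "serve" ;;
        *)     echo "reject" ;;   # tty, or anything unexpected, is refused
    esac
}

# stdin_kind: classify the wrapper's own stdin for decide_session.
stdin_kind() {
    if [ -t 0 ]; then echo "tty"; else echo "notty"; fi
}

main() {
    case "$(decide_session "$(stdin_kind)")" in
        serve)
            exec "$SFTP_SERVER"
            ;;
        *)
            # Log the refusal so these attempts show up in the auth log,
            # then exit instead of leaving sftp-server waiting forever.
            if command -v logger >/dev/null 2>&1; then
                logger -p auth.notice -t sftp-wrapper \
                    "refused interactive login for ${USER:-unknown}"
            fi
            echo "This account is restricted to sftp." >&2
            exit 1
            ;;
    esac
}

# Only act as the login shell when invoked under the installed name, so
# the functions can be sourced and exercised without starting a session.
case "$0" in
    */sftp-wrapper|sftp-wrapper) main "$@" ;;
esac
```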