• 0

OpenSSH: Changing Groups Default Directory


Question

I'm not very well versed in Linux, I'm in the process of studying my Linux+.

I'm working on a variety of projects with friends, co-workers, and teachers. I'm currently the only person in all of these groups who has large storage space.

I've got SSH running on Port 40 (will be changed after I get everything working and configured).

Here's my problem:

How do I make group x's directory be on J:/ (Network Drive)?

 

Would this below work:

Create the shared folder:

  • sudo mkdir /home/Shared

Create the new user's group:

  • sudo addgroup newgroup

Change ownership of the shared folder to the new group:

  • sudo chown :newgroup /home/Shared

Add your desired users to that group:

  • sudo adduser user1 newgroup

Source of Quote

instead of /home/Shared:

  • sudo chown :newgroup //192.168.1.112/j

Forgive the noobiness. I'm sorry for all the posts! D:

22 answers to this question


  • 0

Since when in Linux is there a shared J: drive?

Linux doesn't use drive letters; a share would just be mounted to a folder on the Linux box.

I.e., to Linux that \\computername\sharename would just look like /home/shared

You need to mount your remote share to a local folder on the Linux box, and then yes, you can set whatever permissions you want there.

  • 0
  On 27/05/2016 at 10:50, BudMan said:

Since when in Linux is there a shared J: drive?

Linux doesn't use drive letters; a share would just be mounted to a folder on the Linux box.

I.e., to Linux that \\computername\sharename would just look like /home/shared

You need to mount your remote share to a local folder on the Linux box, and then yes, you can set whatever permissions you want there.


Ahhhh... No wonder Google kept returning with OpenSSH for Windows stuff. Makes more sense. 

  • 0

Well, I've got the share mounted, every user I've made can see it without having to run any commands. It's permanently mounted.

 

Though my problem now, is that I can't get their directory defaulted to /media/storage, which is where it's mounted at.

 

I've changed the group's directory to /media/ but that doesn't seem to work. I've tried /media/storage/ but that doesn't work either.

 

I can login via sftp with root, and navigate there by going up levels and then to media/storage, but I want it to directly connect to /media/storage and have the "storage" folder as default.

 

So frustrating, most of the tutorials have old information, or it's not quite what I'm looking for.

 

When I try to use FileZilla, this is the response I get:

 

Command:    open "dreadstarx@<Redacted_IP>" 40
Command:    Pass: *************
Error:    Network error: Software caused connection abort
Error:    Could not connect to server

 

I really should've backed up before I started doing things, haha. Guess I learned my lesson.

 

Edit:

 

Couldn't get sshfs to work for me, so I kept Googling and came to the conclusion that cifs would be better for accessing a Windows Share.

  • 0

What you probably want to do, is set the following in the sshd_config file, then restart ssh

 

Match Group newgroup
  ChrootDirectory /media/storage
  ForceCommand internal-sftp
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no

You'll need to set the correct permissions on that directory - I can't remember off the top of my head what they need to be.

 

Essentially what this does is:

  • ChrootDirectory - show that directory as / in their SFTP client, so they can't navigate up from it, and browse around the rest of the filesystem
  • ForceCommand - sets it so that when they log in, the SFTP server is immediately started; they can't get a bash prompt and mess with your system, they can ONLY use SFTP
  • AllowTcpForwarding - Don't let them use SSH port forwarding
  • PermitTunnel - Don't allow them to create an SSH based VPN tunnel
  • X11Forwarding - Don't allow them to run X11 apps, and forward the GUI to their machine
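
The post above leaves the required permissions open. Per sshd_config(5), every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others; the script below is an added example, not part of the original thread, that checks a path such as /media/storage against that rule. The helper names `component_ok` and `check_chroot_path` and the optional WANT_UID argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an sshd ChrootDirectory.
# sshd_config(5): every component of the path must be a root-owned directory
# that is not writable by any other user or group.

# component_ok UID PERMS [WANT_UID]
# PERMS is the mode string printed by `ls -ld`, e.g. drwxr-xr-x.
component_ok() {
    [ "$1" = "${3:-0}" ] || return 1            # owner is not root
    case $2 in
        d????w*|d???????w*) return 1 ;;         # group- or world-writable
        d*) return 0 ;;
        *)  return 1 ;;                         # not a directory
    esac
}

# check_chroot_path DIR [WANT_UID]
# Walks DIR and each parent up to /, printing one line per component.
# Returns 0 if all pass, 1 if any fails, 2 if DIR is not absolute.
check_chroot_path() {
    cur=$1; want=${2:-0}; failed=0
    case $cur in
        /*) ;;
        *) echo "ChrootDirectory must be absolute: $cur" >&2; return 2 ;;
    esac
    while :; do
        if [ -d "$cur" ]; then
            info=$(ls -ldnL "$cur")             # -n numeric uid, -L follow symlinks
            set -f; set -- $info; set +f        # $1 = mode string, $3 = owner uid
            if component_ok "$3" "$1" "$want"; then
                echo "ok    $1 uid=$3 $cur"
            else
                echo "FAIL  $1 uid=$3 $cur"; failed=1
            fi
        else
            echo "FAIL  not a directory: $cur"; failed=1
        fi
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $failed
}

# Usage: sh check_chroot.sh /media/storage
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

On a CIFS mount where the server does not provide Unix ownership information, the owner and mode this prints come from the mount options (`uid=`, `gid=`, `dir_mode=`), so they are fixed at mount time rather than with chown or chmod.
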
  • 0

Hey Dave,

 

Thanks for the response. I've got those added for "newgroup".  If I remove "newgroup" I can connect with userX to my home directory. When I tried to sudo chmod /media/storage, it gives a permission denied.

 

chmod: changing permissions of ‘/media/storage’: Permission denied
 

The folder "storage" is the "root directory" for the Share. I think I should have done /media/share/storage.

 

If push comes to shove, I'll just make a single user, and let this group use a single account with restricted access. I would like to figure this out.

  • 0

Huh? Root folder of share?? So you're sharing out your folder you mounted your share to?

Dude, this is really not that complicated.

Create a folder on your Linux box, put what permissions you want on it. Mount your Windows box that has your storage to this folder..

  • 0
  On 29/05/2016 at 12:37, BudMan said:

Huh? Root folder of share?? So you're sharing out your folder you mounted your share to?

Dude, this is really not that complicated.

Create a folder on your Linux box, put what permissions you want on it. Mount your Windows box that has your storage to this folder..


I changed things up a little bit. I moved it from /media/storage to /media/share/storage. Someone suggested that I might run into problems later on. No big deal, it's moved and everything is working properly. Except that group.

 

I think that's where I went wrong,  BudMan. I mounted the drive first, without setting permissions. I'll give that a whirl when I get home. I've got the share working fine, I can navigate to it without "Match Group" or "Match User" in the sshd_config. 

 

If I have either of those Match lines in there, I get this;

  Quote

Status: Connecting to <redacted>:40...
Response: fzSftp started, protocol_version=5
Command: open "dreadstarx@<redacted>" 40
Command: Pass: *************
Error: Network error: Software caused connection abort
Error: Could not connect to server


sshd_config


 

fstab


 

I think my fstab may be wrong. My last question would be, when chown'ing files for root:

 

I've followed the guide; Guide, at the bottom, however I do have a question in regards to this specifically; does it need to be root.root or root:root. Also, I don't use root to login, I have another username, is it still root.root/root:root or username.username/username:username?

 

It may not be difficult for you, but it is for me. The last time I touched Linux was back in 2010 for a Computer class. The only thing they taught us was how to do basic crap. I've learned a hell of a lot since I've started screwing with this. I'm hoping I can overcome this problem, and be able to successfully replicate it again in the future when I upgrade or move storage boxes.
 

  • 0

Yeah. I did use sudo. Though, I mounted the drive first, then tried to chmod it. Wondering if that's where my error went. That and I super derped and wasn't doing this as root. I haven't used Linux in forever, so I did everything under my Admin account, lol.

  • 0
  On 30/05/2016 at 10:55, BudMan said:

How did you mount it? Your users are not going to match up to your Windows users, unless you set that all up - you're going to want to set noperm on your mount command.


See. Everything has told me to set permissions for it to be root. You would think that it would be noperm. I'll give that a whirl. I don't wanna screw it up too much more, I'll make a back up and then mess with it.

  • 0

It depends on how you're accessing your share: do the Linux accounts match up to Windows accounts? Your users cannot mount directly, so you have to do a bit of a workaround.

So yeah, you could mount with noperm, so all your Linux users can access these files. How you mount with what account on Windows permissions will still be followed. So if you don't want them to have write then the Windows account you mount with does not have write per NTFS, etc. And then nobody on the Linux box would be able to write anything.. Set up the permissions how you want them via your Windows account. Mount the share to your Linux box with that account using noperms; now all Linux users would have that access to that mount.

 

 

  • 0

Alright. Sounds reasonable, though everyone should be able to R/W on it. I've copied files there before, renamed files, so I can access it. I can access it through SSH, but my goal is to lock it down to where they CAN'T see any files on the Linux box unless I give them access. I want to make them able to log in to SSH and change their passwords.

 

Guess you could say I just want to use the Linux box as a "man in the middle" access point. I know I'm asking a lot of myself and others, especially with my skill level. I trust these guys, I just want to make things a little more strict.

  • 0

What does the noperms setting on this mount have to do with any other folders on the Linux box?

If you want them to have r/w on this folder that you mount some Windows share to, then use an account to mount it with that Windows gives r/w to.

  • 0

Well, after a few hours of screwing around with it, and listening to two Germans get drunk laughing at me, we got it working. The problem was partially due to permissions being restrictive on x folder by folders y and z had no permissions on them. The ChrootDirectory was all fubar'd as well. So, sftp server hadn't a clue what to do, so it denied it. Not sure if /media/share/ fixed something, versus /media/share.

 

But in the end, I learned that not setting permissions with root can be a giant pain in the ass. I learned a lot with this, and I'm making a back up now, haha.

  • 0

From my experience with you.. It does not matter what was discussed or what you stated you learned.. Give it a few minutes and it's like the conversation never happened. You're like a true-life Dory from Nemo, who aspires to be Patrick from SpongeBob ;)

 

  • 0
  On 30/05/2016 at 17:43, BudMan said:

From my experience with you.. It does not matter what was discussed or what you stated you learned.. Give it a few minutes and it's like the conversation never happened. You're like a true-life Dory from Nemo, who aspires to be Patrick from SpongeBob ;)

 


Just too much going on in my head. Thinking about things and worrying about things that don't need to be worried about.  Bills aren't due till the 31st, but I'm already worrying about them.

 

Totally thought I could run PRTG on my Linux box, but NOPE it's gotta be on a Windows machine. That'll be nice when I have some VMs to play with!

  • 0

"Just too much going on in my head"

 

Well, stop it or seek help.. It's very frustrating trying to help you.. When you forget what we discussed and you stated you understood, etc.. I don't mind getting a bat and beating an explanation into someone, we can use crayons and puppets if that is what it takes for the information to take hold. But when that person states ok now it makes sense, and then a few minutes later, a day later, clearly not.. It's very frustrating!!!

  • 0

What's also frustrating is that you don't understand how difficult it is for me to learn something. You seem to have a lack of patience with people when they don't understand things. If you explain something, explain it to a third grader, if they don't understand it, you didn't explain it well enough. I'm fairly smart, but networking is a whole new ball park for me. That's why I haven't screwed with my router/switch yet. I also wanted to wait until I get the rest of my gear, just the three switches, and ESXi. I'm not going to ask for much help anymore, once I get it working, I'm going to save the configs, and play with things.

 

I've accomplished everything I've wanted to, minus the 3 new switches, and re-configuring my network. For now, I'm happy.

  • 0

Dude, I have explained ###### to you like you're in preschool.. And you're taking college courses, I shouldn't freaking have to do that!!

You state you get it, and then some comment that is complete contraindication..

I am pretty freaking sure that you're working in a datacenter and still don't actually understand the difference between layer 2 and 3.. Please explain it to us, because I don't think you get it after pages and pages of discussion from both me and sc302 and you actually working with it as your job.. You rack and stack stuff in DC, do you not...

  • 0
  On 02/06/2016 at 11:21, BudMan said:

Dude, I have explained ###### to you like you're in preschool.. And you're taking college courses, I shouldn't freaking have to do that!!

You state you get it, and then some comment that is complete contraindication..

I am pretty freaking sure that you're working in a datacenter and still don't actually understand the difference between layer 2 and 3.. Please explain it to us, because I don't think you get it after pages and pages of discussion from both me and sc302 and you actually working with it as your job.. You rack and stack stuff in DC, do you not...


I rack and stack, and run cables. I set iDRAC/iLO IP Addresses, more iDrac than iLo. I don't do ANYTHING with Networking other than replace SFPs, Cables or run new things. We're everyone else's bitch for work. I haven't looked at the OSI Model in 2+ Years when I was doing my Cisco classes, even then I didn't care about it. I just wanted to graduate and get the hell out of Job Corps. You seem to think that I have a larger understanding of things, the fact that I had to ASK you for help with configuring my Router and Switch should've been your first clue. Had I known more and understood the OSI Model, would I have had to ask you and sc302 about it? Would I have had to ASK the difference between the two? You really don't seem to get that I can understand a lot, but it takes a while for me to do it. In terms of things, yes I'm a retard. Not in your usual thinking of down syndrome, but I lack a certain processing capability in my brain, which is part of Short Term Memory Loss. I'm pretty sure I've explained this to you before. I was born this way, it got worse when I was in a car accident and smashed my head into the back of the seat of a 80s Mercedes Benz, mind you those head rests hurt like hell. I've stopped coming to you for questions after you've compared me to Dory, which is portrayed as a mentally challenged fish, also quite insulting, and then you compared me to Patrick from SpongeBob. Again, quite insulting. So let's put it simple for you BudMan, your ego is so god damn big, you can't seem to understand that no one else here can match you with knowledge. But you know what? No one gives a flying ###### at all. We come here because we enjoy it, and occasionally need help. I don't care if I have to ask sc302 to explain it to me like an imbecile. He's happy to help, regardless of how long it takes. Why? Because he has two things that you seem to lack. 1. PATIENCE. 2. And a desire to teach. Your approach doesn't work.
I asked a very simple question, and you gave me 4 paragraphs of useless crap that made me even more confused. I had to ask sc302 in a private conversation to understand what you were talking about. Out of everything I've learned from talking to you is; Yes you possess a vast knowledge of IT related things, and even non-related but trying to understand you, is like talking to Alan Turing from the Imitation Game. Not everyone understands what you're saying. But don't worry, I'll either ask sc302 for help, or flat out just give up. I won't come to you for help anymore because it's more of a waste of my time to ask you, climb through a damn jungle, to find out that I did everything wrong. Do you know why I haven't switched my gear yet? Because I don't want to deal with having to ask you for help. sc302 is more than willing, and rather enjoys teaching others. His life has gotten a lot busier, and I don't want to be the ###### asking him for help constantly. I deal with people like you all the time, I hate having a mental processing problem, it drives me insane. I've struggled my entire life with it, I barely graduated high school because of it. I spent an entire summer studying science before my senior year JUST so I can start off better. I spent hours studying after school, late night cram sessions weeks before tests. I barely passed with a 71.9% as my final grade. Mind you 70% or lower was considered failing. I told you to let me get some things squared away in my education, so I can focus on it more. My time is split between work, studying, family, health, and fixing up where I live. I removed you from the blocked list after a week, which I hope you had cooled off but clearly it needs to be longer. So with that said, cheers BudMan, thanks for everything you've done. And I will try harder to understand things, I can't learn at your pace, I have to go with what I'm capable of.
If that means it takes me a year of solid studying to get the basic understanding of networking, then so be it.

This topic is now closed to further replies.