<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>Dastrup Tech Logs</title>
	<atom:link href="http://blog.dastrup.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://blog.dastrup.com</link>
	<description>Stuff to Remember</description>
	<pubDate>Tue, 29 Jun 2010 15:47:03 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Easy Centos SFTP Chroot User Jail</title>
		<link>http://blog.dastrup.com/?p=156</link>
		<comments>http://blog.dastrup.com/?p=156#comments</comments>
		<pubDate>Mon, 14 Jun 2010 15:58:46 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=156</guid>
		<description><![CDATA[I had to set up a SFTP site for a customer which required a true chroot user jail - each user would go directly to their own home directory. Other requirements included: Users could not see other users folders, Authentication via Active Directory, and no SSH or other access.
After much research and trial-and-error, I figured [...]]]></description>
<content:encoded><![CDATA[<p>I had to set up a SFTP site for a customer which required a true chroot user jail - each user would go directly to their own home directory. Other requirements included: users could not see other users&#8217; folders, authentication via Active Directory, and no SSH or other access.<br />
After much research and trial-and-error, I figured out that OpenSSH simply would not work. The reason is OpenSSH, while it offers a ChrootDirectory option, has a very annoying limitation. From the man pages: <em>&#8220;This path, and all its components, must be root-owned directories that are not writable by any other user or group.&#8221;</em> So tell me, how do you chroot a user to their home directory if their home directory must be owned by root and not writable by the user? You can&#8217;t. You can jail the user to /home/ but then the user can see other users&#8217; directories, even if they can&#8217;t access them. When trying to keep users, or clients, from seeing the names of other clients, that&#8217;s not an option.</p>
<p>(On a side note, I was able to get it mostly working if in the /etc/samba/smb.conf file I had this line:</p>
<pre>template homedir = /home/%U/%U</pre>
<p>which would create a home directory like this:</p>
<pre>/home/joeblow/joeblow</pre>
<p>and in /etc/ssh/sshd_config set this:</p>
<pre>ChrootDirectory /home/%u</pre>
<p>This would meet the security requirements, but would cause an annoyance to users since they would have to descend into a subdirectory to upload files.)</p>
<p>rssh is another option some people use instead of OpenSSH, but it has the exact same limitation, in addition to requiring you to copy a bunch of system files to the chroot directory.<br />
Then I discovered the <a href="http://www.proftpd.org/">ProFTPD Project</a>. The current version has a module called mod_sftp, which provides SFTP access. So I changed my OpenSSH port to something other than 22, installed proftpd (actually, I had to build and install it, since I couldn&#8217;t find a current version rpm for CentOS), and it worked beautifully. There are some steps I had to do to get it working smoothly with Active Directory, but once configured, now all my customer has to do is create a new Active Directory account - nothing else at all. Once done, the user can log on and go directly to their home directory, which even gets automatically created. Below are the settings and configuration files.</p>
<p>First, (optional, only if you want AD authentication) build CentOS 5.5 with a working Samba and Winbind configuration (see my other post <a href="http://blog.dastrup.com/?p=83">CentOS 5.2 and Winbind</a>). Verify that AD users can log in via SSH and their home directory gets created automatically.</p>
<p>Change the OpenSSH port:</p>
<pre>
#/etc/ssh/sshd_config
#Port 22
# Something other than 22 (sshd_config does not accept a trailing comment on a directive line)
Port 222
</pre>
<p>ProFTPD 1.3.3rc4 build configuration options:</p>
<pre>./configure --prefix=/usr --sysconfdir=/etc --with-modules=mod_sftp</pre>
<pre>
#/etc/proftpd.conf
ServerName                      "My SFTP Server"
ServerType                      standalone
DefaultServer                   on
IdentLookups                    off
Port                            22
UseIPv6                         off
Umask                          022
MaxInstances                    30
User                            nobody
Group                           nobody
DefaultRoot ~
AllowOverwrite          on
&lt;Limit SITE_CHMOD&gt;
  DenyAll
&lt;/Limit&gt;

#SFTP Support
SFTPEngine      On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 4
SFTPOptions IgnoreSFTPUploadPerms

#Winbind support
PersistentPasswd   off
AuthPAMConfig samba
AuthPAM on
AuthOrder mod_auth_pam.c* mod_auth_unix.c
</pre>
<p>Create the proftpd init script (below) in /etc/init.d and chmod +x</p>
<pre>
#!/bin/sh
# $Id: proftpd.init,v 1.1 2004/02/26 17:54:30 thias Exp $
#
# proftpd        This shell script takes care of starting and stopping
#                proftpd.
#
# chkconfig: - 80 30
# description: ProFTPD is an enhanced FTP server with a focus towards \
#              simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftpd.conf
# pidfile: /var/run/proftpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] &#038;&#038; exit 0

[ -x /usr/sbin/proftpd ] || exit 0

RETVAL=0

prog="proftpd"

start() {
        echo -n $"Starting $prog: "
        daemon proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] &#038;&#038; touch /var/lock/subsys/proftpd
}

stop() {
        echo -n $"Shutting down $prog: "
        killproc proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] &#038;&#038; rm -f /var/lock/subsys/proftpd
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status proftpd
        RETVAL=$?
        ;;
  restart)
        stop
        start
        ;;
  condrestart)
        if [ -f /var/lock/subsys/proftpd ]; then
          stop
          start
        fi
        ;;
  reload)
        echo -n $"Re-reading $prog configuration: "
        killproc proftpd -HUP
        RETVAL=$?
        echo
        ;;
  *)
        echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
        exit 1
esac

exit $RETVAL
</pre>
<p>Rotate the logs</p>
<pre>
#/etc/logrotate.d/proftp
/var/log/proftp {
    missingok
    notifempty
    daily
    rotate 7
}
</pre>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=156</wfw:commentRss>
		</item>
		<item>
		<title>Convert IIS SSL Cert to Apache</title>
		<link>http://blog.dastrup.com/?p=147</link>
		<comments>http://blog.dastrup.com/?p=147#comments</comments>
		<pubDate>Fri, 27 Nov 2009 21:07:30 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=147</guid>
		<description><![CDATA[Export your SSL Cert to a PFX file and include the private key. Copy it to your apache server.
# openssl pkcs12 -in www.yourdomain.com.pfx -nocerts -out www.yourdomain.key.pem
# openssl pkcs12 -in www.yourdomain.com.pfx -clcerts -nokeys -out www.yourdomain.cert.pem
# openssl rsa -in www.yourdomain.key.pem -out www.yourdomain.key
Copy contents of www.yourdomain.cert.pem between and including BEGIN CERTIFICATE and END CERTIFICATE into www.yourdomain.cert.
Here&#8217;s a sample [...]]]></description>
			<content:encoded><![CDATA[<p>Export your SSL Cert to a PFX file and include the private key. Copy it to your apache server.</p>
<pre># openssl pkcs12 -in www.yourdomain.com.pfx -nocerts -out www.yourdomain.key.pem
# openssl pkcs12 -in www.yourdomain.com.pfx -clcerts -nokeys -out www.yourdomain.cert.pem
# openssl rsa -in www.yourdomain.key.pem -out www.yourdomain.key</pre>
<p>Copy contents of www.yourdomain.cert.pem between and including BEGIN CERTIFICATE and END CERTIFICATE into www.yourdomain.cert.</p>
<p>Here&#8217;s a sample apache virtualhost config file that includes redirecting the non-SSL site to the new SSL site:</p>
<pre>&lt;VirtualHost *:80&gt;
 ServerName www.yourdomain.com
 Redirect permanent / https://www.yourdomain.com/
&lt;/VirtualHost&gt;

&lt;VirtualHost *:443&gt;
 ServerName www.yourdomain.com
 DocumentRoot /var/www/html
 &lt;Directory /var/www/html&gt;
  AllowOverride All
 &lt;/Directory&gt;
 SSLEngine on
 SSLCertificateFile /path/to/www.yourdomain.cert
 SSLCertificateKeyFile /path/to/www.yourdomain.key
&lt;/VirtualHost&gt;</pre>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=147</wfw:commentRss>
		</item>
		<item>
		<title>Find SQL queries that use too much CPU</title>
		<link>http://blog.dastrup.com/?p=143</link>
		<comments>http://blog.dastrup.com/?p=143#comments</comments>
		<pubDate>Wed, 11 Nov 2009 22:32:11 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=143</guid>
		<description><![CDATA[
SELECT total_worker_time/execution_count AS AvgCPU
, total_worker_time AS TotalCPU
, total_elapsed_time/execution_count AS AvgDuration
, total_elapsed_time AS TotalDuration
, (total_logical_reads+total_physical_reads)/execution_count AS AvgReads
, (total_logical_reads+total_physical_reads) AS TotalReads
, execution_count
, SUBSTRING(st.TEXT, (qs.statement_start_offset/2)+1
, ((CASE qs.statement_end_offset  WHEN -1 THEN datalength(st.TEXT)
ELSE qs.statement_end_offset
END - qs.statement_start_offset)/2) + 1) AS txt
, query_plan
FROM sys.dm_exec_query_stats AS qs
cross apply sys.dm_exec_sql_text(qs.sql_handle) AS st
cross apply sys.dm_exec_query_plan (qs.plan_handle) AS qp
ORDER BY 1 DESC

Take note of the [...]]]></description>
			<content:encoded><![CDATA[<pre>
SELECT total_worker_time/execution_count AS AvgCPU
, total_worker_time AS TotalCPU
, total_elapsed_time/execution_count AS AvgDuration
, total_elapsed_time AS TotalDuration
, (total_logical_reads+total_physical_reads)/execution_count AS AvgReads
, (total_logical_reads+total_physical_reads) AS TotalReads
, execution_count
, SUBSTRING(st.TEXT, (qs.statement_start_offset/2)+1
, ((CASE qs.statement_end_offset  WHEN -1 THEN datalength(st.TEXT)
ELSE qs.statement_end_offset
END - qs.statement_start_offset)/2) + 1) AS txt
, query_plan
FROM sys.dm_exec_query_stats AS qs
cross apply sys.dm_exec_sql_text(qs.sql_handle) AS st
cross apply sys.dm_exec_query_plan (qs.plan_handle) AS qp
ORDER BY 1 DESC
</pre>
<p>Take note of the AvgCPU value. Fix the query, clear the query cache with:</p>
<pre>
DBCC FREEPROCCACHE
</pre>
<p>run the query again a few times, and run the above query again. Compare the numbers.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=143</wfw:commentRss>
		</item>
		<item>
		<title>Mixing 64 and 32 bit applications pools on OWA website</title>
		<link>http://blog.dastrup.com/?p=135</link>
		<comments>http://blog.dastrup.com/?p=135#comments</comments>
		<pubDate>Sat, 23 May 2009 22:09:47 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Microsoft]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[IIS7]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=135</guid>
		<description><![CDATA[If you need to create and run a 32-bit application pool on the same website you are running Exchange OWA, usually the Default Web Site, you need to make a couple changes. For example, you want to run an old ASP component that only runs in 32 bit mode.

Register the DLL - copy it to [...]]]></description>
			<content:encoded><![CDATA[<p>If you need to create and run a 32-bit application pool on the same website you are running Exchange OWA, usually the Default Web Site, you need to make a couple changes. For example, you want to run an old ASP component that only runs in 32 bit mode.</p>
<ol>
<li>Register the DLL - copy it to \Windows\SysWOW64 and run regsvr32 your.dll</li>
<li>Create a 32 bit application pool in IIS 7 - On the advanced settings, set Enable 32-bit applications = True</li>
<li>Create a subfolder and assign your 32-bit app pool to it.</li>
<li>Modify \Windows\system32\inetsrv\config\applicationhost.config:
<pre>&lt;location path="Default Web Site"&gt;
        &lt;system.webServer&gt;
            &lt;isapiFilters&gt;
                &lt;clear /&gt;
                &lt;filter name="Exchange OWA Cookie Authentication ISAPI Filter" path="D:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\owaauth.dll" enabled="true" preCondition="bitness64" /&gt;
                &lt;filter name="Exchange ActiveSync ISAPI Filter" path="D:\Program Files\Microsoft\Exchange Server\ClientAccess\sync\bin\AirFilter.dll" enabled="true" preCondition="bitness64" /&gt;
            &lt;/isapiFilters&gt;</pre>
<p>Notice the added preCondition="bitness64". This tells those filters to only run on 64-bit app pools.</p></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=135</wfw:commentRss>
		</item>
		<item>
		<title>How to Thin Provision on VMware ESXi 3.5 Free version</title>
		<link>http://blog.dastrup.com/?p=119</link>
		<comments>http://blog.dastrup.com/?p=119#comments</comments>
		<pubDate>Thu, 30 Apr 2009 02:31:27 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Linux]]></category>

		<category><![CDATA[vmware]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=119</guid>
		<description><![CDATA[VMware does not offer a supported method to create a thin disk on the free version of ESXi 3.5. Thin = only allocate space as the guest OS demands. The GUI, Virtual Infrastructure Client, only creates zeroedthick disks (pre-allocated and zeroed on demand), therefore using up much more space than required. The command-line tools, RCLI, either on [...]]]></description>
			<content:encoded><![CDATA[<p>VMware does not offer a supported method to create a <em>thin</em> disk on the free version of ESXi 3.5. Thin = only allocate space as the guest OS demands. The GUI, Virtual Infrastructure Client, only creates zeroedthick disks (pre-allocated and zeroed on demand), therefore using up much more space than required. The command-line tools, RCLI, either on Windows or in VIMA, are read-only, therefore don&#8217;t work for anything useful. If you try, you get an error <em>fault.RestrictedVersion.summary</em>; in other words - you&#8217;re not allowed to do that. But there is a way:</p>
<p>On the console (the yellow server console), press ALT-F1.<br />
Type the command <strong>unsupported</strong> (you won&#8217;t see your typing) and you&#8217;ll get a password prompt.<br />
Enter your root password, and then you should get a busybox prompt.<br />
Use the vmkfstools to create your disk, like this:</p>
<pre>vmkfstools -c 10G -d thin -a lsilogic /vmfs/volumes/[Your_Datastore]/[YourGuestOS]/ThinDisk1.vmdk</pre>
<p>If you <strong>ls -lh</strong> the directory, it will show the full size, but if you <strong>df -h</strong> you&#8217;ll see that very little space was actually used.</p>
<p>While you&#8217;re on the hidden console, might as well enable ssh access, too:</p>
<p><strong>vi /etc/inetd.conf</strong> and uncomment the ssh line. Look up the Process ID, <strong>ps | grep inetd</strong>, and restart it with <strong>kill -HUP [pid]</strong></p>
<p>Yeah, pretty cool.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=119</wfw:commentRss>
		</item>
		<item>
		<title>Partition alignment</title>
		<link>http://blog.dastrup.com/?p=104</link>
		<comments>http://blog.dastrup.com/?p=104#comments</comments>
		<pubDate>Wed, 11 Mar 2009 19:19:53 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Microsoft]]></category>

		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=104</guid>
		<description><![CDATA[Windows:

strComputer = "."
Set wmi= GetObject("winmgmts:\\" &#038; strComputer &#038; "\root\CIMV2")
Set col = wmi.ExecQuery("SELECT * FROM Win32_DiskPartition",,48) 

For Each item in col
	Wscript.Echo "Disk: " &#038; item.DiskIndex &#038; "  Partition: " &#038; item.Index &#038; "  StartingOffset: " &#038; item.StartingOffset/1024 &#038; "KB"     

Next

Set partition alignment on a new partition, required on &#60;= Win2003

c:\>diskpart.exe
DISKPART>list [...]]]></description>
			<content:encoded><![CDATA[<p>Windows:</p>
<pre>
strComputer = "."
Set wmi= GetObject("winmgmts:\\" &#038; strComputer &#038; "\root\CIMV2")
Set col = wmi.ExecQuery("SELECT * FROM Win32_DiskPartition",,48) 

For Each item in col
	Wscript.Echo "Disk: " &#038; item.DiskIndex &#038; "  Partition: " &#038; item.Index &#038; "  StartingOffset: " &#038; item.StartingOffset/1024 &#038; "KB"     

Next
</pre>
<p>Set partition alignment on a new partition, required on &lt;= Win2003</p>
<pre>
c:\>diskpart.exe
DISKPART>list disk
DISKPART>select disk x
DISKPART>create partition primary align=64
DISKPART>exit
</pre>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=104</wfw:commentRss>
		</item>
		<item>
		<title>CentOS 5.2 and Winbind</title>
		<link>http://blog.dastrup.com/?p=83</link>
		<comments>http://blog.dastrup.com/?p=83#comments</comments>
		<pubDate>Sat, 07 Feb 2009 22:55:35 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Linux]]></category>

		<category><![CDATA[Microsoft]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[samba]]></category>

		<category><![CDATA[Winbind]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=83</guid>
		<description><![CDATA[Built a Linux Samba server for a file server this week. It&#8217;s in a satellite office connected via OpenVPN to the main office, which hosts Active Directory. Samba is running winbind, which allows transparent access to resources and minimal management on the server. I learned that winbind&#8217;s offline logons work for local or ssh logon [...]]]></description>
			<content:encoded><![CDATA[<p>Built a Linux Samba server for a file server this week. It&#8217;s in a satellite office connected via OpenVPN to the main office, which hosts Active Directory. Samba is running winbind, which allows transparent access to resources and minimal management on the server. I learned that winbind&#8217;s offline logons work for local or ssh logon to the server if Active Directory is unavailable, but it <em>does not</em> allow offline access to the server via network shares; the VPN and Active Directory must be up to initially log on and get drives mapped. Outages during the day do not impact file or printer access. This could be disastrous in certain situations, but considering the bulk of the work this office does is via E-mail or Citrix, an Internet outage means they don&#8217;t get any work done anyway.</p>
<p>This setup is very similar to plain ads security mode as described in my earlier post, <a href="http://blog.dastrup.com/?p=8">Configure Samba with Domain Security Mode</a>, but, while a little more complicated to set up, has more features, such as local logon privileges for AD users.</p>
<p>Had a heck of a time getting winbind working on CentOS 5.2. Most everything worked, joined to the domain, wbinfo -u returned users, but getent wasn&#8217;t working. `getent passwd` only returned local users. `getent group` returned local groups and only two domain groups, preceded by BUILTIN. Finally figured out I had this in my smb.conf:</p>
<pre>winbind trusted domains only = yes</pre>
<p>when it should be this:</p>
<pre>winbind trusted domains only = no</pre>
<p>Just in case it helps anyone else, here&#8217;s relevant portions from my config files:</p>
<pre>#/etc/samba/smb.conf

[global]

   workgroup = DOMAIN
   password server = myadserver.domain.com
   realm = DOMAIN.COM
   security = ads
   idmap uid = 10000-20000
   idmap gid = 50000-60000
   winbind separator = +
   template homedir = /home/%U
   template shell = /bin/bash
   printing = cups
   printcap name = cups
   load printers = yes
   encrypt passwords = yes
   passdb backend = tdbsam
   server string = MY-SERVER
   os level = 20
   client use spnego = yes
   winbind offline logon = yes
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind trusted domains only = no</pre>
<pre>#/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
DOMAIN.COM = {
   default_domain = domain.com
  kdc = 192.168.0.5:88
  kdc = 192.168.0.5
  kdc = myadserver.domain.com
  admin_server = 192.168.0.5:749
  default_domain = domain.com
}

[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }</pre>
<pre>#/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid &gt;= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid &lt; 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_krb5.so</pre>
<pre>#/etc/nsswitch.conf

&lt;snip&gt;
passwd:  files winbind
shadow:  files winbind
group:    files winbind
&lt;/snip&gt;</pre>
<pre>#/etc/security/pam_winbind.conf

[global]

;debug = yes
cached_login = yes
;krb5_auth = yes
;krb5_ccache_type = FILE
;require_membership_of =</pre>
<p>In order to get shared documents on the server to act more Windows-like, I had to change the default umask and use ACLs instead of default file security:</p>
<pre>
#/etc/bashrc

&lt;snip&gt;
if [ $UID -gt 99 ] &amp;&amp; [ "`id -gn`" = "`id -un`" ]; then
        umask 002
else
        umask 002
fi
&lt;/snip&gt;
</pre>
<pre>
#/etc/samba/smb.conf

#========= Share Definitions ========
[Share]
  create mask = 0770
  force create mode = 0770
  force directory mode = 0770
  force group = DOMAIN+Group_Name</pre>
<p>Use chown and chmod to set your domain groups as owners of your shared directories. Should look something like this:</p>
<pre># ls -l
drwxrwx--- 2 root DOMAIN+domain users 4096 Feb  6 15:13 Docs</pre>
<p>Then for ACLs, use setfacl:</p>
<pre># setfacl -d -R -m u::rwx,g::rwx,m::rwx Docs</pre>
<p>Use getfacl to confirm. When you ls a directory after that, you&#8217;ll see a + sign next to the normal permissions.</p>
<pre># ls -l
drwxrwx---+ 2 root DOMAIN+domain users 4096 Feb  6 15:13 Docs</pre>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=83</wfw:commentRss>
		</item>
		<item>
		<title>Windows 2008 NLB, dual-nics and routing</title>
		<link>http://blog.dastrup.com/?p=69</link>
		<comments>http://blog.dastrup.com/?p=69#comments</comments>
		<pubDate>Fri, 30 Jan 2009 20:42:33 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Microsoft]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[2008]]></category>

		<category><![CDATA[NLB]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=69</guid>
		<description><![CDATA[I set up NLB in unicast mode on a couple Windows 2008 servers using dual-nics. Everything worked fine, except hosts outside the subnet could not access the cluster IP. The same setup works with Windows 2003. This is only a problem because I prefer to disable all services on the clustered NICs except IP, since [...]]]></description>
			<content:encoded><![CDATA[<p>I set up NLB in unicast mode on a couple Windows 2008 servers using dual-nics. Everything worked fine, except hosts outside the subnet could not access the cluster IP. The same setup works with Windows 2003. This is only a problem because I prefer to disable all services on the clustered NICs except IP, since I&#8217;m only load-balancing a few IP services and I want internal communication to use the primary NICs. Here&#8217;s my setup:</p>
<pre>Server 1
-------------------------
NIC1 (Public)
IP 192.168.1.10
Gateway 192.168.1.1

NIC2 (NLB)
IP 192.168.1.11
No Gateway, File &#038; Print, MS Client or DNS Registration

Server 2
-------------------------
NIC1 (Public)
IP 192.168.1.12
Gateway 192.168.1.1

NIC2 (NLB)
IP 192.168.1.13
No Gateway, File &#038; Print, MS Client or DNS Registration

Cluster
-------------------------
IP 192.168.1.14</pre>
<p>For 2008, it can be fixed with the netsh command. To get it working:</p>
<pre>
C:\>netsh interface show int

Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        NLB
Enabled        Connected      Dedicated        Public
</pre>
<p>Note the name of the NIC used for the cluster. My case, NLB. Then run:</p>
<pre>
C:\>netsh interface ipv4 set interface "NLB" forwarding=enabled

Ok.
</pre>
<p>Also have to make some routing changes, since the NLB NICs don&#8217;t have a default gateway, and adding one can cause confusion to the OS. I want all remote traffic to source from the NLB NICs, so I figure out the interface number with:</p>
<pre>
C:\>route print
==============================================
Interface List
 [XX] ..[NLB MAC ADDRESS]... [NLB NIC Model]
==============================================
</pre>
<p>and add a persistent default route on both nodes with this:</p>
<pre>
C:\>route -p add 0.0.0.0 mask 0.0.0.0 192.168.1.1 if [XX]
</pre>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=69</wfw:commentRss>
		</item>
		<item>
		<title>Goodbye, Vista</title>
		<link>http://blog.dastrup.com/?p=63</link>
		<comments>http://blog.dastrup.com/?p=63#comments</comments>
		<pubDate>Wed, 21 Jan 2009 23:50:12 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Microsoft]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[Vista]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=63</guid>
		<description><![CDATA[I tried. For over 2 years now I&#8217;ve tried to use Vista. I believed early on that it would improve, someday it will be standard on every computer, eventually you won&#8217;t be able to buy XP anymore, etc. I believed that I needed to use it in order to better support my customers with it. [...]]]></description>
			<content:encoded><![CDATA[<p>I tried. For over 2 years now I&#8217;ve tried to use Vista. I believed early on that it would improve, someday it will be standard on every computer, eventually you won&#8217;t be able to buy XP anymore, etc. I believed that I needed to use it in order to better support my customers with it. I believed lots of things, but I don&#8217;t believe anymore.</p>
<p>86 hours. That&#8217;s the time I have waited the last two years. Over two work-weeks of waiting. Several thousand dollars of waiting. Waiting for what? Waiting for my computer to resume from hibernation or cold boot. It takes about 10 minutes before my computer is usable. I have a modern laptop, T9300 proc, SATA2 HDD, 4 GB RAM, etc. Previously, I had another modern laptop, T7xxx proc, 4 GB RAM, etc. The hard drive light just won&#8217;t stop blinking for ten minutes, the stupid green circular icon keeps spinning. I can&#8217;t use standby overnight or else my battery is often near dead, if it even stays in standby that long, and sometimes I need my battery first thing in the AM.</p>
<p>Most computers still come with XP pre-installed. Some computers, specifically certain HP or Dell configurations, only come with XP installed. Most of my clients still use XP. Why? Because Vista offers nothing for businesses. What can businesses do now that they couldn&#8217;t do with XP? Nothing.</p>
<p>Now I have to wait for Windows 7 to save me, somehow recoup the 86 hours of time lost, but I&#8217;m not holding my breath. When I read an article that lists as one of its new great features: &#8220;maximized windows now feature transparent borders&#8221; as a new operating system highlight, I don&#8217;t really have much hope. Is Microsoft really going to rewrite their OS to remove the bulk that Vista added, or just hope that hardware is faster by the time it is released and therefore the time wasted will be reduced?</p>
<p>In a few short hours I will have <em>upgraded</em> to a previous, more reliable, and faster, operating system.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=63</wfw:commentRss>
		</item>
		<item>
		<title>ATI fglrx proprietary driver problems</title>
		<link>http://blog.dastrup.com/?p=62</link>
		<comments>http://blog.dastrup.com/?p=62#comments</comments>
		<pubDate>Fri, 14 Nov 2008 19:43:03 +0000</pubDate>
		<dc:creator>James Dastrup</dc:creator>
		
		<category><![CDATA[Hardware]]></category>

		<category><![CDATA[Linux]]></category>

		<category><![CDATA[MythTV]]></category>

		<category><![CDATA[ati]]></category>

		<category><![CDATA[fglrx]]></category>

		<category><![CDATA[hdtv]]></category>

		<guid isPermaLink="false">http://blog.dastrup.com/?p=62</guid>
		<description><![CDATA[I know many hate ATI+Linux, but I&#8217;m not a gamer and usually run linux by command line only. I have a ATI 9600 Pro AGP video card that I&#8217;ve been using in one of my MythTV frontend&#8217;s for years. In order to play high definition resolutions (720p 1080i) I need to use ATI&#8217;s proprietary linux [...]]]></description>
<content:encoded><![CDATA[<p>I know many hate ATI+Linux, but I&#8217;m not a gamer and usually run linux by command line only. I have an ATI 9600 Pro AGP video card that I&#8217;ve been using in one of my MythTV frontends for years. In order to play high definition resolutions (720p 1080i) I need to use ATI&#8217;s proprietary linux driver, fglrx. And it works well for that, as well as my nVidia card in my other frontends. I end up rebuilding my frontends maybe every 9-12 months, just for fun. That&#8217;s where nVidia outperforms ATI. The ATI driver can be much more difficult to get running properly, partly because they change it so drastically, at least it&#8217;s different every time I rebuild a frontend.<br />
The latest problem is the driver and associated configuration tool, aticonfig. fglrx now basically ignores any options in xorg.conf except for the options available by the aticonfig tool. For example, it reads EDID information from your display and will only output a mode that your display allows. Sounds great, right? Sure, assuming fglrx is reading EDID properly, or if at all. If it can&#8217;t read EDID, the max resolution is 1024&#215;768. You can&#8217;t tell it to ignore EDID and specify a modeline instead. This happened to me. I tried every possible combination of settings in xorg.conf, reinstalled the driver, from RPM and the installer from ATI&#8217;s website. But EDID came up as invalid according to /var/log/Xorg.0.log.<br />
Finally figured out there is a file that the driver uses that can become incorrect or corrupt. I deleted this file:</p>
<pre># rm /etc/ati/amdpcsdb</pre>
<p>and everything started working great. X came up at 1080p and MythTV works great, although openGL menu transitions are a little slow with my card, so I turned that off. Apparently it&#8217;s possible to modify settings in that file, which overrides anything in xorg.conf.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dastrup.com/?feed=rss2&amp;p=62</wfw:commentRss>
		</item>
	</channel>
</rss>
