Besides my previous complaint about sshd not starting after upgrade from
FreeBSD 8.3 to 8.4 due to an incompatible change in parsing sshd_config
with empty VersionAddendum [1], there is another more serious bug in the
newly imported SSH in base (OpenSSH_6.1p1) which I am not able to fix /
work around.

In short: OpenSSH 6.1 is creating broken symlinks with the sftp command on
an OpenSSH 5.4 server with a chrooted account.
It always creates symlinks with a pseudo absolute path instead of a
relative one.

SSH server (OpenSSH 5.4 on FreeBSD 8.3) is configured with the following
settings for chrooting:

    Match User devel
        ChrootDirectory /usr/home
        ForceCommand internal-sftp

And again, it was working fine with older version of FreeBSD / OpenSSH
5.4 client (sftp command).
It is working with WinSCP too.

The sftp command used for creating the symlink is:

    symlink temp temp_symlink

Expected result shown by ls -l /usr/home/devel on server side is:

    temp_symlink -> temp

Broken links by OpenSSH 6.1 client:

    temp_symlink -> /devel/temp

So the symlink is not working outside of the sftp chrooted session (for
example, Apache cannot read files from symlinked directory because only
user "devel" is chrooted).

I tried to enable DEBUG logging in sshd_config on the server side with
following results:

Expected behavior with OpenSSH 5.4 as sftp client:

    subsystem request for sftp
    session opened for local user devel from [y.y.y.y]
    received client version 3
    realpath "."
    symlink old "temp" new "/usr/home/devel/temp_symlink"
    sent status Success
    session closed for local user devel from [y.y.y.y]

Broken behavior with OpenSSH 6.1 as sftp client:

    subsystem request for sftp
    session opened for local user devel from [x.x.x.x]
    received client version 3
    realpath "."
    opendir "/usr/home/devel"
    sent status End of file
    closedir "/usr/home/devel"
    sent status Success
    symlink old "/usr/home/devel/temp" new "/usr/home/devel/temp_symlink"
    sent status Success

In both cases the sftp command is executed from simplified shellscript
simulating much larger script for our application deployment:

    echo "symlink temp temp_symlink
    quit
    " | sftp devel@x.x.x.x

The above debug output is the same with sftp-server and internal-sftp
(in sshd_config). It does not matter if user account is chrooted or not
- sftp command always creates symlink with an absolute path (with
OpenSSH 6.1).
With OpenSSH 5.4 client, it will create relative path symlinks as expected.

So my questions are:

1) Is there some way to create relative symlinks with OpenSSH 6.1?
2) Was OpenSSH 6.1 tested before importing into the base of FreeBSD 8.4
   release? These two bugs seem serious to me.
3) Is there any chance to fix these bugs in FreeBSD repository, or do we
   need to be "bug to bug" compatible with other systems using OpenSSH 6.x?

Miroslav Lachman
[1] sshd didn't run after upgrade to FreeBSD 8.4
http://lists.freebsd.org/pipermail/freebsd-stable/2013-June/073898.html
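
Added example, not part of the original message and not OpenSSH or FreeBSD code: a server-side audit that finds symlinks under a ChrootDirectory whose stored target is absolute (the "temp_symlink -> /devel/temp" form reported above), works out the relative target that resolves the same inside and outside the chroot, and rewrites the link. The function names and the temporary directory standing in for /usr/home are assumptions made for the illustration.

```python
import os
import tempfile

def find_absolute_links(chroot):
    """Return (link, stored_target, relative_target) for each symlink under
    `chroot` whose stored target is an absolute path."""
    chroot = os.path.realpath(chroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(chroot):  # does not follow links
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.readlink(link)
            if not os.path.isabs(target):
                continue  # relative targets resolve the same in and out of the chroot
            # Inside the chroot "/" is the chroot directory, so a chroot-relative
            # target such as /devel/temp means <chroot>/devel/temp on the host.
            intended = os.path.normpath(os.path.join(chroot, target.lstrip("/")))
            relative = os.path.relpath(intended, os.path.dirname(link))
            findings.append((link, target, relative))
    return findings

def repair(findings):
    """Rewrite links as relative, but only when the chroot interpretation of
    the target exists; host-absolute links made outside the chroot are kept."""
    for link, _target, relative in findings:
        if os.path.lexists(os.path.join(os.path.dirname(link), relative)):
            os.unlink(link)
            os.symlink(relative, link)

def demo():
    # Constructed layout mirroring the report: <tmp> stands in for /usr/home.
    with tempfile.TemporaryDirectory() as tmp:
        chroot = os.path.realpath(tmp)
        home = os.path.join(chroot, "devel")
        os.makedirs(os.path.join(home, "temp"))
        os.symlink("/devel/temp", os.path.join(home, "temp_symlink"))  # broken form
        os.symlink("temp", os.path.join(home, "good_symlink"))         # expected form
        found = find_absolute_links(chroot)
        repair(found)
        fixed = os.readlink(os.path.join(home, "temp_symlink"))
        return [(os.path.relpath(l, chroot), t, r) for l, t, r in found], fixed

if __name__ == "__main__":
    print(demo())
```

Run find_absolute_links() on its own first to review the report; repair() changes links on disk and needs write access to the containing directories.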