cd /usr/lpp/coz/bin
export SFTP_SERVER_OPTIONS="-e -l debug3"
export SFTP_LOGFILE="/dev/fd2"
./dovetail-secure-sh -c /usr/lpp/coz/bin/sftp-server.sh
Co:Z sftp-server version: 1.7.0 (5.0p1) 2010-06-07
Copyright (C) Dovetailed Technologies, LLC. 2008. All rights reserved.
[50.601] session opened for local user KIRK from [9.77.141.246]
cd /usr/lpp/coz/bin
./dovetail-secure-sh -c /bin/sh
Only sftp and dataset pipes file transfers are allowed from this account
2) Just to make sure that something else isn't wrong with your test userid, verify that it can log into a z/OS Unix shell via ssh if you change the default program to "/bin/sh".
$ cd /usr/lpp/coz/bin
$ export SFTP_SERFVER_OPTIONS="-e -l debug3"
$ export SFTP_LOGFILE="/var/log"
$ ./dovetail-secure-sh -c /usr/lpp/coz/bin/sftp-server.sh
█: ./dovetail-secure-sh 7: FSUM7351 not found
Only sftp and dataset pipes file transfers are allowed from this account.
$
There seems to be some garbage in the shell script you created.
I pasted your script (from your post above) and it works fine for me, so perhaps the file itself has something non-displayable.
I put the following lines in the script to help diagnose the fault.
#!/bin/sh
# A shell script which can be set as a users default shell
# to only allow certain commands or ssh subsystems to run,
# disallowing full shell logins.
echo "STARTING SECURE SHELL"   # <<<<<< these 2 lines added for diagnosis
set -xv                        # <<<<<< (print each line, then each command as it runs)
if [ $# -ge 2 -a "$1" = "-c" ]; then
case $2 in
# Update this list to match what you have in /etc/ssh/sshd_config
# or add any other commands that you would like to allow
# from ssh.
/usr/lpp/coz/bin/sftp-server.sh) exec $2;;
/usr/lpp/coz/bin/cozserver) exec $2;;
*);;
esac
fi
# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed \
from this account."
exit 1
and the result is
$ su
# cd /usr/lpp/coz/bin
# export SFTP_SERVER_OPTIONS="-e -l debug3"
# export SFTP_LOGFILE="/dev/fd2"
# ./dovetail-secure-sh -c /usr/lpp/coz/bin/sftp-server.sh
STARTING SECURE SHELL
if █ $# -ge 2 -a "$1" = "-c" ¿; then
case $2 in
# Update this list to match what you have in /etc/ssh/sshd_config
# or add any other commands that you would like to allow
# from ssh.
/usr/lpp/coz/bin/sftp-server.sh) exec $2;;
/usr/lpp/coz/bin/cozserver) exec $2;;
*);;
esac
fi
+ █ 2 -ge 2 -a -c = -c ¿
█: ./dovetail-secure-sh 7: FSUM7351 not found
# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed \
from this account."
+ echo Only sftp and dataset pipes file transfers are allowed from this account
Only sftp and dataset pipes file transfers are allowed from this account.
exit 1
+ exit 1
#
I ended up needing to create the script on my PC and FTP up to the mainframe.
However, the script does not seem to be able to lock the user to their home directory.
Was the problem the encoding of the script file? I was going to suggest that perhaps your z/OS Unix encoding didn't match your terminal emulator encoding, so that "[" characters weren't actually what they appeared to be.
This "restricted shell" script isn't designed to restrict users to certain directories while in sftp (only lock them down to using sftp and not a shell). Your security package or user exits would be required to do that.
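The two points in this thread, the exact-match allow-list that the restricted shell enforces and the code-page problem that turned "[" into a byte sh could not find, can both be checked outside of sshd. The script below is an added example written for this page, not Dovetail's dovetail-secure-sh or any other Co:Z code: it repeats the posted case-statement logic as a function that reports its decision instead of exec'ing, and adds a byte scan that counts anything outside printable ASCII in a script file. The allowed paths are the ones from the posted script; the temporary file names, and the 0xAD byte written into the constructed "garbled" sample to stand in for a mis-converted bracket, are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Co:Z code. POSIX sh; runs on any Unix, not only z/OS.

# allowed_command CMD -> 0 if CMD is on the allow-list, 1 otherwise.
# Same exact-string case statement as the posted restricted shell: the
# whole of $2 must equal an allowed path, so "sftp-server.sh; /bin/sh"
# or a path with extra arguments does not match.
allowed_command() {
    case "$1" in
        /usr/lpp/coz/bin/sftp-server.sh) return 0 ;;
        /usr/lpp/coz/bin/cozserver)      return 0 ;;
        *)                               return 1 ;;
    esac
}

# restricted_shell [-c CMD] -> prints the decision the restricted shell
# would take ("EXEC <cmd>" or the refusal message) and returns 0/1,
# so the logic can be tested without actually exec'ing anything.
restricted_shell() {
    if [ $# -ge 2 ] && [ "$1" = "-c" ] && allowed_command "$2"; then
        echo "EXEC $2"
        return 0
    fi
    echo "Only sftp and dataset pipes file transfers are allowed from this account."
    return 1
}

# nonascii_count FILE -> number of bytes in FILE outside printable ASCII,
# tab and newline. A script uploaded or created in the wrong code page
# shows a non-zero count here even when the terminal renders it as "[".
nonascii_count() {
    LC_ALL=C tr -d '\040-\176\t\n' < "$1" | wc -c | tr -d ' '
}

# --- demonstration on constructed input (assumed temp paths) -------------
tmp=${TMPDIR:-/tmp}/secure-sh-demo.$$
mkdir -p "$tmp"
printf '#!/bin/sh\nif [ "$1" = "-c" ]; then echo ok; fi\n' > "$tmp/clean.sh"
# Same script, but the first "[" replaced by a single non-ASCII byte
# (0xAD, octal 255), a constructed stand-in for a mis-converted bracket.
printf '#!/bin/sh\nif \255 "$1" = "-c" ]; then echo ok; fi\n' > "$tmp/garbled.sh"

restricted_shell -c /usr/lpp/coz/bin/sftp-server.sh
restricted_shell -c /bin/sh || echo "(rejected, exit status $?)"
restricted_shell -c "/usr/lpp/coz/bin/sftp-server.sh; /bin/sh" || echo "(rejected, exit status $?)"
echo "clean.sh non-ASCII bytes:   $(nonascii_count "$tmp/clean.sh")"
echo "garbled.sh non-ASCII bytes: $(nonascii_count "$tmp/garbled.sh")"
rm -rf "$tmp"
```

Running nonascii_count against the real dovetail-secure-sh on the z/OS side (after the file has been tagged or converted to the code page sh expects) is a quicker check than set -xv: a count of 0 means every bracket, quote and semicolon in the file is the byte the shell will read, whatever the terminal emulator draws.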