Dynamic Allocation with Dataset Pipes.

General discussion of the Co:Z Toolkit
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

1) To verify that your script works, try debugging it from a user logged in to a USS shell:

Code: Select all

cd /usr/lpp/coz/bin
export SFTP_SERVER_OPTIONS="-e -l debug3"
export SFTP_LOGFILE="/dev/fd2"
./dovetail-secure-sh -c /usr/lpp/coz/bin/sftp-server.sh
Co:Z sftp-server version: 1.7.0 (5.0p1) 2010-06-07
Copyright (C) Dovetailed Technologies, LLC. 2008. All rights reserved.
[50.601] session opened for local user KIRK from [9.77.141.246]
(you will have to Ctrl-C to break this)

And then verify that you get tossed out with:

Code: Select all

cd /usr/lpp/coz/bin
./dovetail-secure-sh -c /bin/sh
Only sftp and dataset pipes file transfers are allowed from this account

2) Just to make sure that something else isn't wrong with your test userid, verify that it can log into a z/OS Unix shell via ssh if you change the default program to "/bin/sh".

Hope this helps,
ROB124
Posts: 9
Joined: Tue Jun 08, 2010 12:41 am
Location: Suncorp Brisbane

Post by ROB124 »

I get the following error....

$ cd /usr/lpp/coz/bin
$ export SFTP_SERFVER_OPTIONS="-e -l debug3"
$ export SFTP_LOGFILE="/var/log"
$ ./dovetail-secure-sh -c /usr/lpp/coz/bin/sftp-server.sh
█: ./dovetail-secure-sh 7: FSUM7351 not found
Only sftp and dataset pipes file transfers are allowed from this account.
$
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

There seems to be some garbage in the shell script you created.
I pasted your script (from your post above) and it works fine for me, so perhaps the file itself has something non-displayable.

The line:

Code: Select all

█: ./dovetail-secure-sh 7: FSUM7351 not found
says that a command named "█" wasn't found on line 7. This is odd, since in what you posted line 7 is a comment.
ROB124
Posts: 9
Joined: Tue Jun 08, 2010 12:41 am
Location: Suncorp Brisbane

Post by ROB124 »

I put the following lines in the script to help diagnose the fault.
#!/bin/sh
# A shell script which can be set as a users default shell
# to only allow certain commands or ssh subsystems to run,
# disallowing full shell logins.
echo "STARTING SECURE SHELL"    # <<<<<< THESE 2 LINES
set -xv
if [ $# -ge 2 -a "$1" = "-c" ]; then
case $2 in
# Update this list to match what you have in /etc/ssh/sshd_config
# or add any other commands that you would like to allow
# from ssh.
/usr/lpp/coz/bin/sftp-server.sh) exec $2;;
/usr/lpp/coz/bin/cozserver) exec $2;;
*);;
esac
fi
# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed \
from this account."
exit 1

and the result is
$ su
# cd /usr/lpp/coz/bin
# export SFTP_SERVER_OPTIONS="-e -l debug3"
# export SFTP_LOGFILE="/dev/fd2"
# ./dovetail-secure-sh -c /usr/lpp/coz/bin/sftp-server.sh
STARTING SECURE SHELL
if █ $# -ge 2 -a "$1" = "-c" ¿; then
case $2 in
# Update this list to match what you have in /etc/ssh/sshd_config
# or add any other commands that you would like to allow
# from ssh.
/usr/lpp/coz/bin/sftp-server.sh) exec $2;;
/usr/lpp/coz/bin/cozserver) exec $2;;
*);;
esac
fi
+ █ 2 -ge 2 -a -c = -c ¿
█: ./dovetail-secure-sh 7: FSUM7351 not found
# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed \
from this account."
+ echo Only sftp and dataset pipes file transfers are allowed from this account
Only sftp and dataset pipes file transfers are allowed from this account.
exit 1
+ exit 1
#
ROB124
Posts: 9
Joined: Tue Jun 08, 2010 12:41 am
Location: Suncorp Brisbane

Post by ROB124 »

:D
I have now got it working.....

I ended up needing to create the script on my PC and FTP it up to the mainframe. :?
However the script does not seem to be able to lock the user to their home directory. :cry:
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

Was the problem the encoding of the script file? I was going to suggest that perhaps your z/OS Unix encoding didn't match your terminal emulator encoding, so that "[" characters weren't actually what they appeared to be.

This "restricted shell" script isn't designed to restrict users to certain directories while in sftp (only lock them down to using sftp and not a shell). Your security package or user exits would be required to do that.