When someone connects to rsync, and it's supposed to stop them, and (wrongly) echoes an error message, I have output from rsync like:
protocol version mismatch -- is your shell clean?
or
rsync error: protocol incompatibility (code 2) at compat.c(600) [sender=v3.2.3]
And for sftp, it will instead say things like:
Received message too long 796226418
Ensure the remote shell produces no output for non-interactive sessions.
Unlike every other related question and answer I found, the output is intentional; the rsync and sftp are not supposed to work. I know why the message is there, but I don't want to remove it. I just want it to fit the protocol so the user sees it. How can I deliver a message to the user so they know what to do about it?
So imagine I have a shell that does simply:
#!/bin/bash
#
# just an example denying all... in reality, you allow something
# for testing, send output to this file too
exec &> >(tee "/tmp/shell-test.${USER}.out")
if grep -q "sftp" <<< "$SSH_ORIGINAL_COMMAND" || grep -q "sftp" <<< "$@"; then
    echo "sftp access is denied"
    exit 1
elif grep -q "rsync" <<< "$SSH_ORIGINAL_COMMAND" || grep -q "rsync" <<< "$@"; then
    echo "rsync access is denied"
    exit 1
else
    echo "I'm sorry Dave; I'm afraid I can't do that."
    exit 1
fi
Here are the tests and the output:
root@testserver # echo /usr/local/bin/test-shell >> /etc/shells
root@testserver # useradd -s /usr/local/bin/test-shell testuser
root@testserver # mkdir ~testuser/.ssh
root@testserver # echo "$yourkeyhere" > ~testuser/.ssh/authorized_keys
root@testserver # passwd testuser
you@workstation $ rsync -avP src/ testuser@testserver:bla/
protocol version mismatch -- is your shell clean?
(see the rsync man page for an explanation)
rsync error: protocol incompatibility (code 2) at compat.c(600) [sender=v3.2.3]
root@testserver # cat /tmp/shell-test.testuser.out
rsync access is denied
you@workstation $ sftp testuser@testserver
Received message too long 796226418
Ensure the remote shell produces no output for non-interactive sessions.
root@testserver # cat /tmp/shell-test.testuser.out
sftp access is denied
you@workstation $ ssh testuser@testserver
PTY allocation request failed on channel 0
I'm sorry Dave, I'm afraid I can't do that.
Connection to testserver closed.
root@testserver # cat /tmp/shell-test.testuser.out
I'm sorry Dave, I'm afraid I can't do that.
So for rsync and sftp, to deliver an error message to the user, what can I do instead of simply echo?
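One way to keep the protocol channel clean while still delivering the denial, as an added example that is not the asker's script: the message goes to stderr (which ssh relays to the user's terminal, and which rsync and sftp do not parse) and to a log file, while stdout carries nothing. It assumes sshd runs it as the login shell (sshd sets SSH_CONNECTION for every session) and uses a placeholder log path.

```shell
#!/bin/bash
# Added example (not the asker's script): a restricted login shell that
# denies rsync/sftp and delivers the reason on stderr only, so stdout,
# the channel rsync and sftp speak their protocol over, stays empty.
# Assumptions: installed as the user's login shell; LOGFILE is a placeholder.

LOGFILE="/tmp/restricted-shell.${USER:-unknown}.log"   # placeholder path

# classify_request <command>: print the denial text for <command>.
# Only called via $(...) below, so nothing reaches the client's stdout.
classify_request() {
    case "$1" in
        *sftp*)  echo "sftp access is denied" ;;
        *rsync*) echo "rsync access is denied" ;;
        *)       echo "I'm sorry Dave; I'm afraid I can't do that." ;;
    esac
}

# deny_request <command>: log the denial and write it to stderr.
# stdout is untouched, so the client sees EOF on the protocol stream
# (not stray text) and ssh shows the stderr line to the user.
# Returns 1 so the session ends with a non-zero status.
deny_request() {
    local msg
    msg=$(classify_request "$1")
    printf '%s %s: %s\n' "$(date -u +%FT%TZ)" "${USER:-?}" "$msg" \
        >> "$LOGFILE" 2>/dev/null || true    # logging must never break the deny
    printf '%s\n' "$msg" >&2
    return 1
}

# sshd invokes a login shell as "shell -c '<command>'" (non-interactive)
# or with no arguments (interactive); SSH_ORIGINAL_COMMAND is only set
# under a forced command, so fall back to the shell's own arguments.
if [ -n "${SSH_CONNECTION:-}" ]; then
    deny_request "${SSH_ORIGINAL_COMMAND:-$*}"
    exit 1
fi
```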
0 Answers