Rob101 n00b
Joined: 07 Jun 2006 Posts: 22
Posted: Fri Dec 18, 2009 3:13 am Post subject: [Worked around] sshd chroot jail (gentoo hardened)
All,
I'm having some trouble running sshd in a chroot jail for sftp protection.
I'm using gentoo hardened, with selinux in permissive mode, sshd version OpenSSH_5.2p1.
I think I'm running into the problem described here: http://archive.netbsd.se/?ml=openssh-unix-dev&a=2008-05&t=7467381, which has presumably been fixed in sshd for some time.
The error message I get in /var/log/auth.log is:
Code:
Dec 16 17:50:50 www sshd[2208]: Accepted keyboard-interactive/pam for hjsimpson from 10.0.0.2 port 4937 ssh2
Dec 16 17:50:50 www sshd[2208]: pam_unix(sshd:session): session opened for user hjsimpson by (uid=0)
Dec 16 17:50:50 www sshd[2208]: pam_selinux(sshd:session): pam: default-context=user_u:user_r:user_crontab_t selected-context=user_u:user_r:user_crontab_t success 1
Dec 16 17:50:50 www sshd[2215]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
Dec 16 17:50:50 www sshd[2208]: pam_unix(sshd:session): session closed for user hjsimpson
(specifically, the 'fatal' is where the problem is.)
The sshd config:
Code:
Protocol 2
AllowGroups remotelogin
PermitRootLogin no
MaxAuthTries 1
PasswordAuthentication no
UsePAM yes
X11Forwarding yes
TCPKeepAlive yes
Subsystem sftp internal-sftp
Match User hjsimpson
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Advice on bugs.gentoo says use pam_chroot - isn't that what the ChrootDirectory config parameter does?
https://bugs.gentoo.org/show_bug.cgi?id=26615#c26
Mounting an additional /selinux in /home/selinux is permitted by the kernel; however, it does not alleviate the problem.
Does anyone have any suggestions?
Further, is Pure-ftpd well regarded as a secure, stable file transfer server?
Happy to include emerge --info if requested.
Cheers, Rob
Last edited by Rob101 on Mon Dec 28, 2009 12:23 am; edited 1 time in total
richard.scott Veteran
Joined: 19 May 2003 Posts: 1497 Location: Oxfordshire, UK
Posted: Fri Dec 18, 2009 6:55 pm Post subject:
I think you may need to change this:
Code:
ChrootDirectory /home
to the user's chrooted directory:
Code:
ChrootDirectory /home/hjsimpson
For some reason this is different on my system to the user's home directory listed in /etc/passwd... not sure why, but I seem to remember there was a reason... I guess you could create a subdirectory and point it to that:
Code:
ChrootDirectory /home/hjsimpson/chroot
EDIT: I think I created a 2nd directory so the remote user couldn't change anything in the .ssh directory.
Rich.
Rob101 n00b
Joined: 07 Jun 2006 Posts: 22
Posted: Sat Dec 19, 2009 1:44 am Post subject:
Richard,
Thank you for your considered response. I think there is some great wisdom in having a $home/chroot dir.
I'm not sure, though: are you running USE=selinux and not seeing the fault described?
If you are, then I've got a bigger problem than I thought?!
Rob
richard.scott Veteran
Joined: 19 May 2003 Posts: 1497 Location: Oxfordshire, UK
Posted: Sat Dec 19, 2009 11:05 am Post subject:
Hi Rob,
Nope, sorry, I don't run any selinux systems yet... thought it may be a misconfigured server causing problems with the selinux rules.
Rich
Rob101 n00b
Joined: 07 Jun 2006 Posts: 22
Posted: Mon Dec 21, 2009 12:41 am Post subject:
Does anyone else have any ideas?
Can I compile a non-selinux aware sshd on this box and use that?
(not forgetting that I'm running selinux in permissive mode.)
richard.scott Veteran
Joined: 19 May 2003 Posts: 1497 Location: Oxfordshire, UK
Posted: Mon Dec 21, 2009 8:07 am Post subject:
Why not try rebooting with "selinux=0" on the command line (if you've configured your kernel for that to work).
Perhaps that way you could test it without selinux??
Rob101 n00b
Joined: 07 Jun 2006 Posts: 22
Posted: Tue Dec 22, 2009 12:08 pm Post subject:
I'm sorry for the late response; thank you, I will try tomorrow.
At this time I can't take the server down.
Rob101 n00b
Joined: 07 Jun 2006 Posts: 22
Posted: Mon Dec 28, 2009 12:27 am Post subject:
Richard,
Disabling selinux at boot time by passing the parameter 'selinux=0' to the kernel permits sshd to correctly chroot into the /home directory.
By design, sshd will not permit chrooting into /home/hjsimpson - which is fine by me.
This might imply that it is indeed the selinux detection code in opensshd that is not operating correctly, as the referenced post comments on.
I'll try to write up a bug report soon.
Rob