Ph0eniX (Guru)
Joined: 24 Sep 2004, Posts: 502, Location: New York, U.S.
Posted: Fri Oct 10, 2008 9:22 pm, Post subject: Chrooting SSH
Hi,
I followed this guide:
http://gentoo.linuxhowtos.org/openssh/chrootedssh.htm
...but for some reason when I try to log in as a chrooted user, I get disconnected immediately. The logs indicate that I'm authenticating OK. Any ideas?
Thank you! :D

Hu (Administrator)
Joined: 06 Mar 2007, Posts: 23103
Posted: Sat Oct 11, 2008 3:30 am
Does the chroot contain all libraries required to run the shell? Use dev-util/strace to monitor the new process to find out what happens after authentication.

Ph0eniX (Guru)
Joined: 24 Sep 2004, Posts: 502, Location: New York, U.S.
Posted: Sat Oct 11, 2008 4:09 am
I emerged strace but I'm not sure how to use it.
Thanks! :D

Ph0eniX (Guru)
Joined: 24 Sep 2004, Posts: 502, Location: New York, U.S.
Posted: Mon Oct 13, 2008 12:53 pm
Ph0eniX wrote:
> I emerged strace but I'm not sure how to use it.
> Thanks! :D

It looks like I was missing some libraries because I was unable to chroot to the jail environment from the main environment.
Now if I do:
Code:
```
chroot /home/chroot /bin/bash
```
...I'm actually getting a bash prompt. SSH still disconnects me though.
I tried adding:
Code:
```
Match user username
ChrootDirectory /home/chroot/home/username
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
```
...to sshd_config (because one of the guides I saw had said to do that) but I'm getting:
Code:
```
/etc/ssh/sshd_config line 127: Directive 'ChrootDirectory' is not allowed within a Match block
```
...when I restart SSH. What am I doing wrong?
Thank you! :D
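Hu's question above, and the missing libraries Ph0eniX found in his jail, come down to one requirement: whatever sshd executes inside the ChrootDirectory (here the login shell) has to exist under the jail together with every shared object it is linked against, or the process dies right after authentication and the client just sees a disconnect. The script below is an added example for this thread, not code from the original posts or from the linked linuxhowtos guide. It assumes a glibc system with ldd(1) in PATH; the jail and binary paths are taken as arguments, and the ldd line shapes in the comments are the standard ones, so nothing here is specific to the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread or the linked guide: put a binary and the
# shared objects it depends on into a chroot jail. Assumes a glibc system with
# ldd(1) in PATH; the jail and binary paths are arguments, not fixed values.

# Turn ldd(1)-style output on stdin into a list of on-disk library paths.
# Handles the line shapes ldd emits:
#   libc.so.6 => /lib/libc.so.6 (0x...)     -> /lib/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)     -> /lib64/ld-linux-x86-64.so.2
#   linux-vdso.so.1 (0x...)                 -> skipped (kernel-provided, no file)
#   libgone.so => not found                 -> reported on stderr, skipped
parse_ldd_output() {
    awk '
        $2 == "=>" && $3 == "not" { print "missing on host: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Shared objects a binary needs, according to the real ldd.
libs_for() {
    ldd "$1" | parse_ldd_output
}

# Copy one file into the jail at the same absolute path, creating parents.
# $1 = jail directory, $2 = absolute path of the file on the host.
install_into_jail() {
    dest="$1$2"
    mkdir -p "$(dirname "$dest")"
    cp -p "$2" "$dest"
}

# Copy a binary plus every library ldd lists for it. Repeat for each program
# the chrooted user must be able to run (for a login shell, at least the shell).
populate_chroot() {
    install_into_jail "$1" "$2"
    for lib in $(libs_for "$2"); do
        install_into_jail "$1" "$lib"
    done
}

# Quick functional check, run as root: if the shell and its libraries are all
# present this prints "ok"; a missing library shows up as the dynamic loader's
# error message instead of the silent disconnect sshd gives the remote user.
verify_jail() {
    chroot "$1" "$2" -c 'echo ok'
}

# Usage: sh populate_chroot.sh /home/chroot /bin/bash
if [ $# -eq 2 ]; then
    populate_chroot "$1" "$2"
    verify_jail "$1" "$2"
fi
```

`verify_jail` is the same check Ph0eniX ran by hand (`chroot /home/chroot /bin/bash`). To see what sshd itself does after authentication, as Hu suggests, attach strace to the listening daemon before the chrooted user logs in, for example `strace -f -o /tmp/sshd.trace -p <pid of the listening sshd>`, then look for the `chroot(`, `execve(` and `ENOENT` lines in /tmp/sshd.trace: the first ENOENT after the chroot is usually the file the jail lacks.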

Ph0eniX (Guru)
Joined: 24 Sep 2004, Posts: 502, Location: New York, U.S.
Posted: Tue Oct 14, 2008 1:40 pm
I found out that OpenSSH 4.9 and higher include chroot without the need for special hacks, so I updated to 5.1 and voilà! I just made the following changes to the sshd_config:
Code:
```
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
```
...created a user whose primary group is sftponly, and it's actually working!!!

myha (Apprentice)
Joined: 16 Sep 2005, Posts: 152, Location: Ljubljana, Slovenia
Posted: Tue Nov 04, 2008 7:32 am
Hi,
I am struggling with this but for some reason it is not working...?
Here is the relevant part of sshd_config:
Code:
```
# override default of no subsystems
# Subsystem sftp internal-sftp
Subsystem sftp /usr/lib/misc/sftp-server
Match User test
# ForceCommand internal-sftp
ChrootDirectory /home/%u
```
Code:
```
server ~ # ls -l /home/
drwxr-xr-x 3 root root 192 Nov 3 10:49 test
```
If root is the owner of /home/test/ I get the following response:
Code:
```
/bin/bash: No such file or directory
```
If test is the owner of /home/test I get:
Code:
```
sshd[4969]: fatal: bad ownership or modes for chroot directory "/home/test"
```
I tried with all combinations of stuff but cannot get it working... If I uncomment the ForceCommand it hangs when I enter the password.
Any ideas?
EDIT: And the openssh version and flags:
Code:
```
[ebuild R ] net-misc/openssh-5.1_p1-r1 USE="pam tcpd -X -X509 -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB
```

myha (Apprentice)
Joined: 16 Sep 2005, Posts: 152, Location: Ljubljana, Slovenia
Posted: Tue Nov 04, 2008 7:39 am
And here is the debug of the hung session (which I believe is the closest one):
Code:
```
sshd sshd[5686]: debug1: session_new: session 0
sshd sshd[5686]: User child is on pid 5690
sshd sshd[5690]: debug1: PAM: establishing credentials
sshd sshd[5686]: pam_unix(sshd:session): session opened for user test by (uid=0)
sshd sshd[5686]: debug1: PAM: establishing credentials
sshd sshd[5686]: debug1: monitor_child_preauth: test has been authenticated by privileged process
sshd sshd[5686]: Accepted keyboard-interactive/pam for test from 10.12.136.158 port 55992 ssh2
sshd sshd[5686]: debug1: do_pam_account: called
sshd sshd[5686]: debug1: PAM: num PAM env strings 0
sshd sshd[5689]: debug1: do_pam_account: called
sshd sshd[5686]: Failed publickey for test from 10.12.136.158 port 55992 ssh2
sshd sshd[5686]: debug1: restore_uid: 0/0
sshd sshd[5686]: debug1: trying public key file /home/test/.ssh/authorized_keys2
sshd sshd[5686]: debug1: temporarily_use_uid: 1005/1008 (e=0/0)
sshd sshd[5686]: debug1: restore_uid: 0/0
sshd sshd[5686]: debug1: trying public key file /home/test/.ssh/authorized_keys
sshd sshd[5686]: debug1: temporarily_use_uid: 1005/1008 (e=0/0)
sshd sshd[5686]: debug1: PAM: setting PAM_TTY to "ssh"
sshd sshd[5686]: debug1: PAM: setting PAM_RHOST to "10.12.136.158"
sshd sshd[5686]: debug1: PAM: initializing for "test"
sshd sshd[5686]: debug1: user test matched 'User test' at line 118
sshd sshd[5686]: debug1: Local version string SSH-2.0-OpenSSH_5.1
sshd sshd[5686]: debug1: Enabling compatibility mode for protocol 2.0
sshd sshd[5686]: debug1: match: OpenSSH_5.1 pat OpenSSH*
sshd sshd[5686]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1
sshd sshd[5686]: Connection from 10.12.136.158 port 55992
sshd sshd[5686]: debug1: inetd sockets after dupping: 3, 3
sshd sshd[5674]: debug1: Forked child 5686.
sshd sshd[5686]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
```