Linux - General
This Linux forum is for general Linux questions and discussion. If it is Linux related and doesn't seem to fit in any other forum, then this is the place.
I have been trying to set up a chroot jail for some ssh users. I have been using this how-to http://www.howtoforge.org/chrooted-s...l-debian-lenny
I tried an earlier one from the same author and didn't have success either.
I am at this point.
I am able to login as the "testuser" provided that I change the sshd_config and comment out the settings for "testuser".
Sep 29 18:07:56 Kingbee sshd[25831]: Connection from 127.0.1.1 port 33898
Sep 29 18:07:56 Kingbee sshd[25831]: Failed none for testuser from 127.0.1.1 port 33898 ssh2
Sep 29 18:08:01 Kingbee sshd[25831]: Accepted password for testuser from 127.0.1.1 port 33898 ssh2
Sep 29 18:08:01 Kingbee sshd[25831]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 29 18:08:01 Kingbee sshd[25839]: Changed root directory to "/home"
Sep 29 18:08:01 Kingbee sshd[25831]: User child is on pid 25839
Sep 29 18:08:01 Kingbee sshd[25831]: pam_unix(sshd:session): session closed for user testuser
So far nothing I have tried has helped.
There were 2 entries in /home/etc/passwd & shadow in the jail for "testuser". The first one I think was a left over from the first attempt, so I deleted them. That didn't change things.
The /etc/passwd only contains one line for "testuser" and it looks like this
If you cannot log in (for example on Debian Sarge) and see a warning like "su: Module is unknown" then comment out the following line from $JAIL/etc/pam.d/su:
#session required pam_limits.so
After that logging in will work, although I can't explain why the module in $JAIL/lib/security/ is not found and used.
But I don't have /home/jail/etc/pam.d/su; I have the folder but not the file. And my error says nothing about a module. I do have /home/etc/pam.d/su and the above is commented out.
I am able to manually enter the jail as root.
Thanks for any advice you can give me.
Last edited by rbees; 10-02-2009 at 04:41 PM.
Reason: SOLVED
Peterius, thanks /bin/bash inside the jail -rwxr-xr-x (0755) the same as outside. Both are owned by root/root.
I prefer to be polite instead of rude. I am sure the men and women who come here would prefer to be treated with respect rather than like non-entities. Lack of respect is what got the young man killed by that mob of gang fighters in Chicago the other day. Try some respect, smeezekitty; you might find that you like it, and people will like you better for it. If you don't know what it is, go back to school.
I found it. The script that the how-to uses to set up the jail sets the permissions on most of the files and folders in the jail. After getting them set right I am much closer to getting a successful login.
I am getting a different error now.
Code:
/usr/lib/openssh/sftp-server: error while loading shared libraries: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
Connection to kingbee closed.
I still may not have the permissions right for that though.
The user not found error was the result of incorrect permissions set up by the script.
I was also having some firewall issues but I think I have them fixed.
But I am still having issues after connecting.
Code:
:~$ ssh testuser@kingbee
Debian GNU/Linux squeeze/sid
testuser@kingbee's password:
ls
cat /home/testuser/.porfile
Connection to kingbee closed.
:~$
As you can see, the password seems to be accepted and I get sent to a new line, but I don't get a prompt. I can enter text of some kind or a command, but pressing return sends me to the next line. In the above example I entered two commands, neither returning the result they should; pressing return after the second one always kicks me out of the session.
/var/log/auth.log contains
Code:
Oct 2 07:20:38 Kingbee sshd[23101]: Connection from 127.0.1.1 port 55410
Oct 2 07:20:38 Kingbee sshd[23101]: Failed none for testuser from 127.0.1.1 port 55410 ssh2
Oct 2 07:20:43 Kingbee sshd[23101]: Accepted password for testuser from 127.0.1.1 port 55410 ssh2
Oct 2 07:20:43 Kingbee sshd[23101]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Oct 2 07:20:43 Kingbee sshd[23101]: User child is on pid 23111
Oct 2 07:20:43 Kingbee sshd[23111]: Changed root directory to "/home"
Oct 2 07:22:25 Kingbee sshd[23101]: pam_unix(sshd:session): session closed for user testuser
So far I have not found anything else in the logs.
I get the same results if I make the attempt for a different machine on my network.
Is there a way to run strace on the login? I have used it once before, but that was under direct guidance and the man page doesn't help me understand how to do it.
Code:
:~$ ssh -vv testuser@kingbee
OpenSSH_5.1p1 Debian-7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to kingbee [127.0.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/kingbee/.ssh/identity type -1
debug1: identity file /home/kingbee/.ssh/id_rsa type -1
debug1: identity file /home/kingbee/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-7
debug1: match: OpenSSH_5.1p1 Debian-7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-7
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 145/256
debug2: bits set: 554/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'kingbee' is known and matches the RSA host key.
debug1: Found key in /home/kingbee/.ssh/known_hosts:15
debug2: bits set: 527/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/kingbee/.ssh/identity ((nil))
debug2: key: /home/kingbee/.ssh/id_rsa ((nil))
debug2: key: /home/kingbee/.ssh/id_dsa ((nil))
Debian GNU/Linux squeeze/sid
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kingbee/.ssh/identity
debug1: Trying private key: /home/kingbee/.ssh/id_rsa
debug1: Trying private key: /home/kingbee/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
testuser@kingbee's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_confirm: type 99 id 0
debug2: shell request accepted on channel 0
ls #entered command
cat .profile #entered command
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Connection to kingbee closed.
Transferred: sent 2272, received 2600 bytes, in 117.5 seconds
Bytes per second: sent 19.3, received 22.1
debug1: Exit status 11
Also "testuser"'s .bash_history has some entries in it. Some of them may be from logging in before the jail was somewhat working. The cat command from above does not show up there.
Code:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
Port 13579
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
#X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
GatewayPorts no
AllowTcpForwarding yes
KeepAlive yes
AllowUsers kingbee testuser
Match User testuser
ChrootDirectory /home
# AllowTcpFowarding no #not allowed in Match block
# X11Fowarding no #not allowed in Match block
ForceCommand /usr/lib/openssh/sftp-server
Match Group sshUsers
ChrootDirectory /home
# AllowTcpFowarding no #not allowed in Match block
# X11Fowarding no #not allowed in Match block
ForceCommand /usr/lib/openssh/sftp-server
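The auth.log excerpts above have a recognisable shape while the jail was broken: "session opened", "Changed root directory" from the child process, and "session closed", all within the same second. The script below is an added example (not from the thread or the how-to) that scans an auth.log in the Debian syslog format shown in the thread and reports chrooted sessions that closed within a given number of seconds, which is a cheap way to spot a jail that is rejecting every login. The sample lines in `sample_log` are copied from the thread's own log excerpts; the script assumes a POSIX awk and does not match sessions across midnight.

```shell
#!/bin/sh
# Added example, not code from the thread: find sshd sessions that were
# chrooted and then closed almost immediately, the pattern the poster's
# auth.log shows while the jail was broken.
# Assumes the Debian-style syslog lines seen in the thread:
#   "Mon DD HH:MM:SS host sshd[PID]: ..." with "sshd[PID]:" as the 5th field.

# short_chroot_sessions FILE MAXSECS
# Print "PID USER DURATION" for each chrooted session lasting <= MAXSECS.
short_chroot_sessions() {
    awk -v max="$2" '
        # HH:MM:SS -> seconds since midnight (no handling of day rollover)
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        # strip "sshd[" and "]:" so pid holds only the digits
        { pid = $5; gsub(/[^0-9]/, "", pid) }
        /session opened for user/ { user[pid] = $(NF-2); opened[pid] = secs($3) }
        # the parent logs the child pid; the child logs the chroot
        /User child is on pid/    { child_of[pid] = $NF }
        /Changed root directory/  { chroot_pid[pid] = 1 }
        /session closed for user/ && (pid in opened) {
            if (child_of[pid] in chroot_pid) {
                d = secs($3) - opened[pid]
                if (d <= max) print pid, user[pid], d
            }
            delete opened[pid]
        }
    ' "$1"
}

# Sample input: the two auth.log excerpts posted in the thread.
sample_log() {
    cat <<'EOF'
Sep 29 18:07:56 Kingbee sshd[25831]: Connection from 127.0.1.1 port 33898
Sep 29 18:08:01 Kingbee sshd[25831]: Accepted password for testuser from 127.0.1.1 port 33898 ssh2
Sep 29 18:08:01 Kingbee sshd[25831]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 29 18:08:01 Kingbee sshd[25839]: Changed root directory to "/home"
Sep 29 18:08:01 Kingbee sshd[25831]: User child is on pid 25839
Sep 29 18:08:01 Kingbee sshd[25831]: pam_unix(sshd:session): session closed for user testuser
Oct 2 07:20:43 Kingbee sshd[23101]: Accepted password for testuser from 127.0.1.1 port 55410 ssh2
Oct 2 07:20:43 Kingbee sshd[23101]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Oct 2 07:20:43 Kingbee sshd[23101]: User child is on pid 23111
Oct 2 07:20:43 Kingbee sshd[23111]: Changed root directory to "/home"
Oct 2 07:22:25 Kingbee sshd[23101]: pam_unix(sshd:session): session closed for user testuser
EOF
}

# Usage: sh short_sessions.sh /var/log/auth.log 5   (file name is assumed)
if [ "$#" -gt 0 ]; then
    short_chroot_sessions "$1" "${2:-5}"
fi
```

Run against the sample with a 5 second threshold it reports only the first session (pid 25831, duration 0); the second session lasted 102 seconds because the poster was typing commands, so it is only reported with a larger threshold.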
Well I can login now. Thanks to some advice from Grand Traverse Linux Users Group.
They pointed out that I still had the ForceCommand /usr/lib/openssh/sftp-server enabled as the how-to instructs. For some reason it will not work that way. I disabled it and now I can login.
There is still a problem however ;( As testuser I am able to cd into other users' directories. I am, however, confined to /home.
If I chmod 750 the other users' directories, then testuser is unable to cd into them. As I have heard others say, I am not so impressed with testuser being able to see the other user accounts, but at this point I have other, more important things to worry about.
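Two checks are worth scripting for a setup like this one. OpenSSH only accepts a ChrootDirectory whose directory, and every path component above it, is owned by root and not writable by group or others, and the last post's remaining complaint is that a user chrooted into /home can browse the other home directories. The script below is an added example (not from the thread or the how-to) that performs both checks: `chroot_path_ok` walks up from the jail and fails on the first unsafe component, and `readable_by_others` lists the top-level directories inside the jail that other users can read or enter. The TOP and OWNER arguments are assumptions added only so the check can be exercised on a scratch tree without root; the script relies on a POSIX find (`-prune`, `-user`, `-perm`).

```shell
#!/bin/sh
# Added example, not code from the thread or the howtoforge guide.
# Audits a directory intended as an sshd ChrootDirectory.

# chroot_path_ok DIR [TOP] [OWNER]
# Walk from DIR up to TOP (default /) and fail on the first component that is
# not owned by OWNER (default root) or is group/world writable; this mirrors
# the conditions sshd itself enforces before honouring ChrootDirectory.
chroot_path_ok() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1"; return 1; }
    top=$(cd "${2:-/}" && pwd -P)
    owner=${3:-root}
    while :; do
        # -prune keeps find on the directory itself instead of descending
        bad=$(find "$dir" -prune \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print)
        if [ -n "$bad" ]; then
            echo "unsafe chroot component: $(ls -ld "$dir")"
            return 1
        fi
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# readable_by_others JAIL
# Print each top-level directory inside JAIL that others can read or enter.
# With ChrootDirectory /home these are the home directories a chrooted user
# can browse; chmod 750 (as the poster did) removes them from this list.
readable_by_others() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        find "$d" -prune \( -perm -o+r -o -perm -o+x \) -print
    done
}

# Usage: sh audit_chroot.sh /home   (file name is assumed)
if [ "$#" -gt 0 ]; then
    chroot_path_ok "$1" && echo "chroot path is acceptable to sshd"
    echo "directories inside $1 readable or enterable by others:"
    readable_by_others "$1"
fi
```

A related point for the libcrypto error earlier in the thread: `ForceCommand internal-sftp` runs the SFTP server inside the sshd process, so no binaries or shared libraries need to be copied into the jail; the external /usr/lib/openssh/sftp-server only works in a chroot when its whole library closure is present there.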