LinuxQuestions.org
Old 08-27-2004, 10:27 PM   #1
linux_terror
Jailed(chrooted) users and ftp


OK, this is kind of a cross-dimensional question, so I put it in here to start....

I am getting "login incorrect" for all of my chrooted users on my server via regular ftp....

Things I have (that apply to this)...

1.)Redhat 9.0
2.)Fully functional apache webserver with name based virtual hosts.
3.)Fully functional chrooted environment for sftp and ssh.
4.)Proftpd

After setting up the jail sftp and ssh work great...jail works properly.
I have tried both the chrooted setting and the non-chrooted setting for proftpd, and on both I get "530 login incorrect" for jailed users. It doesn't really make a whole lot of sense to me. At the same time...non-chrooted users are able to log in via all three (ssh, sftp, and ftp). I tried copying /usr/local/sbin/proftpd into the user's home directory along with the necessary libraries (this worked for sftp-server), to no avail....kinda stumped now...hope someone can help....thanks all.

linux_terror

--------------------------------------------------------------------------
In the game of life it takes a root prompt to really foul up.
 
Old 08-28-2004, 05:59 AM   #2
unSpawn
What HOWTO or tutorial did you use to set up the chroot jail?
Did you complete all steps w/o probs?
Post Proftpd config?
Post (relevant part of) Proftpd error log?
 
Old 08-28-2004, 03:13 PM   #3
linux_terror
The tutorial I used for the jail is this one....

http://www.tjw.org/chroot-login-HOWTO/

here's my proftpd.conf..

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "xxxxxxxxxxxxxxxx"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group ftp

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
User ftp
Group ftp

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
<Global>
RootLogin off
DefaultRoot ~
SyslogLevel info
</Global>

And as I said, I have tried uncommenting #DefaultRoot ~ and it still won't work.

error_log has this...

Aug 28 15:51:01 xxxxxxxx proftpd[8887]: xxxxxxxxxxxx.net (c-xx-xx-xxx-xxx.xxxxx.xxxx.net[xx.xxx.xx.xxx]) - PAM(xxxxx): Authentication failure.

I can only think that maybe it has something to do with the privileges.....can't put my finger on it.
Maybe what group or user it's running under? Dunno, just brainstorming.

Thanks for taking a look at this btw...I'll be here working on it all day if you need more info.

linux_terror

------------------------------------------------------------------------
In the game of life it takes a root prompt to really foul up.
 
Old 08-28-2004, 09:59 PM   #4
linux_terror
ok.....I got it this far now....

I added /bin/chroot-shell to /etc/shells

the ftp user can now log in but it takes the chrooted users to the /tmp directory. Which is their home dir in /etc/passwd. Hmm.... how to get them into the jail.

linux_terror

------------------------------------------------------------------------
In the game of life it takes a root prompt to really foul up.
 
Old 08-29-2004, 06:56 PM   #5
linux_terror
got it figured out...

Took out the entry from /etc/shells and enabled users to log in w/out a valid shell in proftpd

then..

changed my home directory path in /etc/passwd from /tmp to /home/username for my hosting clients.

duh!

So now I have a jailed ssh/sftp, AND ftp environment for all my hosting clients.

Guess I'm just putting this post up for completion's sake.

Anyway, See y'all later...

linux_terror
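
Added example (not part of the original thread): a shell audit for the two conditions this thread ran into, a login shell missing from the shells file, which ProFTPD rejects while its RequireValidShell directive is at the default "on", and a home directory of /tmp, which is where "DefaultRoot ~" puts the user. The function name, the sample accounts and the MIN_UID default of 500 are assumptions made for illustration.

```shell
#!/bin/sh
# Flag accounts that ProFTPD would refuse (shell not in the shells file while
# RequireValidShell is on) or that "DefaultRoot ~" would jail into a shared
# directory such as /tmp. Added illustration, not code from the thread.

# audit_ftp_accounts PASSWD SHELLS [MIN_UID]   (MIN_UID default 500 is an assumption)
audit_ftp_accounts() {
    awk -F: -v shells="$2" -v min_uid="${3:-500}" '
        BEGIN {
            # Load the list of valid shells, skipping comments and blank lines.
            while ((getline line < shells) > 0)
                if (line !~ /^[ \t]*#/ && line !~ /^[ \t]*$/) valid[line] = 1
            close(shells)
        }
        /^[ \t]*#/ || /^[ \t]*$/ || NF < 7 || $3 + 0 < min_uid + 0 { next }
        {
            shell = ($7 in valid) ? "listed" : "unlisted"
            home = ($6 == "/" || $6 == "/tmp" || $6 == "/var/tmp") ? "shared" : "private"
            printf "%s shell=%s home=%s(%s)\n", $1, shell, home, $6
        }
    ' "$1"
}

# Constructed sample data mirroring the thread: client1 is the original setup
# (jail shell, home /tmp); client2 has the corrected home directory and still
# needs RequireValidShell off because its shell is not listed.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
client1:x:501:501::/tmp:/bin/chroot-shell
client2:x:502:502::/home/client2:/bin/chroot-shell
admin:x:503:503::/home/admin:/bin/bash
EOF
    cat > "$dir/shells" <<'EOF'
# constructed shells file
/bin/sh
/bin/bash
EOF
    audit_ftp_accounts "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

On a live system the call would be `audit_ftp_accounts /etc/passwd /etc/shells`; any account reported as home=shared would be chrooted into a directory other users can write to.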
 
  

