Having some trouble with CHROOT/PAM. I am able to log in to my SuSE box (ssh) and have my authentication handed off to TACACS via PAM and then open a CHROOTed shell, but another user, with identical settings as far as I can tell, cannot. He logs in, the authentication succeeds according to /var/log/messages and the tacacs server, but he is not given a shell and the connection immediately closes.
Here are some config files in case they help:
tail of /var/log/messages
Code:
Nov 16 10:17:11 linux sshd[12716]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
Nov 16 10:17:11 linux sshd[12716]: pam_sm_authenticate: user [linc] obtained
Nov 16 10:17:11 linux sshd[12716]: tacacs_get_password: called
Nov 16 10:17:14 linux sshd[12716]: tacacs_get_password: obtained password [p4Ss0R!]
Nov 16 10:17:14 linux sshd[12716]: pam_sm_authenticate: pass [p4Ss0R!] obtained
Nov 16 10:17:14 linux sshd[12716]: pam_sm_authenticate: tty [ssh] obtained
Nov 16 10:17:14 linux sshd[12716]: pam_sm_authenticate: trying srv 0
Nov 16 10:17:14 linux sshd[12716]: pam_sm_authenticate: exit
Nov 16 10:17:14 linux sshd[12714]: Accepted keyboard-interactive/pam for giulinc from ::ffff:10.1.1.2 port 3448 ssh2
/etc/security/chroot.conf
Code:
# /etc/security/chroot.conf
# format:
# username chroot_dir
#foo /home/foo
user1 /home/vnc/./monkeys
linc /home/vnc/./monkeys
# Or, if you've specified use_regex,
# username_regex chroot_dir
#^bar.* /home/bar
home dir:
Code:
linux:/home/vnc/monkeys # pwd; ls -al
/home/vnc/monkeys
total 1
drwxr-xr-x 7 root root 192 2004-08-10 15:41 .
drwxr-xr-x 10 root root 240 2004-08-10 15:41 ..
drwxr-xr-x 2 root root 120 2004-08-10 15:41 bin
drwxr-xr-x 2 root root 96 2004-08-10 15:41 dev
drwxr-xr-x 2 root root 96 2004-08-10 15:41 etc
drwxr-xr-x 3 root root 72 2004-08-10 15:41 home
drwxr-xr-x 3 root root 600 2004-08-10 15:41 lib
lrwxrwxrwx 1 root root 4 2004-08-10 15:41 sh -> bash
linux:/home/vnc/monkeys #
excerpts from /etc/passwd:
Code:
user1:x:1004:100::/:/bin/bash
linc:x:1011:100::/:/bin/bash
Not sure what else is relevant.
Thanks in advance for any advice.
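
An added example, not part of the original post: it parses the chroot.conf format shown above and checks, for each /etc/passwd user with a jail entry, whether that user's shell and home directory resolve inside the jail. The `fs_prefix` parameter, the first-match lookup order and the use of Python's `re.search` for `use_regex` entries are assumptions of this example.

```python
import os
import re

# Sample inputs copied from the post's chroot.conf and /etc/passwd excerpts.
SAMPLE_CONF = """\
# username chroot_dir
#foo /home/foo
user1 /home/vnc/./monkeys
linc /home/vnc/./monkeys
"""
SAMPLE_PASSWD = "user1:x:1004:100::/:/bin/bash\nlinc:x:1011:100::/:/bin/bash\n"

def parse_chroot_conf(text):
    """Return (pattern, chroot_dir) pairs, skipping blanks and # comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries

def jail_for(user, entries, use_regex=False):
    """First matching entry wins (assumption about the lookup order)."""
    for pattern, chroot_dir in entries:
        if (re.search(pattern, user) if use_regex else pattern == user):
            return chroot_dir
    return None

def check_users(conf_text, passwd_text, use_regex=False, fs_prefix=""):
    """Report, per jailed user, whether shell and home exist inside the jail.
    fs_prefix (hypothetical) relocates the jail so the check can run offline."""
    entries = parse_chroot_conf(conf_text)
    report = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        user, home, shell = f[0], f[5], f[6]
        jail = jail_for(user, entries, use_regex)
        if jail is None:
            continue
        root = os.path.normpath(fs_prefix + jail)
        report[user] = {"jail": os.path.normpath(jail),
                        "shell_ok": os.access(root + shell, os.X_OK),
                        "home_ok": os.path.isdir(root + home)}
    return report

if __name__ == "__main__":
    for user, result in check_users(SAMPLE_CONF, SAMPLE_PASSWD).items():
        print(user, result)
```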