Making openSSH chroot users
Hello,
I am experimenting with ssh and am trying to use a patch which will chroot users to a specific directory. I am following this how to: http://chrootssh.sourceforge.net/ I can chroot to the directory I've created to jail users in, and I can ssh locally, but I can't get ssh to jail the user. ***Note that this from my own machine, using $ ssh -l myUser localhost , and have yet to try it from outside. Question - is logging in on the machine that is serving the ssh connection the reason I can't chroot under ssh? The user I have created for this has a home directory of /myChrootDir/./home/usersHome. His shell is listed as /bin/bash, and bash is copied to the /myChrootDir/bin. Although it's suggested not to do so here , I at least want it to get it to work once first, then make it work better. Could it be that the patch isn't patched correctly? I dl'd it, which came as somePatch.diff.txt, removed the txt part, then went to the openssh dir, ran # patch -v0 < /path/to/the/patch/somePatch.diff. Didn't get a response, just a return. Made sure to stop and restart sshd. Even tried installing his patched ssh, to no avail. Any suggestions would be appreciated, this is all new stuff for me. Sketched on the whole idea and want to be careful. Thanks. |
First of all, you don't get any error messages? Also not in the ssh log?
I can chroot to the directory I've created to jail users in You mean you populated the chroot with the necessary binaries/libs/config files? Question - is logging in on the machine that is serving the ssh connection the reason I can't chroot under ssh? AFAIK, no. It should work for logging in locally and remotely. The "no shell" option is for users that only need to ftp. If your user needs only scp/sftp there's a special shell for that. patch -v0 < /path/to/the/patch/somePatch.diff. Didn't get a response, just a return. One way to see what "patch" is doing is to add opt "--dry-run" and it'll show you. More important, what I'm missing here is you telling us you compiled the new OpenSSH source and installed the new binaries... Even tried installing his patched ssh, to no avail. Explain what/where it failed? If you want to see what "make install" does, run it as "make -n install > installer.log", then "less installer.log". This won't actually install, just go tru the motions. Now run "make install 2> installed.log", and view it. It will put all error messages in installed.log. *btw, in the d/l dir there's an already patched source for OpenSSH-3.5p1 (session.c checks out with the provided patch), maybe try that one. |
Thanks for the reply -
I've made some progress. I got the patch to work. I can ssh as a regular user (that is, a user without the /./ in his $HOME path). I can chroot to the directory. However, now I can't login with the user I created who needs to be chrooted (his home has /./ in the path). Let me try to answer your questions: You mean you populated the chroot with the necessary binaries/libs/config files? Yes. And in doing so, I simply copied bash from /bin/bash to the bin directory of the chrooted directory - as in /chrootedDir/bin/bash, and then put the necessary libraries for bash in the chroot dir as well. When I created the user, I did so like this: #useradd -d /chrootedDir/./home/userName -s /bin/bash More important, what I'm missing here is you telling us you compiled the new OpenSSH source and installed the new binaries... Yes, did that. Got the source from openssh, removed the old ssh, sshd, the /usr/local/etc/ssh*. First of all, you don't get any error messages? Also not in the ssh log? Sorry, here's the verbose output: [ rob /etc]$ ssh -l jan -v localhost OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to localhost [127.0.0.1] port 22. debug1: Connection established. debug1: identity file /home/rob/.ssh/identity type -1 debug1: identity file /home/rob/.ssh/id_rsa type -1 debug1: identity file /home/rob/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 debug1: match: OpenSSH_3.5p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.5p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 122/256 debug1: bits set: 1622/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'localhost' is known and matches the RSA host key. debug1: Found key in /home/rob/.ssh/known_hosts:2 debug1: bits set: 1624/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: try privkey: /home/rob/.ssh/identity debug1: try privkey: /home/rob/.ssh/id_rsa debug1: try privkey: /home/rob/.ssh/id_dsa debug1: next auth method to try is keyboard-interactive debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is password jan@localhost's password: debug1: ssh-userauth2 successful: method password debug1: channel 0: new [client-session] debug1: send channel open 0 debug1: Entering interactive session. debug1: ssh_session2_setup: id 0 debug1: channel request 0: pty-req debug1: channel request 0: shell debug1: fd 3 setting TCP_NODELAY debug1: channel 0: open confirm rwindow 0 rmax 32768 debug1: channel_free: channel 0: client-session, nchannels 1 Connection to localhost closed by remote host. Connection to localhost closed. debug1: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.0 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 5642.3 debug1: Exit status -1 So it looks like it takes the password ok, then when the user gets a shell it fails (i guess). Any more help would be appreciated. Thanks. |
// var D /chrootedDir/home/userName
However, now I can't login with the user I created who needs to be chrooted (his home has /./ in the path). Can you chroot manually, just to see if there ain't no probs reading from $D/{bin,lib,etc}? then put the necessary libraries for bash in the chroot dir as well You used "ldd" to catch all libs, right? Did you also put in the Bash resource files in $D/etc(/profile)? And scrubbed versions of passwd, group etc etc? Btw, when I'm making a chrooted jail I use http://www.gsyc.inf.uc3m.es/~assman/jail so I only have to worry about customizing the jail, not handling deps... Connection to localhost closed by remote host. Your sshd_config hasn't by any chance got any restrictions on User/Group hasn't it? Same for TCP Wrappers. Anything in the sshd log (check sshd_config for facility)? No PAM restrictions on logins? If no on all, then maybe you've got to resort to running sshd in debug mode adding "-d -d -d", then connect with ssh in debug mode adding "-v -v -v". |
Got it! Thanks.
Yes, I had used ldd to get all the libs and was able to chroot to that dir. I hadn't put $D/etc/passwd in (with only that users line listed), and as soon as I did i could log in as that user and was jailed. I'm going to do research on my own now about using a more restricive shell (all i want the user to be able to do is dl some mp3s). What was the one you mentioned earlier? Thanks again. |
Np. There are sources out there for a sftp-only and a scp-only shell. If you can't locate them I can dump the src somewhere.
|
All times are GMT -5. The time now is 06:04 PM. |