LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Making openSSH chroot users (https://www.linuxquestions.org/questions/linux-networking-3/making-openssh-chroot-users-46874/)

tunedLow 02-24-2003 03:25 AM

Making openSSH chroot users
 
Hello,

I am experimenting with ssh and am trying to use a patch which will chroot users to a specific directory. I am following this how to: http://chrootssh.sourceforge.net/

I can chroot to the directory I've created to jail users in, and I can ssh locally, but I can't get ssh to jail the user. ***Note that this from my own machine, using $ ssh -l myUser localhost , and have yet to try it from outside.

Question - is logging in on the machine that is serving the ssh connection the reason I can't chroot under ssh?

The user I have created for this has a home directory of /myChrootDir/./home/usersHome. His shell is listed as /bin/bash, and bash is copied to the /myChrootDir/bin. Although it's suggested not to do so here , I at least want it to get it to work once first, then make it work better.

Could it be that the patch isn't patched correctly? I dl'd it, which came as somePatch.diff.txt, removed the txt part, then went to the openssh dir, ran # patch -v0 < /path/to/the/patch/somePatch.diff. Didn't get a response, just a return.

Made sure to stop and restart sshd.

Even tried installing his patched ssh, to no avail.

Any suggestions would be appreciated, this is all new stuff for me. Sketched on the whole idea and want to be careful.

Thanks.

unSpawn 02-24-2003 04:25 AM

First of all, you don't get any error messages? Also not in the ssh log?

I can chroot to the directory I've created to jail users in
You mean you populated the chroot with the necessary binaries/libs/config files?

Question - is logging in on the machine that is serving the ssh connection the reason I can't chroot under ssh?
AFAIK, no. It should work for logging in locally and remotely.

The "no shell" option is for users that only need to ftp. If your user needs only scp/sftp there's a special shell for that.

patch -v0 < /path/to/the/patch/somePatch.diff. Didn't get a response, just a return.
One way to see what "patch" is doing is to add opt "--dry-run" and it'll show you. More important, what I'm missing here is you telling us you compiled the new OpenSSH source and installed the new binaries...

Even tried installing his patched ssh, to no avail.
Explain what/where it failed? If you want to see what "make install" does, run it as "make -n install > installer.log", then "less installer.log". This won't actually install, just go tru the motions.
Now run "make install 2> installed.log", and view it. It will put all error messages in installed.log.

*btw, in the d/l dir there's an already patched source for OpenSSH-3.5p1 (session.c checks out with the provided patch), maybe try that one.

tunedLow 02-25-2003 01:49 AM

Thanks for the reply -

I've made some progress. I got the patch to work. I can ssh as a regular user (that is, a user without the /./ in his $HOME path). I can chroot to the directory. However, now I can't login with the user I created who needs to be chrooted (his home has /./ in the path).

Let me try to answer your questions:


You mean you populated the chroot with the necessary binaries/libs/config files?
Yes. And in doing so, I simply copied bash from /bin/bash to the bin directory of the chrooted directory - as in /chrootedDir/bin/bash, and then put the necessary libraries for bash in the chroot dir as well.

When I created the user, I did so like this:
#useradd -d /chrootedDir/./home/userName -s /bin/bash


More important, what I'm missing here is you telling us you compiled the new OpenSSH source and installed the new binaries...
Yes, did that. Got the source from openssh, removed the old ssh, sshd, the /usr/local/etc/ssh*.



First of all, you don't get any error messages? Also not in the ssh log?
Sorry, here's the verbose output:

[ rob /etc]$ ssh -l jan -v localhost
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/rob/.ssh/identity type -1
debug1: identity file /home/rob/.ssh/id_rsa type -1
debug1: identity file /home/rob/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 122/256
debug1: bits set: 1622/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/rob/.ssh/known_hosts:2
debug1: bits set: 1624/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/rob/.ssh/identity
debug1: try privkey: /home/rob/.ssh/id_rsa
debug1: try privkey: /home/rob/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
jan@localhost's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to localhost closed by remote host.
Connection to localhost closed.
debug1: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 5642.3
debug1: Exit status -1


So it looks like it takes the password ok, then when the user gets a shell it fails (i guess).

Any more help would be appreciated. Thanks.

unSpawn 02-25-2003 07:10 AM

// var D /chrootedDir/home/userName

However, now I can't login with the user I created who needs to be chrooted (his home has /./ in the path).
Can you chroot manually, just to see if there ain't no probs reading from $D/{bin,lib,etc}?

then put the necessary libraries for bash in the chroot dir as well
You used "ldd" to catch all libs, right? Did you also put in the Bash resource files in $D/etc(/profile)? And scrubbed versions of passwd, group etc etc? Btw, when I'm making a chrooted jail I use http://www.gsyc.inf.uc3m.es/~assman/jail so I only have to worry about customizing the jail, not handling deps...

Connection to localhost closed by remote host.
Your sshd_config hasn't by any chance got any restrictions on User/Group hasn't it? Same for TCP Wrappers. Anything in the sshd log (check sshd_config for facility)? No PAM restrictions on logins?
If no on all, then maybe you've got to resort to running sshd in debug mode adding "-d -d -d", then connect with ssh in debug mode adding "-v -v -v".

tunedLow 02-25-2003 01:31 PM

Got it! Thanks.

Yes, I had used ldd to get all the libs and was able to chroot to that dir.

I hadn't put $D/etc/passwd in (with only that users line listed), and as soon as I did i could log in as that user and was jailed.

I'm going to do research on my own now about using a more restricive shell (all i want the user to be able to do is dl some mp3s). What was the one you mentioned earlier?

Thanks again.

unSpawn 02-25-2003 04:31 PM

Np. There are sources out there for a sftp-only and a scp-only shell. If you can't locate them I can dump the src somewhere.


All times are GMT -5. The time now is 06:04 PM.