LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 02-24-2003, 04:25 AM   #1
tunedLow
Member
 
Registered: Sep 2001
Location: Salt Lake City
Distribution: Slackware 8.1
Posts: 133

Rep: Reputation: 15
Making openSSH chroot users


Hello,

I am experimenting with ssh and am trying to use a patch which will chroot users to a specific directory. I am following this how to: http://chrootssh.sourceforge.net/

I can chroot to the directory I've created to jail users in, and I can ssh locally, but I can't get ssh to jail the user. ***Note that this from my own machine, using $ ssh -l myUser localhost , and have yet to try it from outside.

Question - is logging in on the machine that is serving the ssh connection the reason I can't chroot under ssh?

The user I have created for this has a home directory of /myChrootDir/./home/usersHome. His shell is listed as /bin/bash, and bash is copied to the /myChrootDir/bin. Although it's suggested not to do so here , I at least want it to get it to work once first, then make it work better.

Could it be that the patch isn't patched correctly? I dl'd it, which came as somePatch.diff.txt, removed the txt part, then went to the openssh dir, ran # patch -v0 < /path/to/the/patch/somePatch.diff. Didn't get a response, just a return.

Made sure to stop and restart sshd.

Even tried installing his patched ssh, to no avail.

Any suggestions would be appreciated, this is all new stuff for me. Sketched on the whole idea and want to be careful.

Thanks.
 
Old 02-24-2003, 05:25 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
First of all, you don't get any error messages? Also not in the ssh log?

I can chroot to the directory I've created to jail users in
You mean you populated the chroot with the necessary binaries/libs/config files?

Question - is logging in on the machine that is serving the ssh connection the reason I can't chroot under ssh?
AFAIK, no. It should work for logging in locally and remotely.

The "no shell" option is for users that only need to ftp. If your user needs only scp/sftp there's a special shell for that.

patch -v0 < /path/to/the/patch/somePatch.diff. Didn't get a response, just a return.
One way to see what "patch" is doing is to add opt "--dry-run" and it'll show you. More important, what I'm missing here is you telling us you compiled the new OpenSSH source and installed the new binaries...

Even tried installing his patched ssh, to no avail.
Explain what/where it failed? If you want to see what "make install" does, run it as "make -n install > installer.log", then "less installer.log". This won't actually install, just go tru the motions.
Now run "make install 2> installed.log", and view it. It will put all error messages in installed.log.

*btw, in the d/l dir there's an already patched source for OpenSSH-3.5p1 (session.c checks out with the provided patch), maybe try that one.
 
Old 02-25-2003, 02:49 AM   #3
tunedLow
Member
 
Registered: Sep 2001
Location: Salt Lake City
Distribution: Slackware 8.1
Posts: 133

Original Poster
Rep: Reputation: 15
Thanks for the reply -

I've made some progress. I got the patch to work. I can ssh as a regular user (that is, a user without the /./ in his $HOME path). I can chroot to the directory. However, now I can't login with the user I created who needs to be chrooted (his home has /./ in the path).

Let me try to answer your questions:


You mean you populated the chroot with the necessary binaries/libs/config files?
Yes. And in doing so, I simply copied bash from /bin/bash to the bin directory of the chrooted directory - as in /chrootedDir/bin/bash, and then put the necessary libraries for bash in the chroot dir as well.

When I created the user, I did so like this:
#useradd -d /chrootedDir/./home/userName -s /bin/bash


More important, what I'm missing here is you telling us you compiled the new OpenSSH source and installed the new binaries...
Yes, did that. Got the source from openssh, removed the old ssh, sshd, the /usr/local/etc/ssh*.



First of all, you don't get any error messages? Also not in the ssh log?
Sorry, here's the verbose output:

[ rob /etc]$ ssh -l jan -v localhost
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/rob/.ssh/identity type -1
debug1: identity file /home/rob/.ssh/id_rsa type -1
debug1: identity file /home/rob/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 122/256
debug1: bits set: 1622/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/rob/.ssh/known_hosts:2
debug1: bits set: 1624/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/rob/.ssh/identity
debug1: try privkey: /home/rob/.ssh/id_rsa
debug1: try privkey: /home/rob/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
jan@localhost's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to localhost closed by remote host.
Connection to localhost closed.
debug1: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 5642.3
debug1: Exit status -1


So it looks like it takes the password ok, then when the user gets a shell it fails (i guess).

Any more help would be appreciated. Thanks.
 
Old 02-25-2003, 08:10 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
// var D /chrootedDir/home/userName

However, now I can't login with the user I created who needs to be chrooted (his home has /./ in the path).
Can you chroot manually, just to see if there ain't no probs reading from $D/{bin,lib,etc}?

then put the necessary libraries for bash in the chroot dir as well
You used "ldd" to catch all libs, right? Did you also put in the Bash resource files in $D/etc(/profile)? And scrubbed versions of passwd, group etc etc? Btw, when I'm making a chrooted jail I use http://www.gsyc.inf.uc3m.es/~assman/jail so I only have to worry about customizing the jail, not handling deps...

Connection to localhost closed by remote host.
Your sshd_config hasn't by any chance got any restrictions on User/Group hasn't it? Same for TCP Wrappers. Anything in the sshd log (check sshd_config for facility)? No PAM restrictions on logins?
If no on all, then maybe you've got to resort to running sshd in debug mode adding "-d -d -d", then connect with ssh in debug mode adding "-v -v -v".
 
Old 02-25-2003, 02:31 PM   #5
tunedLow
Member
 
Registered: Sep 2001
Location: Salt Lake City
Distribution: Slackware 8.1
Posts: 133

Original Poster
Rep: Reputation: 15
Got it! Thanks.

Yes, I had used ldd to get all the libs and was able to chroot to that dir.

I hadn't put $D/etc/passwd in (with only that users line listed), and as soon as I did i could log in as that user and was jailed.

I'm going to do research on my own now about using a more restricive shell (all i want the user to be able to do is dl some mp3s). What was the one you mentioned earlier?

Thanks again.
 
Old 02-25-2003, 05:31 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Np. There are sources out there for a sftp-only and a scp-only shell. If you can't locate them I can dump the src somewhere.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Setting up chroot with existing users qwerty Linux - Security 1 11-03-2005 05:29 PM
chroot or keeping users to /home techrolla Linux - Security 9 06-22-2004 06:18 AM
proftp chroot multiple users waffe Linux - General 2 11-02-2003 12:11 AM
chroot jail sftp users f1uke Linux - Security 1 07-28-2003 11:29 AM
Chroot users thecrab Linux - Security 6 03-03-2002 06:21 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 06:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration