Linux - Software
Sorry to say I'm a bit of a noob (but we all gotta start somewhere I guess). I'm trying to set up a jail for my SSH users on my Debian etch server.
I've tried using libpam-chroot; it has a quite simple README file. I think I have followed it to a T, but clearly something has gone wrong.
I checked the auth.log :
Aug 3 19:25:46 localhost sshd[19404]: (pam_unix) session opened for user bob by (uid=0)
Aug 3 19:25:46 localhost PAM-env[19404]: Unable to open config file: No such file or directory
I think it's something to do with point 1, the chrooted-directory-tree.txt file. I haven't put it anywhere where ssh can see it when the user logs in; the README doesn't suggest anywhere.
Any help would be greatly appreciated. I can't see anything relevant in the syslog (or at least anything with PAM or bob the user in it).
Thanks
Dan
======= The README that I followed =======================
This is a sample configuration for the pam_chroot module.
In order to make this work you need to:
1.- use setup-chrootdir.sh to create a directory in which
the user will be chrooted (let's call it CHROOTDIR)
A sample layout like the one it creates is provided in the
chrooted-directory-tree.txt file
WARNING! Make sure to have an open console in which to
become superuser in case you mangle the files and cannot
log-on to the system later on!
2.- configure /etc/security/chroot.conf so that a given user
(USERCHROOTED) is chrooted to CHROOTDIR when entering (in the
sample configuration file CHROOTDIR=/chroot/directory)
3.- add the following line to /etc/pam.d/login
session required pam_chroot.so debug
4.- create USERCHROOTED in the system (/etc/passwd et al.) and
have his home directory be /home/test
(real directory=CHROOTDIR/home/test)
5.- add the necessary .profile, .cshrc, .bash_profile files to
the CHROOTDIR/home/test directory (fix permissions to your own
needs/policy)
6.- Try to enter the system as USERCHROOTED. You should be
restricted to CHROOTDIR and have only a limited number of
utilities (setup-chrootdir only provides 'ls')
If it does not work check the syslog files to see the messages
related to PAM (should include pam_chroot[XXXX]: session messages
due to the 'debug' option being set)
Are you sure you want to use pam_chroot for that? Chroot functionality was recently added to OpenSSH itself. If you want to proceed, which version of pam_chroot are you using and did you read the troubleshooting doc (syslog socket)? Which PAM configs did you add pam_chroot to? What does it or what do they look like?
To be honest I just want the jail facility if this is in OpenSSH itself then I would be more than happy to use that. Are there any good HOWTOs you can suggest?
If you look in the openssh-5.1p1 package (or earlier, it was added to 4.8 I think) at the manual pages for sshd_config you'll see some references:
Quote:
Originally Posted by man ./sshd_config.5
ChrootDirectory
Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal ’%’, %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.
The ChrootDirectory must contain the necessary files and directories to support the users’ session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp server is used (see Subsystem for details).
On the other hand, if you want to proceed with pam_chroot, which version are you using and did you read the troubleshooting doc (syslog socket)? Which PAM configs did you add pam_chroot to? What does it or what do they look like?
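The ownership and mode rule in the quoted ChrootDirectory text is the one sshd enforces at login (it refuses the chroot and logs "bad ownership or modes for chroot directory" otherwise), so it is worth checking a candidate directory before touching sshd_config. The following is an added example, not code from the thread or from OpenSSH: a small sh script that walks every component of a path and reports the first one that is not a directory owned by root (uid 0) or that is group- or other-writable. It assumes GNU stat(1) as shipped on Debian. The optional second argument (an owner uid other than 0) exists only so the check can be exercised as a non-root user; sshd itself accepts root ownership only.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: audit a candidate
# ChrootDirectory against the sshd_config(5) rule quoted above. The path
# and every component of it must be a directory owned by root that is not
# writable by group or others. Assumes GNU stat(1) (coreutils, as on
# Debian). Run as:  sh chrootcheck.sh /chroot/directory

# check_component DIR [UID]
# Succeed if DIR is a directory owned by UID (default 0 = root) whose
# mode has neither the group-write nor the other-write bit set.
check_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    # %u = numeric owner uid, %A = symbolic mode such as drwxr-xr-x
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %A "$dir") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner (uid $uid, want $want_uid): $dir" >&2
        return 1
    fi
    case $mode in
        # 6th character is the group-write bit, 9th the other-write bit
        ?????w*|????????w*)
            echo "writable by group or others ($mode): $dir" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [UID]
# Walk every prefix of PATH (/, /a, /a/b, ...) and apply check_component,
# stopping at the first one sshd would reject.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    case $path in
        /*) ;;
        *) echo "ChrootDirectory must be absolute: $path" >&2; return 1 ;;
    esac
    check_component / "$want_uid" || return 1
    cur=
    old_ifs=$IFS
    IFS=/
    set -f                # no globbing while the path is split on '/'
    set -- $path
    set +f
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue   # empty field from the leading '/' or '//'
        cur="$cur/$comp"
        check_component "$cur" "$want_uid" || return 1
    done
    echo "ok: $path and all its components are owned by uid $want_uid and not group/other writable"
    return 0
}

# With an argument, audit that path; with none, only define the functions.
if [ -n "${1:-}" ]; then
    check_chroot_path "$1"
fi
```

A typical failure this catches is a jail placed under /tmp or /home/bob: /tmp is world-writable and a home directory is owned by the user, so sshd rejects both even when the leaf directory itself is root-owned 0755.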
And I think it's supposed to output to the syslog under /var/log, which looks like:
Aug 4 15:31:20 localhost afpd[3270]: uam: loading (/usr/lib/netatalk/uams_dhx.so)
Aug 4 15:31:20 localhost afpd[3270]: uam: uam not found (status=-1)
Aug 4 15:31:20 localhost afpd[3270]: uam: loading (/usr/lib/netatalk/uams_clrtxt.so)
Aug 4 15:31:20 localhost afpd[3270]: uam: uams_clrtxt.so loaded
Aug 4 15:31:20 localhost afpd[3270]: uam: loading (/usr/lib/netatalk/uams_randnum.so)
Aug 4 15:31:20 localhost afpd[3270]: uam: uam not found (status=-1)
Aug 4 15:31:20 localhost afpd[3270]: uam: "Cleartxt Passwrd" available
Aug 4 15:33:01 localhost /USR/SBIN/CRON[3577]: (nobody) CMD ([ -x /usr/share/sa-exim/greylistclean ] && /usr/share/sa-exim/greylistclean)
Aug 4 15:33:01 localhost sa-exim[3578]: Removed 0 of 0 greylist tuplets in 0 seconds
Aug 4 15:33:01 localhost sa-exim[3578]: Removed 0 of 0 greylist directories in 0 seconds
Aug 4 15:35:29 localhost dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 8
Aug 4 15:35:37 localhost dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 15
Aug 4 15:35:52 localhost dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 19
Your "localhost PAM-env[19404]: Unable to open config file: No such file or directory" line points to it looking for CHROOTDIR/etc/security/ and CHROOTDIR/etc/environment, where your pam_env stuff is. If you don't see any logging inside your chroot, mkdir CHROOTDIR/dev/ and restart syslogd with "-a CHROOTDIR/dev/log". Wrt PAM and SSH, the pam_chroot docs specifically point to the "ChallengeResponseAuthentication" and "UsePAM" sshd_config options. Please read that again?
First off, I apologise; I didn't read through the entire document, plus I used the README, which clearly was inadequate in covering all areas of the chroot process.
No need to apologise, after all it's *you* who has been doing all the work :-] To cut out stuff you first want a list of packages: chroot into your chroot, run 'dpkg -l' (or 'dpkg -l | grep ^i' for only installed packages?), output to a file, edit out those you know you need, then post the list of packages you're unsure about. Wrt removal it would also be good to know what you want to do with this chroot (reason).
The aim would be to have a bare basics chroot environment so applications can SSH to the server and tunnel through to the MySQL server. When I did the bootstrap it seems to have everything that the main Debian server has (folder wise).
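For the tunnel-only aim just described, the ChrootDirectory option quoted earlier in the thread (OpenSSH 4.8 or later) combines with a Match block so that the user can forward one TCP port and nothing else; an empty, root-owned chroot then needs none of the package pruning discussed above, because no shell or command can ever run inside it. The following is an added example and not configuration from the thread or from the OpenSSH project: a sh function that prints such a block. The user name bob, the directory /chroot/empty and the MySQL address 127.0.0.1:3306 are placeholders; AllowAgentForwarding needs OpenSSH 5.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: an sshd_config
# Match block for a user who may only authenticate and forward a TCP
# connection to MySQL, chrooted into an empty root-owned directory.
# Needs OpenSSH 4.8+ for ChrootDirectory; AllowAgentForwarding is 5.1+.
# The user name, chroot path and target address are placeholders.

# tunnel_only_match_block USER CHROOTDIR HOST:PORT
# Print a Match block restricting USER to port forwarding to HOST:PORT.
tunnel_only_match_block() {
    user=$1
    jail=$2
    target=$3
    cat <<EOF
Match User $user
    # empty, root-owned, mode 0755 directory: nothing to exec inside it
    ChrootDirectory $jail
    # only the forwarding needed to reach MySQL
    AllowTcpForwarding yes
    PermitOpen $target
    # everything else off
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
    # a shell or command request runs this inside the chroot, where it
    # does not exist, so the request fails; "ssh -N" never asks for one
    ForceCommand /bin/false
EOF
}

# A Match block stays in effect until the next Match, so append it after
# all global directives. Usage (as root):
#   mkdir -p /chroot/empty && chown root:root /chroot/empty && chmod 755 /chroot/empty
#   sh tunnel-only.sh bob /chroot/empty 127.0.0.1:3306 >> /etc/ssh/sshd_config
#   sshd -t && /etc/init.d/ssh reload
# Client side:  ssh -N -L 3306:127.0.0.1:3306 bob@server
if [ $# -eq 3 ]; then
    tunnel_only_match_block "$1" "$2" "$3"
fi
```

Run sshd -t after appending and keep a root console open, as the pam_chroot README also warns; the chroot directory and every component above it must still satisfy the root-ownership rule from the sshd_config man page quote, or sshd refuses the login.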