LinuxQuestions.org
Old 08-03-2008, 03:48 PM   #1
d0127810
Debian Chroot help


Sorry to say I'm a bit of a noob (but we all gotta start somewhere I guess) - I'm trying to set up a jail for my SSH users on my Debian etch server.

I've tried using libpam-chroot; it has a quite simple README file - I think I have followed it to a T but clearly something has gone wrong.

I checked the auth.log :

Aug 3 19:25:46 localhost sshd[19404]: (pam_unix) session opened for user bob by (uid=0)
Aug 3 19:25:46 localhost PAM-env[19404]: Unable to open config file: No such file or directory

I think it's something to do with point 1, the chrooted-directory-tree.txt file - I haven't put it anywhere where ssh can see it when the user logs in. The README doesn't suggest anywhere.

Any help would be greatly appreciated - I can't see anything relevant in the syslog (or at least anything with PAM or the user bob in it).

Thanks

Dan



======= The README that I followed =======================

This is a sample configuration for the pam_chroot module.

In order to make this work you need to:

1.- use setup-chrootdir.sh to create a directory in which
the user will be chrooted (let's call it CHROOTDIR)
A sample layout like the one it creates is provided in the
chrooted-directory-tree.txt file

WARNING! Make sure to have an open console in which to
become superuser in case you mangle the files and cannot
log-on to the system later on!

2.- configure /etc/security/chroot.conf so that a given user
(USERCHROOTED) is chrooted to CHROOTDIR when entering (in the
sample configuration file CHROOTDIR=/chroot/directory)

3.- add the following line to /etc/pam.d/login
session required pam_chroot.so debug

4.- create USERCHROOTED in the system (/etc/passwd et al.) and
have his home directory be /home/test
(real directory=CHROOTDIR/home/test)

5.- add the necessary .profile, .cshrc, .bash_profile files to
the CHROOTDIR/home/test directory (fix permissions to your own
needs/policy)

6.- Try to enter the system as USERCHROOTED. You should be
restricted to CHROOTDIR and have only a limited number of
utilities (setup-chrootdir only provides 'ls')

If it does not work check the syslog files to see the messages
related to PAM (should include pam_chroot[XXXX]: session messages
due to the 'debug' option being set)
 
Old 08-03-2008, 06:34 PM   #2
unSpawn
Are you sure you want to use pam_chroot for that? Chroot functionality was recently added to OpenSSH itself. If you want to proceed, which version of pam_chroot are you using and did you read the troubleshooting doc (syslog socket)? Which PAM configs did you add pam_chroot to? What does it or what do they look like?
 
Old 08-04-2008, 03:30 AM   #3
d0127810
Quote:
Originally Posted by unSpawn View Post
Are you sure you want to use pam_chroot for that? Chroot functionality was recently added to OpenSSH itself. If you want to proceed, which version of pam_chroot are you using and did you read the troubleshooting doc (syslog socket)? Which PAM configs did you add pam_chroot to? What does it or what do they look like?
To be honest I just want the jail facility if this is in OpenSSH itself then I would be more than happy to use that. Are there any good HOWTOs you can suggest?
 
Old 08-04-2008, 05:20 AM   #4
unSpawn
How about perusing the OpenSSH docs? ;-p
 
Old 08-04-2008, 07:26 AM   #5
d0127810
Had a look around but can't find anything on the openssh website:

http://www.openssh.com

Little help with direction please
 
Old 08-04-2008, 08:17 AM   #6
unSpawn
If you look in the openssh-5.1p1 package (or earlier, it was added to 4.8 I think) at the manual pages for sshd_config you'll see some references:
Quote:
Originally Posted by man ./sshd_config.5
ChrootDirectory
Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal ’%’, %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

The ChrootDirectory must contain the necessary files and directories to support the users’ session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp server is used (see Subsystem for details).
On the other hand, if you want to proceed with pam_chroot, which version are you using and did you read the troubleshooting doc (syslog socket)? Which PAM configs did you add pam_chroot to? What does it or what do they look like?
 
Old 08-04-2008, 09:40 AM   #7
d0127810
version:
libpam-chroot (0.9-1)

Added the following line to /etc/pam.d/ssh:

session required pam_chroot.so debug

And I think it's supposed to output to the syslog under /var/log, which looks like

Aug 4 15:31:20 localhost afpd[3270]: uam: loading (/usr/lib/netatalk/uams_dhx.so)
Aug 4 15:31:20 localhost afpd[3270]: uam: uam not found (status=-1)
Aug 4 15:31:20 localhost afpd[3270]: uam: loading (/usr/lib/netatalk/uams_clrtxt.so)
Aug 4 15:31:20 localhost afpd[3270]: uam: uams_clrtxt.so loaded
Aug 4 15:31:20 localhost afpd[3270]: uam: loading (/usr/lib/netatalk/uams_randnum.so)
Aug 4 15:31:20 localhost afpd[3270]: uam: uam not found (status=-1)
Aug 4 15:31:20 localhost afpd[3270]: uam: "Cleartxt Passwrd" available
Aug 4 15:33:01 localhost /USR/SBIN/CRON[3577]: (nobody) CMD ([ -x /usr/share/sa-exim/greylistclean ] && /usr/share/sa-exim/greylistclean)
Aug 4 15:33:01 localhost sa-exim[3578]: Removed 0 of 0 greylist tuplets in 0 seconds
Aug 4 15:33:01 localhost sa-exim[3578]: Removed 0 of 0 greylist directories in 0 seconds
Aug 4 15:35:29 localhost dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 8
Aug 4 15:35:37 localhost dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 15
Aug 4 15:35:52 localhost dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 19
 
Old 08-04-2008, 11:20 AM   #8
unSpawn
Your "localhost PAM-env[19404]: Unable to open config file: No such file or directory" line points to it looking for CHROOTDIR/etc/security/ and CHROOTDIR/etc/environment where your pam_env stuff is. If you don't see any logging inside your chroot, mkdir CHROOTDIR/dev/ and restart Syslogd with "-a CHROOTDIR/dev/log". Wrt PAM and SSH the pam_chroot docs specifically point to the "ChallengeResponseAuthentication" and "UsePAM" sshd_config options. Please read that again?
 
Old 08-04-2008, 11:45 AM   #9
d0127810
Thanks I will try that and get back to you.

Thanks a lot, unSpawn
 
Old 08-05-2008, 04:32 AM   #10
d0127810
First off I apologise: I didn't read through the entire document, plus I used the README, which clearly was inadequate in covering all areas of the chroot process.

After going through the doc I found

debootstrap sid /sid-root http://ftp.debian.org/debian/

which I set up on the bob user and used the appropriate directory.

It seems to have installed a version of Debian - which might have been a little overkill, but the environment now works just fine.

What can I cut out to make it a lighter environment?

Thanks

Dan

Last edited by d0127810; 08-05-2008 at 04:34 AM.
 
Old 08-05-2008, 06:28 AM   #11
unSpawn
No need to apologise, after all it's *you* who has been doing all the work :-] To cut out stuff you first want a list of packages: chroot into your chroot, run 'dpkg -l' (or 'dpkg -l | grep ^i' for only installed packages?), output to a file, edit out those you know you need, then post the list of packages you're unsure about. Wrt removal it would also be good to know what you want to do with this chroot (reason).
 
Old 08-05-2008, 08:41 AM   #12
d0127810
The aim would be to have a bare-basics chroot environment so applications can SSH to the server and tunnel through to the MySQL server. When I did the bootstrap it seems to have everything that the main Debian server has (folder wise).
 