Re: chroot and OpenSSH
I'm happy to report that it did work. I had to apply the third "hunk" of the patch manually since the OpenSSH source code had changed slightly on the affected lines since the patch had been submitted, but once it was applied, it compiled without any problem and is working as it should.

Following Jeremy Reed's suggestion I've opted to hard link the libs and bins rather than copying them. Thanks for the suggestion, it is working quite well, but in the course of making these links I've come up against another probably clueless question: according to the "ln" manpage and info page, the super user can hard link directories by setting the -d or -F options. For some reason I cannot get this option to work, even though I have tried it with a variety of directories, with different permissions, but all located on the same filesystem. I did some digging around for more documentation on hard links, but the most prominent thing that I found was contrary to the man page, but consistent with my experience, in that it said that one couldn't hard link directories.

Anyone know of a somewhat definitive documentation on hard links, preferably with examples?

Thanks again to everyone who responded.

eirik

Frank Louwers wrote:
> >
> > Thanks for taking the time to answer my somewhat clueless questions.
>
> np ;) and let us know if it works ...
>
> Frank

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
chroot and OpenSSH
I don't have much experience with chroot, but I want to set up an SSH access for a user and restrict them to their home directory.

I've done a little research and found out that the commercial SSH2 provides "ChRootUsers" and "ChRootGroups" configuration directives. While I suppose that I could install SSH2 because their licensing allows for free use with the Linux OS, I would rather stick with OpenSSH, which is what I'm using now.

According to the O'Reilly SSH book SSH2 is the only implementation of SSH with those directives built in. I decided to poke around on the OpenSSH mailing lists to see if there was any discussion of adding a similar feature to OpenSSH and it looks like there is/was an unofficial patch in the CVS but it was never incorporated into the official OpenSSH distro and subsequently not in the Linux port of OpenSSH. And I certainly don't know enough to try to port the patch myself.

Then I tried the following, which probably indicates my ignorance of the Linux/SSH/login process: I tried changing the user's shell from "/bin/bash" to a shell script with "usermod -s /bin/usr_login.sh", which contained one line:

chroot /path/to/userhomedir /bin/bash

This fails, and I'm pretty sure that I know why, but I wanted to seek advice and guidance from those of you who might have experience with this before proceeding.

Thanks in advance,

eirik
Re: chroot and OpenSSH
> Aaron Ghent wrote:
> >
> > > I don't have much experience with chroot, but I want to set up an SSH
> > > access for a user and restrict them to their home directory.
> > >
> > > I've done a little research and found out that the commercial SSH2
> > > provides "ChRootUsers" and "ChRootGroups" configuration directives.
> > > While I suppose that I could install SSH2 because their licensing allows
> > > for free use with the Linux OS, I would rather stick with OpenSSH, which
> > > is what I'm using now.
> > >
> > > According to the O'Reilly SSH book SSH2 is the only implementation of
> > > SSH with those directives built in. I decided to poke around on the
> > > OpenSSH mailing lists to see if there was any discussion of adding a
> > > similar feature to OpenSSH and it looks like there is/was an unofficial
> > > patch in the CVS but it was never incorporated into the official OpenSSH
> > > distro and subsequently not in the Linux port of OpenSSH. And I
> > > certainly don't know enough to try to port the patch myself.
> > >
> > > Then I tried the following which probably indicates my ignorance of the
> > > Linux/SSH/login process, I tried changing the user's shell: "/bin/bash"
> > > to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
> > >
> > > chroot /path/to/userhomedir /bin/bash
> > >
> > > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > > advice and guidance from those of you who might have experience with
> > > this before proceeding.
> >
> > Did you add '/bin/usr_login.sh' to /etc/shells?
>
> Oops hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
> still getting the same error message as before:
>
> chroot: cannot change root directory to /home/userdir: Operation not permitted

I'm not sure what they should be, but this looks like a permissions problem. Try adding global execute permissions to '/home/userdir'. This might or might not be a security hole. I don't see anything obvious.

You do understand that by chroot-ing a user, you need to put all the commands and libraries into the chroot-ed directory. (At least the commands that user will use.)

> In addition these are the corresponding lines from my /var/log/messages:
>
> Aug 3 12:16:22 server1 sshd[1770]: Accepted password for user1 from
> xxx.xxx.xxx.xxx port 49155 ssh2
> Aug 3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session opened for user
> user1 by (uid=0)
> Aug 3 12:16:22 server1 sshd[1770]: fatal: session_input_channel_req:
> channel 0: no session
> Aug 3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session closed for user user1
>
> Thanks for the response. Nice sig.

Thank you.

> > > Thanks in advance,
> > >
> > > eirik

--
Aaron Ghent.
You're not going crazy! You're going sane... In a crazy world! -- The Tick
Re: chroot and OpenSSH
> > > > Then I tried the following which probably indicates my ignorance of the
> > > > Linux/SSH/login process, I tried changing the user's shell: "/bin/bash"
> > > > to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
> > > >
> > > > chroot /path/to/userhomedir /bin/bash
> > > >
> > > > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > > > advice and guidance from those of you who might have experience with
> > > > this before proceeding.
> > >
> > > Did you add '/bin/usr_login.sh' to /etc/shells?
> >
> > Oops hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
> > still getting the same error message as before:
> >
> > chroot: cannot change root directory to /home/userdir: Operation not permitted
>
> I'm not sure what they should be, but this looks like a permissions
> problem. Try adding global execute permissions to '/home/userdir'.
> This might or might not be a security hole. I don't see anything
> obvious.

I think Frank's and Alan's responses (pasted below) are correct (I had a feeling this was the problem).

Only root can do a chroot. So best thing to do would be to dig into the code and add a chroot() call just before the setuid ...

chroot has to be run as root (i.e. before a process drops privileges). You can't run it as a user. So the shell actually runs as a process owned by the user...

Of course, what a dummy I am! So I need the SSHD process to do the chroot prior to authentication (and starting of the shell...). Hmm, any idea if that is possible without getting into OpenSSH's source code? I'm starting to think it might just be easier to switch to SSH2...

> You do understand that by chroot-ing a user, you need to put
> all the commands and libraries into the chroot-ed directory. (At least
> the commands that user will use).

Yes, this is in fact exactly what I want.

> > In addition these are the corresponding lines from my /var/log/messages:
> >
> > Aug 3 12:16:22 server1 sshd[1770]: Accepted password for user1 from
> > xxx.xxx.xxx.xxx port 49155 ssh2
> > Aug 3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session opened for user
> > user1 by (uid=0)
> > Aug 3 12:16:22 server1 sshd[1770]: fatal: session_input_channel_req:
> > channel 0: no session
> > Aug 3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session closed for user user1
Re: chroot and OpenSSH
> > > chroot /path/to/userhomedir /bin/bash
> chroot: cannot change root directory to /home/userdir: Operation not permitted

Only root can do a chroot. So best thing to do would be to dig into the code and add a chroot() call just before the setuid ...

Frank
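The point Frank makes here, and that Alan repeats in eirik's follow-up (chroot() only works while the process is still root, so it has to happen just before the daemon drops to the user's uid), shown as an added C example that is not code from this thread or from OpenSSH: a minimal launcher that confines itself in the order a privileged daemon must use, and checks that root cannot be regained before it execs the shell. The function name enter_jail, the jail path /home/userdir and the uid/gid 1001 are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `root` and become uid/gid.
 * Returns 0 on success, -1 with errno set on failure.  It must be
 * entered as root: chroot(2) needs CAP_SYS_CHROOT, which is exactly
 * why a login script running as the user gets "Operation not permitted". */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {     /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    if (chroot(root) == -1)         /* 1. change root while still privileged */
        return -1;
    if (chdir("/") == -1)           /* 2. move cwd inside; a cwd left outside defeats the jail */
        return -1;
    if (setgroups(0, NULL) == -1)   /* 3. shed supplementary groups, then gid, then uid */
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0) {           /* 4. prove the drop is permanent */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Hypothetical jail and account; run as root to see it succeed. */
    if (enter_jail("/home/userdir", 1001, 1001) == -1) {
        perror("enter_jail");
        return 1;
    }
    /* bash and its shared libraries must already exist inside the jail. */
    execl("/bin/bash", "-bash", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run as an unprivileged user it fails at step 1 with the same EPERM the thread reports, which is the behaviour the example is meant to make visible.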
Re: chroot and OpenSSH
> Thanks for taking the time to answer my somewhat clueless questions.

np ;) and let us know if it works ...

Frank
Re: chroot and OpenSSH
> I don't have much experience with chroot, but I want to set up an SSH
> access for a user and restrict them to their home directory.
>
> I've done a little research and found out that the commercial SSH2
> provides "ChRootUsers" and "ChRootGroups" configuration directives.
> While I suppose that I could install SSH2 because their licensing allows
> for free use with the Linux OS, I would rather stick with OpenSSH, which
> is what I'm using now.
>
> According to the O'Reilly SSH book SSH2 is the only implementation of
> SSH with those directives built in. I decided to poke around on the
> OpenSSH mailing lists to see if there was any discussion of adding a
> similar feature to OpenSSH and it looks like there is/was an unofficial
> patch in the CVS but it was never incorporated into the official OpenSSH
> distro and subsequently not in the Linux port of OpenSSH. And I
> certainly don't know enough to try to port the patch myself.
>
> Then I tried the following which probably indicates my ignorance of the
> Linux/SSH/login process, I tried changing the user's shell: "/bin/bash"
> to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
>
> chroot /path/to/userhomedir /bin/bash
>
> This fails, and I'm pretty sure that I know why, but I wanted to seek
> advice and guidance from those of you who might have experience with
> this before proceeding.

Did you add '/bin/usr_login.sh' to /etc/shells?

> Thanks in advance,
>
> eirik

--
Aaron Ghent.
You're not going crazy! You're going sane... In a crazy world! -- The Tick