Help - Search - Members - Calendar
Full Version: PAM Problems
linux-noob.com/forums > Linux Server Administration > Remote Access
xDamox
Mar 25 2005, 06:10 PM
Hi,

I was wanting to setup SSH so that users SSHing into my machine would be in a chroot. well
I notice PAM supports this feature so heres what I did:

first I added a user to the machine called test I issued the following command:

CODE
system-config-users


Once I added my user I when to the /etc/security/chroot.conf and added the following:

CODE
test /home/test


Once that was done I when to /etc/pam.d and edited the SSHD file and added the following:

CODE
session    required      pam_chroot.so


Now that I did that I edited sshd_config to use pam and also set UsePrivilegeSeparation value
to no. now that was done I did:

CODE
service sshd restart


and when I did ssh -l test localhost I logged into test and was able to cd /

the security logs show the following info:

CODE
Mar 25 15:56:07 localhost sshd[6432]: Failed gssapi-with-mic for test from ::ffff:127.0.0.1 port 33182 ssh2
Mar 25 15:56:07 localhost sshd[6432]: Failed gssapi-with-mic for test from ::ffff:127.0.0.1 port 33182 ssh2
Mar 25 15:56:10 localhost sshd[6432]: Accepted password for test from ::ffff:127.0.0.1 port 33182 ssh2
Mar 25 15:56:10 localhost pam_chroot[6433]: /home/test is writable by non-root


any ideas?
znx
Mar 25 2005, 06:18 PM
non writable root.. did you... chown test:users /home/test ??
also you need to add bash into that root remember..
mkdir /home/test/bin
cp bash /home/test/bin
also the libs bash needs etc
ldd /bin/bash
then copy all the binaries+all the libs associated.. into the root ..
otherwise the user has nothing to use.. ?
znx
Mar 25 2005, 07:26 PM
Here is an example:

CODE
# cd /home/
# mkdir chroot
# cd chroot/
# mkdir bin lib
# cp /bin/bash bin/
# ldd /bin/bash
    libncurses.so.5 => /lib/libncurses.so.5 (0x40025000)
       libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x40062000)
       libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40065000)
       /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# cp /lib/libncurses.so.5 lib/
# mkdir lib/tls/i686/cmov -p
# cp /lib/ld-linux.so.2 lib/
# cp /lib/tls/i686/cmov/{libdl.so.2,libc.so.6} lib/
# cd
# chroot /home/chroot/ /bin/bash
bash-2.05b# ls
bash: ls: command not found
bash-2.05b# exit


You can see that no other executables are available.. so you need to copy those and their libraries.... but thats it.
znx
Mar 25 2005, 07:41 PM
Although this chats about Debian.. it looks real good...

debian chroot ssh howto
xDamox
Mar 25 2005, 08:48 PM
Did you manage to get this to work with SSH and the /etc/security/chroot.conf
znx
Mar 25 2005, 08:51 PM
OK..

After chattin with xDamox in #linux-noob. I discovered that maybe the problem wasn't quite as simple as I thought wink.gif

After setting up the minimal 'jail' from above step in here....

So here goes:

First off install ssh (must be the PAM enabled version)and you also need the libpam_chroot module.

Ok so they should be installed.

Then edit "/etc/pam.d/ssh".
CODE
# PAM config for ssh
auth       required     pam_nologin.so
auth       required     pam_env.so # [1]
@include common-auth
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]

# heres the chroot for ssh users '/etc/security/chroot.conf'
session required pam_chroot.so

@include common-password

#if you have this comment it out.. it cause problems (like instance logout;))
#session    required     pam_limits.so


Hopefully a pam 'head' can explain why the limit file gives difficulties... probably something simple.

Ok so now when ssh uses pam it should use the pam_chroot. Thats what we just setup. Now we need to tell ssh to actaully use it laugh.gif

Edit "/etc/ssh/sshd_config". I'm not going to put in the WHOLE sshd_config file here just the two lines that require to be set the ... represent the rest of the file.
CODE
#normally this is yes.. so switch to no
UsePrivilegeSeparation no

#normally this is yes...but check
UsePAM yes


Ok it should be stressed that you should NEVER run ssh with UsePriv.. set to no unless you plan on chroot'in. This basically gives ssh the ability to be root, this can lead to real dangers. We need it to run as root because we cannot chroot the user into the new chroot enviroment unless we are root.

Right.. so sshd is ready... Now to finish off the PAM setup.

Edit "/etc/security/chroot.conf"
CODE
znx /home/chroot


NOW we're ready.... Restart your ssh daemon to get the new config:
CODE
/etc/init.d/sshd restart


Well thats it. The ssh daemon will now force a user into the chroot 'jail' using PAM. Lets test...

CODE
# ssh -l znx localhost
Password: *******
Last login: Fri Mar 25 19:28:08 2005 from localhost.localdomain
-bash-2.05b$ ls
-bash: ls: command not found
-bash-2.05b$ logout
Connection to ubuntu closed.
#


Woot.. were there.. that's it.. now you can add the binaries/libraries that you wish to allow the user access to (mv cp ls, etc).

Be careful of course... no suid binaries should ever be installed these will basically give the change for your chroot 'jail' to be compromised.

You may think about renaming bash to rbash to be a little more aggressive in the restrictions of your shell.
hijinks
Mar 25 2005, 09:15 PM
follow this site..

http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/


it has a really nice script that will setup a chroot jail for a user
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2008 Invision Power Services, Inc.