Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
chrooting SSH on Fedora Core 3

First off install ssh (must be the PAM enabled version)and you also need the libpam_chroot module.

if you have install ssh by default on fedora this module is installed :)


Ok so they should be installed.


Then edit "/etc/pam.d/sshd".


auth       required service=system-auth
auth       required
account    required service=system-auth
password   required service=system-auth
session    required service=system-auth
session    required


if you do have in the sshd config file comment it out with a # or remove the line

Hopefully a pam 'head' can explain why the limit file gives difficulties... probably something simple.


Ok so now when ssh uses pam it should use the pam_chroot. Thats what we just setup. Now we need to tell ssh to actaully use it [img]<___base_url___>/uploads/emoticons/default_laugh.png[/img]


Edit "/etc/ssh/sshd_config". I'm not going to put in the WHOLE sshd_config file here just the two lines that require to be set the ... represent the rest of the file.


#normally this is yes.. so switch to no
UsePrivilegeSeparation no

#normally this is yes...but check
UsePAM yes


Ok it should be stressed that you should NEVER run ssh with UsePriv.. set to no unless you plan on chroot'in. This basically gives ssh the ability to be root, this can lead to real dangers. We need it to run as root because we cannot chroot the user into the new chroot enviroment unless we are root.


Right.. so sshd is ready... Now to finish off the PAM setup.


Edit "/etc/security/chroot.conf"


znx /home/chroot


NOW we're ready.... Restart your ssh daemon to get the new config:


/etc/init.d/sshd restart


Once you have got this far you will want to chown /home/znx to root:root


chown root.root /home/znx


The finally change the permission to 755


chmod 755 /home/znx


you will need to add the binarys and library files to the chroot as shown below:


# cd /home/
# mkdir chroot
# cd chroot/
# mkdir bin lib
# cp /bin/bash bin/
# ldd /bin/bash => /lib/ (0x40025000) => /lib/tls/i686/cmov/ (0x40062000) => /lib/tls/i686/cmov/ (0x40065000)
      /lib/ => /lib/ (0x40000000)
# cp /lib/ lib/
# mkdir lib/tls/i686/cmov -p
# cp /lib/ lib/
# cp /lib/tls/i686/cmov/{,} lib/
# cd
# chroot /home/chroot/ /bin/bash
bash-2.05b# ls
bash: ls: command not found
bash-2.05b# exit


Well thats it. The ssh daemon will now force a user into the chroot 'jail' using PAM. Lets test...


# ssh -l znx localhost
Password: *******
Last login: Fri Mar 25 19:28:08 2005 from localhost.localdomain
-bash-2.05b$ ls
-bash: ls: command not found
-bash-2.05b$ logout
Connection to ubuntu closed.


Jy provided a link to the following site with a script that will move the binarys and librarys to the chrooted dir:




This guide was produced by znx and edited by xDamox ;) many thanks to znx


Nice xdamox/znx cool tutorial



keep them coming






Note!!!!! VERY important note.


I just tried this walkthrough on RH9, Fedora Core 2, and Redhat Enterprise 4.


It doesnt work, and infact kills sshd. the "UsePam" feature doesnt exist in any of the versions i tried and therefor fails on restarting sshd.


What distro was this figured out for?

This works fine on Fedora core 3
Already verified that the version has support for pam.

Quote:Already verified that the version has support for pam.



and ?


Forum Jump:

Users browsing this thread: 1 Guest(s)