Login

xDamox · 2005-03-25, 05:10 PM

Hi,

I was wanting to setup SSH so that users SSHing into my machine would be in a chroot. well

I notice PAM supports this feature so heres what I did:

first I added a user to the machine called test I issued the following command:

Code:
system-config-users

Once I added my user I when to the /etc/security/chroot.conf and added the following:

Code:
test /home/test

Once that was done I when to /etc/pam.d and edited the SSHD file and added the following:

Code:
session    required      pam_chroot.so

Now that I did that I edited sshd_config to use pam and also set UsePrivilegeSeparation value

to no. now that was done I did:

Code:
service sshd restart

and when I did ssh -l test localhost I logged into test and was able to cd /

the security logs show the following info:

Code:
Mar 25 15:56:07 localhost sshd[6432]: Failed gssapi-with-mic for test from ::ffff:127.0.0.1 port 33182 ssh2

Mar 25 15:56:07 localhost sshd[6432]: Failed gssapi-with-mic for test from ::ffff:127.0.0.1 port 33182 ssh2

Mar 25 15:56:10 localhost sshd[6432]: Accepted password for test from ::ffff:127.0.0.1 port 33182 ssh2

Mar 25 15:56:10 localhost pam_chroot[6433]: /home/test is writable by non-root

any ideas?

znx · 2005-03-25, 05:18 PM

non writable root.. did you... chown test:users /home/test ??

also you need to add bash into that root remember..

mkdir /home/test/bin

cp bash /home/test/bin

also the libs bash needs etc

ldd /bin/bash

then copy all the binaries+all the libs associated.. into the root ..

otherwise the user has nothing to use.. ?

znx · 2005-03-25, 06:26 PM

Here is an example:

Code:
# cd /home/

# mkdir chroot

# cd chroot/

# mkdir bin lib

# cp /bin/bash bin/

# ldd /bin/bash

libncurses.so.5 => /lib/libncurses.so.5 (0x40025000)

       libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x40062000)

       libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40065000)

       /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

# cp /lib/libncurses.so.5 lib/

# mkdir lib/tls/i686/cmov -p

# cp /lib/ld-linux.so.2 lib/

# cp /lib/tls/i686/cmov/{libdl.so.2,libc.so.6} lib/

# cd

# chroot /home/chroot/ /bin/bash

bash-2.05b# ls

bash: ls: command not found

bash-2.05b# exit

You can see that no other executables are available.. so you need to copy those and their libraries.... but thats it.

znx · 2005-03-25, 06:41 PM

Although this chats about Debian.. it looks real good...

debian chroot ssh howto

xDamox · 2005-03-25, 07:48 PM

Did you manage to get this to work with SSH and the /etc/security/chroot.conf

znx · 2005-03-25, 07:51 PM

OK..

After chattin with xDamox in #linux-noob. I discovered that maybe the problem wasn't quite as simple as I thought ;)

After setting up the minimal 'jail' from above step in here....

So here goes:

First off install ssh (must be the PAM enabled version)and you also need the libpam_chroot module.

Ok so they should be installed.

Then edit "/etc/pam.d/ssh".

Code:
# PAM config for ssh

auth       required     pam_nologin.so

auth       required     pam_env.so # [1]

@include common-auth

@include common-account

@include common-session

session    optional     pam_motd.so # [1]

session    optional     pam_mail.so standard noenv # [1]

# heres the chroot for ssh users '/etc/security/chroot.conf'

session required pam_chroot.so

@include common-password

#if you have this comment it out.. it cause problems (like instance logout;))

#session    required     pam_limits.so

Hopefully a pam 'head' can explain why the limit file gives difficulties... probably something simple.

Ok so now when ssh uses pam it should use the pam_chroot. Thats what we just setup. Now we need to tell ssh to actaully use it [img]<___base_url___>/uploads/emoticons/default_laugh.png[/img]

Edit "/etc/ssh/sshd_config". I'm not going to put in the WHOLE sshd_config file here just the two lines that require to be set the ... represent the rest of the file.

Code:
#normally this is yes.. so switch to no

UsePrivilegeSeparation no

#normally this is yes...but check

UsePAM yes

Ok it should be stressed that you should NEVER run ssh with UsePriv.. set to no unless you plan on chroot'in. This basically gives ssh the ability to be root, this can lead to real dangers. We need it to run as root because we cannot chroot the user into the new chroot enviroment unless we are root.

Right.. so sshd is ready... Now to finish off the PAM setup.

Edit "/etc/security/chroot.conf"

Code:
znx /home/chroot

NOW we're ready.... Restart your ssh daemon to get the new config:

Code:
/etc/init.d/sshd restart

Well thats it. The ssh daemon will now force a user into the chroot 'jail' using PAM. Lets test...

Code:
# ssh -l znx localhost

Password: *******

Last login: Fri Mar 25 19:28:08 2005 from localhost.localdomain

-bash-2.05b$ ls

-bash: ls: command not found

-bash-2.05b$ logout

Connection to ubuntu closed.

#

Woot.. were there.. that's it.. now you can add the binaries/libraries that you wish to allow the user access to (mv cp ls, etc).

Be careful of course... no suid binaries should ever be installed these will basically give the change for your chroot 'jail' to be compromised.

You may think about renaming bash to rbash to be a little more aggressive in the restrictions of your shell.

hijinks · 2005-03-25, 08:15 PM

follow this site..

[/url][url=http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/]http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/

it has a really nice script that will setup a chroot jail for a user

Login
Username/Email:
Password:	Lost Password?
	Remember me