chrooting SSH on Fedora Core 3
#1

First off, install ssh (it must be the PAM-enabled version) and you also need the libpam_chroot module.

If you have installed ssh by default on Fedora this module is installed :)

Ok so they should be installed.

Then edit "/etc/pam.d/sshd":

Code:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
# pam_chroot.so performs the chroot at session start, using the
# user -> directory mapping in /etc/security/chroot.conf
session    required     pam_chroot.so

If you do have pam_limits.so in the sshd config file, comment it out with a # or remove the line.

Hopefully a PAM 'head' can explain why the limits file gives difficulties... probably something simple.

Ok so now when ssh uses PAM it should use pam_chroot. That's what we just set up. Now we need to tell ssh to actually use it :D

Edit "/etc/ssh/sshd_config". I'm not going to put in the WHOLE sshd_config file here, just the two lines that need to be set; the ... represent the rest of the file.

Code:
#normally this is yes.. so switch to no
UsePrivilegeSeparation no

#normally this is yes...but check
UsePAM yes

Ok, it should be stressed that you should NEVER run ssh with UsePrivilegeSeparation set to no unless you plan on chrooting. This basically gives ssh the ability to be root, which can lead to real dangers. We need it to run as root because we cannot chroot the user into the new chroot environment unless we are root.

Right.. so sshd is ready... Now to finish off the PAM setup.

Edit "/etc/security/chroot.conf":

Code:
znx /home/chroot

NOW we're ready.... Restart your ssh daemon to get the new config:

Code:
/etc/init.d/sshd restart

Once you have got this far you will want to chown /home/znx to root:root:

Code:
chown root.root /home/znx

Then finally change the permissions to 755:

Code:
chmod 755 /home/znx

You will need to add the binaries and library files to the chroot as shown below:

Code:
# cd /home/
# mkdir chroot
# cd chroot/
# mkdir bin lib
# cp /bin/bash bin/
# ldd /bin/bash
        libncurses.so.5 => /lib/libncurses.so.5 (0x40025000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x40062000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40065000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# cp /lib/libncurses.so.5 lib/
# mkdir lib/tls/i686/cmov -p
# cp /lib/ld-linux.so.2 lib/
# cp /lib/tls/i686/cmov/{libdl.so.2,libc.so.6} lib/
# cd
# chroot /home/chroot/ /bin/bash
bash-2.05b# ls
bash: ls: command not found
bash-2.05b# exit

Well, that's it. The ssh daemon will now force a user into the chroot 'jail' using PAM. Let's test...

Code:
# ssh -l znx localhost
Password: *******
Last login: Fri Mar 25 19:28:08 2005 from localhost.localdomain
-bash-2.05b$ ls
-bash: ls: command not found
-bash-2.05b$ logout
Connection to ubuntu closed.

Jy provided a link to the following site with a script that will move the binaries and libraries to the chrooted dir:

http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/

This guide was produced by znx and edited by xDamox ;) Many thanks to znx.
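The ldd / mkdir -p / cp sequence from the walkthrough, automated as an added POSIX shell example (this is not code from the thread or from the linked fuschlberger script): lib_paths extracts the absolute library paths from ldd output, and jail_add copies a binary plus those libraries into the jail, recreating each library's directory under it. SAMPLE_LDD is a constructed copy of the page's ldd listing used to exercise the parser offline; lib_paths, jail_add and sample_count are assumed names.

```shell
#!/bin/sh
# Constructed sample of ldd output (same libraries as the page's /bin/bash listing).
SAMPLE_LDD='libncurses.so.5 => /lib/libncurses.so.5 (0x40025000)
      libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x40062000)
      libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40065000)
      /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Read ldd output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" lines and bare "/path (addr)" loader lines;
# skips virtual entries such as "linux-gate.so.1 => (0x...)" and
# "statically linked", which have no file to copy.
lib_paths() {
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy binary $2 and every library ldd reports for it into the jail rooted
# at $1, keeping the original directory layout (this is the manual
# "mkdir lib/tls/i686/cmov -p" step from the page, done automatically).
# The jail root itself should already exist, owned by root and mode 755.
jail_add() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    ldd "$bin" | lib_paths | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# Number of library paths lib_paths finds in the constructed sample (4).
sample_count() {
    printf '%s\n' "$SAMPLE_LDD" | lib_paths | wc -l | tr -d ' '
}
```

Run it as root with, for example, `jail_add /home/chroot /bin/bash`; repeat for each extra command (such as /bin/ls) the jailed user should have.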

#2

Nice xDamox/znx, cool tutorial.

Keep them coming.

square
#3

Note!!!!! VERY important note.

I just tried this walkthrough on RH9, Fedora Core 2, and Red Hat Enterprise 4.

It doesn't work, and in fact kills sshd. The "UsePAM" feature doesn't exist in any of the versions I tried and therefore fails on restarting sshd.

What distro was this figured out for?
#4
This works fine on Fedora Core 3.
#5
Quote: Note!!!!!
#6
Already verified that the version has support for pam.
#7

Quote: Already verified that the version has support for pam.

And pam_limits.so?