Jump to content

chrooting SSH on Fedora Core 3


Recommended Posts

First off install ssh (must be the PAM enabled version)and you also need the libpam_chroot module.

if you have install ssh by default on fedora this module is installed :)

 

Ok so they should be installed.

 

Then edit "/etc/pam.d/sshd".

 

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_chroot.so

 

if you do have pam_limits.so in the sshd config file comment it out with a # or remove the line

Hopefully a pam 'head' can explain why the limit file gives difficulties... probably something simple.

 

Ok so now when ssh uses pam it should use the pam_chroot. Thats what we just setup. Now we need to tell ssh to actaully use it :lol:

 

Edit "/etc/ssh/sshd_config". I'm not going to put in the WHOLE sshd_config file here just the two lines that require to be set the ... represent the rest of the file.

 

#normally this is yes.. so switch to no
UsePrivilegeSeparation no

#normally this is yes...but check
UsePAM yes

 

Ok it should be stressed that you should NEVER run ssh with UsePriv.. set to no unless you plan on chroot'in. This basically gives ssh the ability to be root, this can lead to real dangers. We need it to run as root because we cannot chroot the user into the new chroot enviroment unless we are root.

 

Right.. so sshd is ready... Now to finish off the PAM setup.

 

Edit "/etc/security/chroot.conf"

 

znx /home/chroot

 

NOW we're ready.... Restart your ssh daemon to get the new config:

 

/etc/init.d/sshd restart

 

Once you have got this far you will want to chown /home/znx to root:root

 

chown root.root /home/znx

 

The finally change the permission to 755

 

chmod 755 /home/znx

 

you will need to add the binarys and library files to the chroot as shown below:

 

# cd /home/
# mkdir chroot
# cd chroot/
# mkdir bin lib
# cp /bin/bash bin/
# ldd /bin/bash
libncurses.so.5 => /lib/libncurses.so.5 (0x40025000)
      libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x40062000)
      libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40065000)
      /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# cp /lib/libncurses.so.5 lib/
# mkdir lib/tls/i686/cmov -p
# cp /lib/ld-linux.so.2 lib/
# cp /lib/tls/i686/cmov/{libdl.so.2,libc.so.6} lib/
# cd
# chroot /home/chroot/ /bin/bash
bash-2.05b# ls
bash: ls: command not found
bash-2.05b# exit

 

Well thats it. The ssh daemon will now force a user into the chroot 'jail' using PAM. Lets test...

 

# ssh -l znx localhost
Password: *******
Last login: Fri Mar 25 19:28:08 2005 from localhost.localdomain
-bash-2.05b$ ls
-bash: ls: command not found
-bash-2.05b$ logout
Connection to ubuntu closed.

 

Jy provided a link to the following site with a script that will move the binarys and librarys to the chrooted dir:

 

http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/

 

This guide was produced by znx and edited by xDamox ;) many thanks to znx

Link to post
Share on other sites

Note!!!!! VERY important note.

 

I just tried this walkthrough on RH9, Fedora Core 2, and Redhat Enterprise 4.

 

It doesnt work, and infact kills sshd. the "UsePam" feature doesnt exist in any of the versions i tried and therefor fails on restarting sshd.

 

What distro was this figured out for?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...