Re: chroot and OpenSSH

Aaron Ghent wrote:
> > I don't have much experience with chroot, but I want to set up an SSH
> > access for a user and restrict them to their home directory.
> >
> > I've done a little research and found out that the commercial SSH2
> > provides "ChRootUsers" and "ChRootGroups" configuration directives.
> > While I suppose that I could install SSH2 because their licensing allows
> > for free use with the Linux OS, I would rather stick with OpenSSH, which
> > is what I'm using now.
> >
> > According to the O'Reilly SSH book SSH2 is the only implementation of
> > SSH with those directives built in.  I decided to poke around on the
> > OpenSSH mailing lists to see if there was any discussion of adding a
> > similar feature to OpenSSH and it looks like there is/was an unofficial
> > patch in the CVS but it was never incorporated into the official OpenSSH
> > distro and subsequently not in the Linux port of OpenSSH.  And I
> > certainly don't know enough to try to port the patch myself.
> >
> > Then I tried the following which probably indicates my ignorance of the
> > Linux/SSH/login process, I tried changing  the user's shell: "/bin/bash"
> > to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
> >
> > chroot /path/to/userhomedir /bin/bash
> >
> > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > advice and guidance from those of you who might have experience with
> > this before proceeding.
> Did you add '/bin/usr_login.sh' to /etc/shells?

Oops hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
still getting the same error message as before:

chroot: cannot change root directory to /home/userdir: Operation not permitted

In addition these are the corresponding lines from my /var/log/messages:

Aug  3 12:16:22 server1 sshd[1770]: Accepted password for user1 from xxx.xxx.xxx.xxx port 49155 ssh2
Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session opened for user user1 by (uid=0)
Aug  3 12:16:22 server1 sshd[1770]: fatal: session_input_channel_req: channel 0: no session
Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session closed for user user1

Thanks for the response.  Nice sig.

> > Thanks in advance,
> >
> > eirik
> --
> Aaron Ghent.
> You're not going crazy!
> You're going sane...
> In a crazy world!
>                  -- The Tick