Re: chroot and OpenSSH
Aaron Ghent wrote:
> > I don't have much experience with chroot, but I want to set up an SSH
> > access for a user and restrict them to their home directory.
> > I've done a little research and found out that the commercial SSH2
> > provides "ChRootUsers" and "ChRootGroups" configuration directives.
> > While I suppose that I could install SSH2 because their licensing allows
> > for free use with the Linux OS, I would rather stick with OpenSSH, which
> > is what I'm using now.
> > According to the O'Reilly SSH book, SSH2 is the only implementation of
> > SSH with those directives built in. I decided to poke around on the
> > OpenSSH mailing lists to see if there was any discussion of adding a
> > similar feature to OpenSSH and it looks like there is/was an unofficial
> > patch in the CVS but it was never incorporated into the official OpenSSH
> > distro and subsequently not in the Linux port of OpenSSH. And I
> > certainly don't know enough to try to port the patch myself.
> > Then I tried the following, which probably indicates my ignorance of the
> > Linux/SSH/login process: I tried changing the user's shell from "/bin/bash"
> > to a shell script with usermod -s /bin/usr_login.sh, which contained one line:
> > chroot /path/to/userhomedir /bin/bash
> > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > advice and guidance from those of you who might have experience with
> > this before proceeding.
> Did you add '/bin/usr_login.sh' to /etc/shells?
Oops, hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
still getting the same error message as before:
chroot: cannot change root directory to /home/userdir: Operation not permitted
In addition, these are the corresponding lines from my /var/log/messages:
Aug 3 12:16:22 server1 sshd: Accepted password for user1 from xxx.xxx.xxx.xxx port 49155 ssh2
Aug 3 12:16:22 server1 PAM_pwdb: (sshd) session opened for user user1 by (uid=0)
Aug 3 12:16:22 server1 sshd: fatal: session_input_channel_req: channel 0: no session
Aug 3 12:16:22 server1 PAM_pwdb: (sshd) session closed for user user1
Thanks for the response. Nice sig.
> > Thanks in advance,
> > eirik
> Aaron Ghent.
> You're not going crazy!
> You're going sane...
> In a crazy world!
> -- The Tick
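Added example, not code from this thread: chroot(2) is a privileged call, so a login script running as the user gets "Operation not permitted". The usual workaround of the time is a small setuid-root wrapper that enters the jail and then permanently drops to the user's uid before exec'ing the shell. The program name (chroot_shell) and install path are assumptions; the jail must contain /bin/bash and its libraries.

```c
/* chroot_shell.c: setuid-root login shell that jails the SSH user in its home
   directory. Assumed install: /usr/local/bin/chroot_shell, root:root, mode 4755,
   listed in /etc/shells and set with usermod -s. Hypothetical example. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Only absolute paths without ".." are accepted as a jail root, so a crafted
   home directory entry cannot steer the root-privileged chroot elsewhere. */
int jail_path_ok(const char *path) {
    if (path == NULL || path[0] != '/') return 0;
    if (strstr(path, "/../") != NULL) return 0;
    size_t n = strlen(path);
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0) return 0;
    return 1;
}

/* Enter the jail while still root, then drop privileges for good.
   Returns 0 on success, -1 with errno set on any failure. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (!jail_path_ok(jail)) { errno = EINVAL; return -1; }
    if (chroot(jail) != 0) return -1;      /* EPERM here is the error from the thread */
    if (chdir("/") != 0) return -1;        /* cwd would otherwise still be outside the jail */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;       /* as root this sets real, effective and saved uid */
    if (setuid(0) == 0) { errno = EPERM; return -1; }  /* must never be able to regain root */
    return 0;
}

int main(void) {
    uid_t uid = getuid();                  /* real uid: the SSH user, not the setuid euid */
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) { perror("getpwuid"); return 1; }
    if (enter_jail(pw->pw_dir, pw->pw_uid, pw->pw_gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    execl("/bin/bash", "bash", "--login", (char *)NULL);
    perror("execl");                       /* only reached if the jail lacks /bin/bash */
    return 1;
}
```

Note that a chroot is a containment aid, not a security boundary: anything the jailed user can run as root inside it can break out, so the jail should hold only the shell and the few binaries the user needs.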