Re: chroot and OpenSSH
> Aaron Ghent wrote:
> > > I don't have much experience with chroot, but I want to set up an SSH
> > > access for a user and restrict them to their home directory.
> > >
> > > I've done a little research and found out that the commercial SSH2
> > > provides "ChRootUsers" and "ChRootGroups" configuration directives.
> > > While I suppose that I could install SSH2 because their licensing allows
> > > for free use with the Linux OS, I would rather stick with OpenSSH, which
> > > is what I'm using now.
> > >
> > > According to the O'Reilly SSH book SSH2 is the only implementation of
> > > SSH with those directives built in. I decided to poke around on the
> > > OpenSSH mailing lists to see if there was any discussion of adding a
> > > similar feature to OpenSSH and it looks like there is/was an unofficial
> > > patch in the CVS but it was never incorporated into the official OpenSSH
> > > distro and subsequently not in the Linux port of OpenSSH. And I
> > > certainly don't know enough to try to port the patch myself.
> > >
> > > Then I tried the following which probably indicates my ignorance of the
> > > Linux/SSH/login process, I tried changing the user's shell: "/bin/bash"
> > > to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
> > >
> > > chroot /path/to/userhomedir /bin/bash
> > >
> > > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > > advice and guidance from those of you who might have experience with
> > > this before proceeding.
> > Did you add '/bin/usr_login.sh' to /etc/shells?
> Oops, hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
> still getting the same error message as before:
> chroot: cannot change root directory to /home/userdir: Operation not permitted
I'm not sure what they should be, but this looks like a permissions
problem. Try adding global execute permissions to '/home/userdir'.
This might or might not be a security hole. I don't see anything
You do understand that by chroot-ing a user, you need to put
all the commands and libraries into the chroot-ed directory. (At least
the commands that user will use).
> In addition these are the corresponding lines from my /var/log/messages:
> Aug 3 12:16:22 server1 sshd: Accepted password for user1 from
> xxx.xxx.xxx.xxx port 49155 ssh2
> Aug 3 12:16:22 server1 PAM_pwdb: (sshd) session opened for user
> user1 by (uid=0)
> Aug 3 12:16:22 server1 sshd: fatal: session_input_channel_req:
> channel 0: no session
> Aug 3 12:16:22 server1 PAM_pwdb: (sshd) session closed for user user1
> Thanks for the response. Nice sig.
> > > Thanks in advance,
> > >
> > > eirik
You're not going crazy!
You're going sane...
In a crazy world!
-- The Tick
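As an added example (not code from the original thread or from OpenSSH), the script below covers the two things the exchange above runs into: chroot(2) can only be called by root, so a login shell script running as the user gets "Operation not permitted" no matter how the directory is chmod'ed; and once the chroot is in place, the shell and every shared library it links against have to exist inside the jail. The jail layout (/dev, /tmp, /home), the function names and the use of `ldd` to find dependencies are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: preconditions and a minimal
# skeleton for a chroot'ed login shell. Paths and layout are constructed
# for the demonstration.
set -eu

# chroot(2) requires root (CAP_SYS_CHROOT). A login script such as
# usr_login.sh runs as the unprivileged user, so "chroot DIR /bin/bash"
# inside it fails with "Operation not permitted" regardless of directory
# permissions. Returns 0 only when the caller is root.
can_chroot() {
    [ "$(id -u)" -eq 0 ]
}

# Print the absolute paths of the shared objects a dynamic binary needs,
# one per line. A static binary, or a system without ldd, yields nothing.
shared_deps() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' || true
}

# Copy one file into the jail, keeping its absolute path relative to the
# jail root (so /lib/x/libc.so.6 lands at JAIL/lib/x/libc.so.6).
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Populate JAIL with each binary named on the command line plus every
# library it links against, so the chroot'ed shell can actually start.
# Prints the number of files copied.
populate_jail() {
    jail=$1; shift
    count=0
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin"
        count=$((count + 1))
        for lib in $(shared_deps "$bin"); do
            [ -e "$jail$lib" ] && continue   # shared by an earlier binary
            copy_into_jail "$jail" "$lib"
            count=$((count + 1))
        done
    done
    # Minimal directories a login shell expects; the jail root itself
    # should stay root-owned and not writable by the confined user.
    mkdir -p "$jail/dev" "$jail/tmp" "$jail/home"
    echo "$count"
}

# Usage (as root): populate_jail /home/userdir /bin/bash /bin/ls
# then:            chroot /home/userdir /bin/bash
```

Running `populate_jail` as an ordinary user still works for building the tree; only the final `chroot` call needs root, which is why `can_chroot` is kept separate so a wrapper can refuse early with a clear message instead of the bare kernel error.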