
Re: chroot and OpenSSH



> Aaron Ghent wrote:
> > 
> > > I don't have much experience with chroot, but I want to set up an SSH
> > > access for a user and restrict them to their home directory.
> > >
> > > I've done a little research and found out that the commercial SSH2
> > > provides "ChRootUsers" and "ChRootGroups" configuration directives.
> > > While I suppose that I could install SSH2 because their licensing allows
> > > for free use with the Linux OS, I would rather stick with OpenSSH, which
> > > is what I'm using now.
> > >
> > > According to the O'Reilly SSH book SSH2 is the only implementation of
> > > SSH with those directives built in.  I decided to poke around on the
> > > OpenSSH mailing lists to see if there was any discussion of adding a
> > > similar feature to OpenSSH and it looks like there is/was an unofficial
> > > patch in the CVS but it was never incorporated into the official OpenSSH
> > > distro and subsequently not in the Linux port of OpenSSH.  And I
> > > certainly don't know enough to try to port the patch myself.
> > >
> > > Then I tried the following which probably indicates my ignorance of the
> > > Linux/SSH/login process, I tried changing the user's shell: "/bin/bash"
> > > to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
> > >
> > > chroot /path/to/userhomedir /bin/bash
> > >
> > > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > > advice and guidance from those of you who might have experience with
> > > this before proceeding.
> > 
> > Did you add '/bin/usr_login.sh' to /etc/shells?
> 
> Oops hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
> still getting the same error message as before:
> 
> chroot: cannot change root directory to /home/userdir: Operation not permitted

I'm not sure what they should be, but this looks like a permissions
problem.  Try adding global execute permissions to '/home/userdir'.
This might or might not be a security hole.  I don't see anything
obvious.  

You do understand that by chroot-ing a user, you need to put
all the commands and libraries into the chroot-ed directory.  (At least
the commands that user will use).

> In addition these are the corresponding lines from my /var/log/messages:
> 
> Aug  3 12:16:22 server1 sshd[1770]: Accepted password for user1 from
> xxx.xxx.xxx.xxx port 49155 ssh2
> Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session opened for user
> user1 by (uid=0)
> Aug  3 12:16:22 server1 sshd[1770]: fatal: session_input_channel_req:
> channel 0: no session
> Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session closed for user user1
> 
> Thanks for the response.  Nice sig.

Thank you. 

> > > Thanks in advance,
> > >
> > > eirik

-- 
Aaron Ghent.

You're not going crazy!  
You're going sane... 
In a crazy world!
                 -- The Tick
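Added example, not code from either poster: a small C program that shows what chroot(2) actually needs and the order in which a confinement wrapper has to do things. chroot(2) itself tells the three cases apart through errno: ENOENT when the directory is missing, EACCES when the caller has no search permission on the path, and EPERM when the caller is not root (it lacks CAP_SYS_CHROOT). A login shell already runs as the user, so it can only ever get EPERM from chroot; the call has to be made while still root, and the shell inside the new root must exist there together with its libraries, as the reply says. The program is a hypothetical wrapper: started as root with a directory, uid and gid on the command line, it chroots, chdirs to the new root, drops privileges (supplementary groups, gid, uid, then checks the drop cannot be undone) and execs /bin/bash from inside the chroot. The directory, uid, gid and shell path are the caller's assumptions.

```c
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Attempt chroot(2) on dir; return 0 on success or the errno it failed with. */
int try_chroot(const char *dir)
{
    if (chroot(dir) != 0)
        return errno;
    return 0;
}

/* Map the usual chroot(2) failures onto the thing worth checking for each. */
const char *chroot_diagnosis(int err)
{
    switch (err) {
    case 0:       return "ok";
    case ENOENT:  return "directory does not exist";
    case ENOTDIR: return "path is not a directory";
    case EACCES:  return "caller lacks search (x) permission on the path";
    case EPERM:   return "caller is not root (needs CAP_SYS_CHROOT)";
    default:      return strerror(err);
    }
}

/* Give up root: supplementary groups first, then gid, then uid.
 * Returns 0 on success or the errno of the step that failed.
 * Only root may call setgroups(), so it is skipped when not root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return errno;
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;
    /* Verify the drop took effect on real and effective ids. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return EPERM;
    /* If we can still become root, the drop was incomplete: refuse. */
    if (uid != 0 && setuid(0) == 0)
        return EPERM;
    return 0;
}

/* Order that works when started as root: chroot, chdir("/") so the cwd is
 * inside the new root, drop privileges, then exec the confined shell.
 * shell is resolved inside the chroot, so it must have been copied there
 * together with the shared libraries it needs. */
int confine_and_exec(const char *dir, uid_t uid, gid_t gid, const char *shell)
{
    int err = try_chroot(dir);
    if (err) {
        fprintf(stderr, "chroot(%s): %s\n", dir, chroot_diagnosis(err));
        return err;
    }
    if (chdir("/") != 0) {
        err = errno;
        perror("chdir");
        return err;
    }
    err = drop_privileges(uid, gid);
    if (err) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(err));
        return err;
    }
    execl(shell, shell, (char *)NULL);
    err = errno;          /* only reached if exec failed */
    perror("execl");
    return err;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <chroot-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    /* Hypothetical shell path; it must exist inside <chroot-dir>. */
    return confine_and_exec(argv[1], uid, gid, "/bin/bash") ? 1 : 0;
}
```

Run as an unprivileged user, the wrapper prints the EPERM diagnosis for any existing, searchable directory, which is the same "Operation not permitted" the thread shows; adding execute permission on the directory changes an EACCES into an EPERM but does not remove the root requirement.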
