Bug#586480: marked as done (openssh-server: chroot directive is not working when using FISH (File transfer of shell with midnight commander))

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 17 Jul 2010 20:04:46 +0200 (CEST)
with message-id <alpine.DEB.1.10.1007172003210.9287@eru.sfritsch.de>
and subject line Re: Bug#586480: openssh-server: chroot directive is not working when using FISH (File transfer of shell with midnight commander)
has caused the Debian Bug report #586480,
regarding openssh-server: chroot directive is not working when using FISH (File transfer of shell with midnight commander)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
586480: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586480
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: openssh-server: chroot directive is not working when using FISH (File transfer of shell with midnight commander)
• From: Andre Rodier <andre.rodier@gmail.com>
• Date: Sat, 19 Jun 2010 22:30:44 +0100
• Message-id: <20100619213044.4226.3545.reportbug@transfer.red2.co.uk>

Package: openssh-server
Version: 1:5.1p1-5
Severity: critical
Tags: security
Justification: root security hole

Hello,

I have successfully configured my ssh server to chroot users, by followinf the directives described here:
http://www.debian-administration.org/articles/590 ie. OpenSSH SFTP chroot() with ChrootDirectory

The chroot option seems to work well when I use the sftp command, ie I cannot see any directory at all.

However, if I use the fish protocol [1] included in midnight commander, I can see the full filesystem hierarchy,
and even transfer files from the etc folder, etc...

I don't know if it's a configuration problem on my side, but if there is an option do disallow fish
when using chroot, that need to be explicitly specified. Otherwise, debian users may relay
on a chrooted server that can be bypassed by a simple manipulation...


[1] http://en.wikipedia.org/wiki/Files_transferred_over_shell_protocol

Kind regards,
André Rodier.

Here my ssh config: See the end for chroot config

-----8<------------------------------------------------------------
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

UsePAM no
UseDNS no

#ChrootDirectory 
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
	AllowAgentForwarding no
        ForceCommand internal-sftp
-----8<------------------------------------------------------------

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  dpkg            1.14.29                  Debian package management system
ii  libc6           2.7-18lenny4             GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny4 MIT Kerberos runtime libraries
ii  libpam-modules  1.0.1-5+lenny1           Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-5+lenny1           Runtime support for the PAM librar
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libselinux1     2.0.65-5                 SELinux shared libraries
ii  libssl0.9.8     0.9.8g-15+lenny6         SSL shared libraries
ii  libwrap0        7.6.q-16                 Wietse Venema's TCP wrappers libra
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  openssh-blackli 0.4.1                    list of default blacklisted OpenSS
ii  openssh-client  1:5.1p1-5                secure shell client, an rlogin/rsh
ii  procps          1:3.2.7-11               /proc file system utilities
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

Versions of packages openssh-server recommends:
pn  openssh-blacklist-extra       <none>     (no description available)
pn  xauth                         <none>     (no description available)

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false

--- End Message ---

--- Begin Message ---

• To: Andre Rodier <andre.rodier@gmail.com>
• Cc: 586480-done@bugs.debian.org
• Subject: Re: Bug#586480: openssh-server: chroot directive is not working when using FISH (File transfer of shell with midnight commander)
• From: Stefan Fritsch <sf@sfritsch.de>
• Date: Sat, 17 Jul 2010 20:04:46 +0200 (CEST)
• Message-id: <alpine.DEB.1.10.1007172003210.9287@eru.sfritsch.de>
• In-reply-to: <4C1DCE88.3020605@gmail.com>
• References: <20100619213044.4226.3545.reportbug@transfer.red2.co.uk> <201006200932.08288.sf@sfritsch.de> <4C1DCE88.3020605@gmail.com>

On Sun, 20 Jun 2010, Andre Rodier wrote:

This morning, I am sorry, I cannot reproduce the bug anymore, but I am pretty sure to have used the same account yesterday.

I am closing this bug. Feel free to re-open it if you can reproduce the problem.

Cheers,
Stefan

--- End Message ---