ssh with libpam_chroot
Hello!
Starting with sarge, I have set up a server for a number of users (>300)
who are able to log in via ssh, each in his own change-rooted home
directory. This setup has been recommended in "Anleitung zum Absichern
von Debian".
Therefore, I am using libpam_chroot. A single changeroot directory is used as
a "master changeroot directory" and all (system) files in each user's
change-root environment, excluding the user's own data, are hard links to the
files in this “master environment”.
The change-root environment has a static /dev directory and it is not
necessary to mount any additional file-system.
With this configuration, the update to etch made no problem.
If I investigated correctly, 2 huge changes are necessary to make the
changeroot work:
1) The /proc file system must be mounted into every changed directory.
Otherwise, ssh-logins are interrupted with the message:
Connection reset by peer
Connection to 10.7.19.173 closed.
2) The same must be done with /dev/pts.
Otherwise, the ssh-login freezes after the authentication with the
message “PTY allocation request failed on channel 0”.
Doing this would lead to mounting /proc and /dev/pts into every single one of
the 300 chroot-environments for my users.
Is this intended, is it a bug or is it no longer recommended to use a
changeroot environment for each user?
Regards
Matthias Faulstich
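
Added example, not part of the original message: a shell helper that lists which /proc and /dev/pts fstab entries are still missing across many per-user chroots, without mounting anything. It assumes the chroots are the direct subdirectories of a base directory and that paths contain no spaces; the function names and the gid=5,mode=620 devpts options (the usual Debian values) are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example: report the fstab entries still needed so that every
# per-user chroot has /proc and /dev/pts mounted. Nothing is mounted here.
# Assumptions: chroots are the direct subdirectories of BASE, and
# MOUNTS_FILE is in /proc/mounts format (defaults to /proc/mounts).

# is_mounted MOUNTPOINT MOUNTS_FILE -> exit 0 if MOUNTPOINT is listed
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$2"
}

# missing_chroot_mounts BASE [MOUNTS_FILE] -> fstab lines on stdout
missing_chroot_mounts() {
    base=${1%/}
    mounts=${2:-/proc/mounts}
    for root in "$base"/*/; do
        [ -d "$root" ] || continue        # BASE holds no chroots
        root=${root%/}
        if ! is_mounted "$root/proc" "$mounts"; then
            printf 'proc %s proc defaults 0 0\n' "$root/proc"
        fi
        if ! is_mounted "$root/dev/pts" "$mounts"; then
            # gid=5,mode=620: assumed Debian defaults (group tty)
            printf 'devpts %s devpts gid=5,mode=620 0 0\n' "$root/dev/pts"
        fi
    done
}
```

Call it as `missing_chroot_mounts /path/to/chroots` and review the output before appending it to /etc/fstab.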