
ssh with libpam_chroot



Hello!

Starting with sarge, I have set up a server for a number of users (>300) 
who are able to log in via ssh, everyone in his own changerooted home 
directory.  Setting it up this way was recommended in "Anleitung zum Absichern 
von Debian".

Therefore, I am using libpam_chroot. A single changeroot directory is used as 
a "master changeroot directory" and all (system) files in each user's 
change-root environment, excluding the user's own data, are hard links to the 
files in this “master environment”.
The change-root environment has a static /dev directory and it is not 
necessary to mount any additional file system. 
With this configuration, the update to etch caused no problems. 

If I have investigated correctly, two major changes are necessary to make the 
changeroot work:

1) The /proc file system must be mounted into every changed directory. 
Otherwise, ssh logins are interrupted with the message:
Connection reset by peer
Connection to 10.7.19.173 closed.

2) The same must be done with /dev/pts. 
Otherwise, the ssh login freezes after the authentication with the 
message “PTY allocation request failed on channel 0”.

Doing this would lead to mounting /proc and /dev/pts into every single one of 
the 300 chroot-environments for my users. 

Is this intended, is it a bug, or is it no longer recommended to use a 
changeroot environment for each user?

Regards
Matthias Faulstich
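
An added example, not part of the original message: a shell check that reads a mount table in /proc/mounts format and lists the chroots that lack the /proc or /dev/pts mount described above. The /srv/chroot/... paths and the sample table are constructed, and passing the chroot paths as arguments is an assumption.

```shell
#!/bin/sh
# Added example: report which per-user chroots lack the /proc and /dev/pts
# mounts that the post says ssh logins need.
# Assumptions (not from the post): chroot paths are given as arguments and
# the mount table uses the /proc/mounts column layout
# (device mountpoint fstype options dump pass).

# has_mount TABLE MOUNTPOINT FSTYPE -> exit status 0 if TABLE lists the mount
has_mount() {
    awk -v mp="$2" -v fs="$3" \
        '$2 == mp && $3 == fs { found = 1 } END { exit !found }' "$1"
}

# audit_chroots TABLE CHROOT... -> one output line per incomplete chroot
audit_chroots() {
    table=$1; shift
    for root in "$@"; do
        root=${root%/}                      # normalise a trailing slash
        missing=""
        has_mount "$table" "$root/proc" proc || missing="$missing proc"
        has_mount "$table" "$root/dev/pts" devpts || missing="$missing devpts"
        if [ -n "$missing" ]; then
            echo "$root: missing$missing"
        fi
    done
    return 0
}

# Constructed sample mount table: alice is complete, bob lacks devpts,
# carol has neither mount.
sample_table() {
    cat <<'EOF'
proc /proc proc rw 0 0
devpts /dev/pts devpts rw 0 0
proc /srv/chroot/alice/proc proc rw 0 0
devpts /srv/chroot/alice/dev/pts devpts rw 0 0
proc /srv/chroot/bob/proc proc rw 0 0
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_table > "$tmp"
    audit_chroots "$tmp" /srv/chroot/alice /srv/chroot/bob /srv/chroot/carol/
    rm -f "$tmp"
}

demo
```

On a live host the same function can be pointed at the real table, for example `audit_chroots /proc/mounts` followed by the chroot directories.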

