Chrooted SSH HowTo question???


ctroyp
19th January 2006, 17:12
This looks like the perfect "how to" for what I am needing to do. What a present Falko! Thanks!

Before using the "how to" I wanted to make sure that there would not be any conflicts with my current setup. I am setup with "The Perfect Setup--Debian Sarge" w/ISPConfig.

Do you know of any potential issues I may run into?

falko
19th January 2006, 20:56
Make sure that you chroot your users to the right directory.

ctroyp
19th January 2006, 20:58
Make sure that you chroot your users to the right directory.
Sounds good. I think this is going to help me a lot...thanks!

ctroyp
28th January 2006, 16:59
falko,
I want to create specific users to access the respective web files. I have a website that a couple of users need to access via SSH (/home/www/web5). Using the Chrooted SSH howto, it stated that the users would be jailed in /home/chroot. I don't want to provide them access to any other directories other than /home/www/web5. I am a little confused how to do this. Can you give me a little more guidance?

Thanks for any help...still a growing Linux newbie. :rolleyes:

falko
29th January 2006, 01:04
Instead of /home/chroot you can use /home/www.

ctroyp
11th February 2006, 22:34
falko, disregard the email I sent you today on the error I was getting. I fixed that.

I now have the users jailed as needed. Nice howto by the way.

The only problem is that once the user logs in, they do go to the appropriate directory (/home/www/webx/web/), but while testing it, I was able to "cd /" and go to the /home/www/webx directory and I want to keep them at a level no lower than the web directory.

I have the bin, dev, etc, lib, and usr directories stored in /home/www/webx.

Here is what the user looks like in both passwd files (main and chroot):
testuser:x:10020:100:testuser:/home/www/webx/./web:/bin/bash

Did I overlook something?

Also, I am not able to use WinSCP3 to login with the user. Have you tried using WinSCP with any success? I believe they have a bug within the application???

falko
12th February 2006, 10:23
I have the bin, dev, etc, lib, and usr directories stored in /home/www/webx.
This means that /home/www/webx is the user's root directory. So by typing cd / he should go to /home/www/webx.


Also, I am not able to use WinSCP3 to login with the user. Have you tried using WinSCP with any success? I believe they have a bug within the application???
I'm not quite sure if I tested this, but I think so (maybe I should write a protocol about the things I do... :D ).
Did you try WinSCP in SCP or SFTP mode?

ctroyp
12th February 2006, 22:50
This means that /home/www/webx is the user's root directory. So by typing cd / he should go to /home/www/webx.

Okay, I just didn't want them to see those files...

I'm not quite sure if I tested this, but I think so (maybe I should write a protocol about the things I do... :D ).
Did you try WinSCP in SCP or SFTP mode?

I tried each mode without success. I looked on their site and it seems there is an issue with openssh, but I need to look further. The strange thing is that I can login using WinSCP fine under root. Oh well, I'll figure it out soon enough. Thanks!

savkar
13th February 2006, 13:25
Not sure why SFTP doesn't work. SCP does. I then try both protocols with a non-chroot user and both work.

Falko, is there any reason for this? Does the patch only patch the ssh/scp protocols, but not otherwise help with SFTP?

Also, separately, would there be anyway to set up SSH with the chroot functionality but with username/password support and quota support all via a mysql database. That is, basically permit virtual users?

I am curious because I'd love to integrate this with the rest of the virtual user stuff for my postfix/virtual user setup.

I see you can do something like this using proftpd, but just would love to have the same functionality for ssh...

Sunil

falko
13th February 2006, 17:06
I've never heard of virtual SSH users... I don't think this is possible...

savkar
13th February 2006, 18:17
Too bad. Would be nice, but admittedly more icing on the cake. Could always get to what I wanted with proFTPd if I really wanted it.

Still baffled about sftp not working with the patch. I will try to look at the sources - must be a comment about this someplace.

Sunil

zaqavis
3rd August 2006, 10:17
How do I configure the SCP protocol in Linux?

Regards
Qavi

falko
4th August 2006, 13:04
You only need a running SSH daemon on your server. Then you can connect to your server with WinSCP on the SSH port (usually 22).

Soap_Dude
8th August 2006, 05:26
Hi, I get the error below when I try to log in.

/bin/bash: No such file or directory

I can ssh using all but my CHROOTed users.

------------
kernel v2.86

falko
9th August 2006, 15:33
Make sure that you copied /bin/bash to the users' chroot jails.

Soap_Dude
9th August 2006, 21:40
Hi,

Make sure that you copied /bin/bash to the users' chroot jails.

Everything's there. I get an error no matter what shell I try to use.

I wonder what the correct path to my /home/jail/bin/bash is.

I have
mike:x:1004:1004:mike:/home/jail/./home/mike:/bin/bash
in /etc/passwd and /home/jail/etc/passwd.

Apparently, modifying the /home/jail/etc/passwd file does nothing.

falko
10th August 2006, 18:24
What's the output of ls -la /home/jail/bin?

Soap_Dude
12th August 2006, 09:51
Below's the complete list.


total 2784
drwxr-xr-x 2 root root 4096 2006-08-07 20:02 .
drwxr-xr-x 8 root jail 4096 2006-08-06 02:10 ..
-rwxr-xr-x 1 root root 664084 2006-08-07 19:46 bash
-rwxr-xr-x 1 root root 24728 2006-08-07 19:46 bunzip2
-rwxr-xr-x 1 root root 24728 2006-08-07 19:46 bzcat
-rwxr-xr-x 1 root root 2105 2006-08-07 19:46 bzcmp
-rwxr-xr-x 1 root root 2105 2006-08-07 19:46 bzdiff
-rwxr-xr-x 1 root root 4878 2006-08-07 19:46 bzexe
-rwxr-xr-x 1 root root 24728 2006-08-07 19:46 bzip2
-rwxr-xr-x 1 root root 8140 2006-08-07 19:46 bzip2recover
-rwxr-xr-x 1 root root 1297 2006-08-07 19:46 bzless
-rwxr-xr-x 1 root root 1297 2006-08-07 19:46 bzmore
-rwxr-xr-x 1 root root 32268 2006-08-07 19:46 chgrp
-rwxr-xr-x 1 root root 29480 2006-08-07 19:46 chmod
-rwxr-xr-x 1 root root 34592 2006-08-07 19:46 chown
-rwxr-xr-x 1 root root 55340 2006-08-07 19:46 cp
-rwxr-xr-x 1 root root 76520 2006-08-07 19:46 dir
-rwxr-xr-x 1 root root 14340 2006-08-07 19:46 echo
-rwxr-xr-x 1 root root 11480 2006-08-07 20:02 false
-rwxr-xr-x 1 root root 5248 2006-08-07 19:46 fgconsole
-rwxr-xr-x 1 root root 51840 2006-08-07 19:46 gunzip
-rwxr-xr-x 1 root root 4870 2006-08-07 19:46 gzexe
-rwxr-xr-x 1 root root 51840 2006-08-07 19:46 gzip
-rwxr-xr-x 1 root root 76520 2006-08-07 19:46 ls
-rwxr-xr-x 1 root root 22156 2006-08-07 19:46 mkdir
-rwxr-xr-x 1 root root 5668 2006-08-07 19:46 mktemp
-rwxr-xr-x 1 root root 61436 2006-08-07 19:46 mv
-rwxr-xr-x 1 root root 129792 2006-08-07 19:46 nano
-rwxr-xr-x 1 root root 664084 2006-08-07 19:46 rbash
-rwxr-xr-x 1 root root 32304 2006-08-07 19:46 rm
-rwxr-xr-x 1 root root 13092 2006-08-07 19:46 rmdir
-rwxr-xr-x 1 root root 129792 2006-08-07 19:46 rnano
-rwxr-xr-x 1 root root 13884 2006-08-07 19:46 sleep
-rwxr-xr-x 1 root root 188788 2006-08-07 19:46 tar
-rwxr-xr-x 1 root root 6112 2006-08-07 19:46 tempfile
-rwxr-xr-x 1 root root 32676 2006-08-07 19:46 touch
-rwxr-xr-x 1 root root 51840 2006-08-07 19:46 uncompress
-rwxr-xr-x 1 root root 76520 2006-08-07 19:46 vdir
-rwxr-xr-x 1 root root 884 2006-08-07 19:46 which
-rwxr-xr-x 1 root root 51840 2006-08-07 19:46 zcat
-rwxr-xr-x 1 root root 1974 2006-08-07 19:46 zcmp
-rwxr-xr-x 1 root root 1974 2006-08-07 19:46 zdiff
-rwxr-xr-x 1 root root 1525 2006-08-07 19:46 zforce
-rwxr-xr-x 1 root root 103 2006-08-07 19:46 zless
-rwxr-xr-x 1 root root 3518 2006-08-07 19:46 znew


Below's the error I get. It doesn't matter which host I try to reach.

Last login: Wed Aug 9 12:54:44 2006 from localhost
/bin/bash: No such file or directory
Connection to 127.0.0.1 closed.


Thanks for the speedy replies.

falko
13th August 2006, 19:36
Hm... And what's the output of ls -la /home/jail and ls -la /home/jail/home/mike?

Soap_Dude
15th August 2006, 03:55
/home/jail

total 32
drwxr-xr-x 8 root jail 4096 2006-08-06 02:10 .
drwxr-xr-x 5 root root 4096 2006-08-09 01:44 ..
drwxr-xr-x 2 root root 4096 2006-08-07 20:02 bin
drwxr-xr-x 2 root bin 4096 2006-08-06 02:12 dev
drwxr-xr-x 2 root bin 4096 2006-08-09 12:53 etc
drwxr-xr-x 3 root bin 4096 2006-08-07 19:05 home
drwxr-xr-x 3 root bin 4096 2006-08-07 18:58 lib
drwxr-xr-x 4 root bin 4096 2006-08-06 02:13 usr



/home/jail/home/mike

total 24
drwxr-xr-x 2 root bin 4096 2006-08-07 19:36 .
drwxr-xr-x 3 root bin 4096 2006-08-07 19:05 ..
-rw------- 1 root bin 83 2006-08-07 20:05 .bash_history
-rw-r--r-- 1 root bin 220 2006-08-07 19:05 .bash_logout
-rw-r--r-- 1 root bin 414 2006-08-07 19:05 .bash_profile
-rw-r--r-- 1 root bin 2227 2006-08-07 19:05 .bashrc
lrwxrwxrwx 1 root bin 26 2006-08-07 19:05 Examples -> /usr/share/example-content


So you see bash is there, and that /home/jail/home/mike is indeed set as a user account folder. That's really weird...

falko
16th August 2006, 15:57
Why is /home/jail/home/mike owned by root:bin? It should be owned by mike...

Soap_Dude
17th August 2006, 18:33
Why is /home/jail/home/mike owned by root:bin? It should be owned by mike...

Yeah... I changed that, but still get the same error.

falko
18th August 2006, 14:47
Do you use Debian? Did you follow the tutorial as closely as possible?

Soap_Dude
19th August 2006, 19:09
I use Ubuntu, close enough. Yeah, I followed every step (and in the process accidentally wiped out my passwd file, which was extremely stupid, lol).

Anyway, thanks falko. I'll try to figure it out from now on.

seanheng
22nd August 2006, 02:21
hello
I'm trying to use the chroot howto but I'm using f5. I was told to follow it even though it's for Debian Sarge. Here is where I am stuck: I tried substituting yum for apt-get, but it says there's no match for those files.

help please

apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh

falko
23rd August 2006, 14:45
Try to find the appropriate packages with yum's search function:
yum search searchstring

dmw555
24th August 2006, 13:34
hello

I am using fc5 with these rpms installed:
openssl-devel-0.9.8a-5.2
openssl-0.9.8a-5.2

gnu-crypto-2.1.0-1jpp_2fc
gnu-crypto-javadoc-2.1.0-1jpp_2fc
libmcrypt-2.5.7-3.fc5
libgcrypt-1.2.2-1.2.1
beecrypt-4.1.2-9.2.1
mcrypt-2.6.4-2.fc5
cryptsetup-luks-1.0.3-0.rc2
libgcrypt-devel-1.2.2-1.2.1
crypto-utils-2.2-9.2.1

pam_mysql-0.6.2-3.fc5
pam-devel-0.99.4.0-fc5.4
pam_passwdqc-1.0.2-1.2.1
pam_ccreds-3-3.2
pam-0.99.4.0-fc5.4

I tried to search for the rpms from the howto (libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev) but didn't find them.

I just removed all ssh rpms and installed
openssh-4.2p1-chroot.tar.gz
and chroot ssh is working ok.

Is that right?

Which of these (libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev)
do I necessarily need to install?

thank you.

falko
26th August 2006, 00:26
I just removed all ssh rpms and installed
openssh-4.2p1-chroot.tar.gz
and chroot ssh is working ok.

Is that right?

If it's working, it's ok. :)

seanheng
26th August 2006, 20:32
I still don't get how you get chroot ssh to work by removing all ssh and installing that file.

What do I need to do?

How do I see what is installed on the system?

falko
27th August 2006, 17:19
Did you read dmw555's post?

seanheng
27th August 2006, 19:13
hello falko

Yeah, I read his post on how he removed all ssh, but I don't know how to see what is installed. And I used the perfect f5 howto; would that interfere with what I've set up using that howto? I just need more details on what to do. I'm still learning and need examples; I just don't know where to begin.

falko
28th August 2006, 10:50
hello

I am using fc5 with these rpms installed:
openssl-devel-0.9.8a-5.2
openssl-0.9.8a-5.2

gnu-crypto-2.1.0-1jpp_2fc
gnu-crypto-javadoc-2.1.0-1jpp_2fc
libmcrypt-2.5.7-3.fc5
libgcrypt-1.2.2-1.2.1
beecrypt-4.1.2-9.2.1
mcrypt-2.6.4-2.fc5
cryptsetup-luks-1.0.3-0.rc2
libgcrypt-devel-1.2.2-1.2.1
crypto-utils-2.2-9.2.1

pam_mysql-0.6.2-3.fc5
pam-devel-0.99.4.0-fc5.4
pam_passwdqc-1.0.2-1.2.1
pam_ccreds-3-3.2
pam-0.99.4.0-fc5.4
Run
yum install gnu-crypto gnu-crypto-javadoc libmcrypt libgcrypt ...
to install those packages.

I just removed all ssh rpms and installed
openssh-4.2p1-chroot.tar.gz
and chroot ssh is working ok.

Run rpm -q ssh to find out which SSH packages are installed. You can then remove them with
rpm -e packagename

seanheng
28th August 2006, 23:52
OK, I've followed what you said from the posting and removed all the ssh.
I don't know how to install the chroot ssh into the system,
and do I need to configure it somehow to get it to work right?

thanks for taking the time to help

falko
29th August 2006, 21:10
dmw555 wrote it before:


I just removed all ssh rpms and installed
openssh-4.2p1-chroot.tar.gz
and chroot ssh is working ok.

Have a look at the tutorial. It describes how you install openssh-4.2p1-chroot.tar.gz. :)

seanheng
29th August 2006, 23:12
falko, thanks for taking so much time to answer my questions.

I've read the post and removed the openssh rpms, and I followed all of the tutorial on chroot ssh except the libs part for Debian. I've gotten to this part and can't go any further:

Then we do this:

cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd

You should also copy the line of the group in which you will create new users from /etc/group to /home/chroot/etc/group. In this tutorial we will create users in the group users, so we do this:

grep /etc/group -e "^root" -e "^users" > etc/group

and restart SSH:

---> /etc/init.d/ssh restart

it says no file or directory

seanheng
29th August 2006, 23:27
OK, I managed to get ssh up, but here's my problem: when I log on with a user it says

/bin/bash: No such file or directory

falko
30th August 2006, 16:37
Please check if /bin/bash is within the chroot jail.

seanheng
30th August 2006, 22:23
falko
Yeah, there is a dir bin with the file bash in the chroot directory.

wr19026
30th August 2006, 22:42
It works pretty well, until I get to the point where I need to run the script:

root@bla:/backup/chroot# APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
root@bla:/backup/chroot# for prog in $APPS; do
> cp $prog ./$prog
>
> # obtain a list of related libraries
> ldd $prog > /dev/null
> if [ "$?" = 0 ] ; then
> LIBS=`ldd $prog | awk '{ print $3 }'`
> for l in $LIBS; do
> mkdir -p ./`dirname $l` > /dev/null 2>&1
> cp $l ./$l
> done
> fi
> done
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory

I changed the destination directory to backup/chroot by the way, as I want my users' homedir to be /backup/user1, /backup/user2 etc.

Any suggestions?

seanheng
30th August 2006, 23:24
I've tried everything I can think of,

like changing the dir:

sean:x:500:100:sean:/home/chroot/./chroot/home/sean:/bin/bash

Still doesn't work.

I've set it up like the posts on here: I removed all the openssh rpms
and followed the installation from the howto,
created an sshd script to run from /etc/init.d/sshd from the openssh4-2..chroot dir.

Everything is running and all, but when I log on as a user there's no /bin/bash,
and it exists in the home/chroot/bin directory.

I'm clueless.

falko
31st August 2006, 23:56
What's the output of ls -la /home/chroot? What's in /etc/passwd?

seanheng
1st September 2006, 03:52
this is the output

total 36
drwxr-xr-x 8 root root 4096 Aug 27 17:45 .
drwxr-xr-x 3 root root 4096 Aug 27 17:43 ..
drwxr-xr-x 2 root root 4096 Aug 30 17:11 bin
drwxr-xr-x 2 root root 4096 Aug 27 17:45 dev
drwxr-xr-x 2 root root 4096 Aug 27 17:48 etc
drwxr-xr-x 3 root root 4096 Aug 30 16:56 home
drwxr-xr-x 2 root root 4096 Aug 27 17:47 lib
drwxr-xr-x 4 root root 4096 Aug 27 17:46 usr


In /etc/passwd there is

root:x:0:0:root:/root:/bin/bash
sean:x:500:100:sean:/home/chroot/./home/sean:/bin/bash

seanheng
2nd September 2006, 15:40
Does anyone else have any ideas?

falko
2nd September 2006, 15:46
What's in /home/chroot/etc/passwd?

seanheng
3rd September 2006, 22:04
this is in /home/chroot/etc/passwd


root:x:0:0:root:/root:/bin/bash
sean:x:500:100:sean:/home/chroot/./home/sean:/bin/bash

falko
3rd September 2006, 23:39
Looks ok, too... I don't have any ideas anymore, in order to help you I'd have to try this myself on Fedora...

seanheng
4th September 2006, 01:41
Thanks for trying to help.

I can't figure out why either. I did exactly what the howto and the post said,
unless I'm supposed to install openssh-4.2p1-chroot a different way.

falko
4th September 2006, 15:32
The tutorial was written for Debian Sarge, so it's possible this doesn't work on Fedora.

zaqavis
7th September 2006, 13:16
Hey guys...
I have given my junior admin permission on some commands using the sudo files.
I want to give his id permission to change some files (normal file edits) in different users' home directories.

How..........?

falko
8th September 2006, 18:43
You must edit /etc/sudoers and allow him to use the chmod, chown, etc. commands.

zaqavis
15th September 2006, 08:30
Dear guys,

I have Linux 8.0 and will attach a KVM switch (monitor). When I give the command (startx) it does not show the display, it is out of range.

The command prompt is still displayed.

falko
16th September 2006, 23:22
Dear guys,

I have Linux 8.0

What's Linux 8.0? :confused: Which distribution do you use?


and will attach a KVM switch (monitor). When I give the command (startx) it does not show the display, it is out of range.

The command prompt is still displayed.

What's the exact error message? What's in the logs?

zaqavis
19th September 2006, 07:48
ls: /home/chroot: No such file or directory

zaqavis
19th September 2006, 08:57
startx error:

module loader
fatal server error: could not open default font 'fixed'.

fatal IO error: connection reset.

Regards
qavi

falko
20th September 2006, 16:37
What are you trying to do? What does X have to do with chrooted SSH? :confused: Can you explain in more detail?

zaqavis
22nd September 2006, 08:43
I'm just trying to start X Windows on Linux.

Regards
Qavi

falko
23rd September 2006, 14:41
And how is this related to chrooted SSH? :confused:

rv3000
26th September 2006, 19:05
Thanks for trying to help.

I can't figure out why either. I did exactly what the howto and the post said,
unless I'm supposed to install openssh-4.2p1-chroot a different way.

The create_chroot_env.sh script is not universal.
Check the ldd $APP output.
I think there aren't any libs in the jailed /lib directory.

wish success

zaqavis
2nd October 2006, 07:37
This is not related to ssh. I'm just asking.

falko
3rd October 2006, 17:20
This is not related to ssh. I'm just asking.
But this thread is about chrooted SSH. If your question is unrelated to this thread's topic, please open a new one.

Ovidiu
3rd October 2006, 22:39
now here is a related "answer" to this topic :-)

after having successfully installed ruby on rails according to the howto from howtoforge, I wanted to make it available to chrooted users, here are my modifications of the create_chroot_env.sh script:


APPS="/usr/bin/rails /usr/bin/gem /usr/bin/ruby /usr/bin/irb"

mkdir -p usr/lib/ruby/gems/1.8/gems/rubygems-update-0.9.0/lib/rubygems
mkdir -p usr/local/lib/site_ruby/1.8/rubygems


cp -R /usr/lib/ruby/* ./usr/lib/ruby/
cp -R /usr/local/lib/site_ruby/1.8/* ./usr/local/lib/site_ruby/1.8/


keep in mind that these are only things you have to add to your config, not the entire config. If someone can show me errors or redundancies, I mean maybe one can simplify those commands above, please do so.

For me ruby rails gem and irb can be executed by chrooted users.

Ovidiu
4th October 2006, 09:52
here is another problem with the chroot howto, I stumbled upon...
I successfully added perl and sa-learn to the list of apps and I was able to learn my spam and ham with the commandline but now I can't access my Maildir any longer.

-bash-2.05b$ ls -al Maildir
lrwxrwxrwx 1 root root 42 Sep 29 09:28 Maildir -> /var/www/web1/user/web1_postmaster/Maildir
-bash-2.05b$


as root here is the result:
h898552:/var/www/web1/user/web1_postmaster# ls -l Maildir/
total 208
drwxr-xr-x 2 web1_postmaster web1 4096 Jan 1 2000 courierimaphieracl
drwx------ 2 web1_postmaster web1 45056 Oct 4 09:49 courierimapkeywords
-rw-r--r-- 1 web1_postmaster web1 696 Oct 1 16:31 courierimapsubscribed
-rw-r--r-- 1 web1_postmaster web1 9679 Oct 4 09:49 courierimapuiddb
-rw-r--r-- 1 web1_postmaster web1 12453 Sep 24 11:39 courierpop3dsizelist
drwxrwxr-x 2 web1_postmaster web1 65536 Oct 4 09:49 cur
-rw-r--r-- 1 web1_postmaster web1 8625 Sep 6 14:17 maildircache
drwxrwxr-x 2 web1_postmaster web1 45056 Oct 4 09:49 new
drwxrwxr-x 2 web1_postmaster web1 4096 Oct 4 09:49 tmp
h898552:/var/www/web1/user/web1_postmaster#


which seems ok to me, did I do something wrong? I have no clue what I might have changed in the meantime, I am sure it used to work... can someone help me?

falko
4th October 2006, 18:24
but now I can't access my Maildir any longer.

What's the exact error message?

Ovidiu
4th October 2006, 19:10
oops, not a very complete explanation on my side:

login as: web1_postmaster
Using keyboard-interactive authentication.
Password:
Last login: Wed Oct 4 09:46:46 2006 from 86.122.60.4
-bash: cd: /
-bash-2.05b$ ls -al Maildir
lrwxrwxrwx 1 root root 42 Sep 29 09:28 Maildir -> /var/www/web1/user/web1_postmaster/Maildir
-bash-2.05b$ cd Maildir
-bash: cd: Maildir: No such file or directory
-bash-2.05b$


I hope this gives you a complete picture of the problem.

falko
5th October 2006, 16:43
lrwxrwxrwx 1 root root 42 Sep 29 09:28 Maildir -> /var/www/web1/user/web1_postmaster/Maildir
The problem is that the symlink uses an absolute path, and /var/www/web1 doesn't exist in the chroot jail.
You can recreate the symlink with a relative path:
rm -f Maildir
ln -s user/web1_postmaster/Maildir Maildir
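Most of the dead ends in this thread (a passwd home field with or without the /./ marker, a missing copy of the line in the jail's /etc/passwd, a home directory owned by root:bin, the absolute Maildir symlink just discussed) can be checked mechanically. The following checker is an added example, not from the thread, the howto or ISPConfig; it assumes the howto's jail layout (bin, dev, etc, lib, usr) and jail paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread, the howto or ISPConfig: check one
# chrooted-SSH user the way falko does by hand in this thread (passwd entry
# in both files, jail layout, ownership of the home directory, symlinks that
# only resolve outside the jail). The chroot patch splits the passwd home
# field at "/./": the part before the marker is the jail root, the part
# after it is the home directory as seen from inside the jail.
# Assumes the howto's layout (bin, dev, etc, lib, usr) and jail paths
# without spaces.

# split_jail_home HOMEFIELD: print "JAILROOT INNERHOME"; return 1 when the
# field has no "/./" marker (such a user would not be chrooted at all)
split_jail_home() {
    case $1 in
        */./*) ;;
        *) return 1 ;;
    esac
    echo "${1%%/./*} /${1#*/./}"
}

# passwd_entry USER FILE: print USER's line from FILE (empty if absent)
passwd_entry() {
    grep "^$1:" "$2" 2>/dev/null | head -n 1
}

# escaped_symlinks JAIL: print symlinks under JAIL whose absolute target
# does not exist inside the jail. This is the Maildir case above: the link
# looked fine from outside, but inside the jail /var/www/web1 does not exist.
escaped_symlinks() {
    find "$1" -type l | while read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) [ -e "$1$target" ] || echo "$link -> $target" ;;
        esac
    done
}

# check_jail_user USER [PASSWD]: print every problem found and return their
# count, so 0 means the entry looks consistent
check_jail_user() {
    user=$1
    passwd=${2:-/etc/passwd}
    problems=0
    entry=$(passwd_entry "$user" "$passwd")
    if [ -z "$entry" ]; then
        echo "$user: no entry in $passwd"
        return 1
    fi
    uid=$(echo "$entry" | cut -d: -f3)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)
    if ! parts=$(split_jail_home "$home"); then
        echo "$user: home '$home' has no /./ marker, the user will not be chrooted"
        return 1
    fi
    jail=${parts%% *}
    inner=${parts#* }
    for d in bin dev etc lib usr; do
        if [ ! -d "$jail/$d" ]; then
            echo "$user: jail directory $jail/$d is missing"
            problems=$((problems + 1))
        fi
    done
    # the login shell must exist at its passwd path *inside* the jail
    if [ ! -x "$jail$shell" ]; then
        echo "$user: shell $shell not found inside the jail ($jail$shell)"
        problems=$((problems + 1))
    fi
    # the jail's own /etc/passwd must carry the same line
    if [ "$(passwd_entry "$user" "$jail/etc/passwd")" != "$entry" ]; then
        echo "$user: entry differs or is missing in $jail/etc/passwd"
        problems=$((problems + 1))
    fi
    # the home directory must exist inside the jail and belong to the user
    if [ ! -d "$jail$inner" ]; then
        echo "$user: home $jail$inner does not exist inside the jail"
        problems=$((problems + 1))
    elif [ "$(ls -ldn "$jail$inner" | awk '{ print $3 }')" != "$uid" ]; then
        echo "$user: $jail$inner is not owned by uid $uid"
        problems=$((problems + 1))
    fi
    links=$(escaped_symlinks "$jail")
    if [ -n "$links" ]; then
        echo "$user: symlinks that do not resolve inside the jail:"
        echo "$links"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh checkjail.sh testuser   (reads /etc/passwd unless a file is given)
if [ "$#" -ge 1 ]; then
    check_jail_user "$@"
fi
```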

Ovidiu
5th October 2006, 18:14
OK, but the symlinks are created system-wide. I do not know if by Debian or by the installation of ISPConfig.. do you have a clue where they are created, as I would like to have the Maildir available for all users...

falko
6th October 2006, 15:02
The symlinks are created by ISPConfig, it's in the file /root/ispconfig/scripts/lib/classes/ispconfig_procmail.lib.php. There must be a line like this one:

$mod->log->phpcaselog(@symlink($web_path."/user/".$user_username."/Maildir", $web_path."/Maildir"), "symlink ".$web_path."/Maildir", $this->FILE, __LINE__);

that you must change.

secondsun
12th October 2006, 23:06
Hey Guys,

chroot sshd runs fine for us. (dapper drake)

But we had a serious error when we ran "psybnc with an SSL connection to an ircd":
Cannot create SSL-Connection for Socket 7(1) (CONNECT)

This appears in a flood in the psyBNC status window ... and after a few seconds psybnc kills itself.
If we connect psybnc to a "normal" non-SSL server, all works fine.
We have put the complete /usr, /lib + /usr/lib into /home/chroot/* .

Thanks in advance for any advice.

falko
13th October 2006, 16:55
But we had a serious error when we ran "psybnc with an SSL connection to an ircd":
Cannot create SSL-Connection for Socket 7(1) (CONNECT)

This appears in a flood in the psyBNC status window ... and after a few seconds psybnc kills itself.

I think you must put the socket into the chroot jail.

secondsun
13th October 2006, 20:35
How can I do this?

falko
14th October 2006, 15:37
Tell psybnc to use a socket that's in the chroot jail. You might also have to create a symlink to make the socket work inside and outside the chroot jail.

secondsun
14th October 2006, 15:49
That's a nice idea but ... how can I do this? :)
In psybnc I can set up the SSL path. It is /usr/local/ssl currently.
Making a symlink is also a fine idea, but where should it start and where should it end?

thanks for advice.

falko
15th October 2006, 14:14
Where's the socket located currently?

3molo
15th October 2006, 15:31
Hi and thanks for the guides Falko.

I can't get the chroot patch to work although I followed your guide. I'm running a Debian sarge/sid mix. The only difference from your installation process is that I chose the chroot patch that matches my openssh version, and I assume this is the correct thing to do? :)
I did create all the dirs, copied all the files and changed the passwd entries.
Restarted my sshd after each change I did. Also tried the suggested pam entries to be used with the patch (openssh-3.8.1p1-chroot/contrib/sshd.pam.generic).

no result:
test@w00t:~$ pwd
/home/chroot/./home/test

passwd entry in both passwd files:
test:x:1005:1005:,,,:/home/chroot/./home/test:/bin/bash

ls -l /home/chroot/
drwxr-sr-x 2 root staff 1024 Oct 14 17:47 bin
drwxr-sr-x 2 root staff 1024 Oct 14 17:43 dev
drwxr-sr-x 2 root staff 1024 Oct 14 17:50 etc
drwxr-sr-x 3 root staff 1024 Oct 14 17:51 home
drwxr-sr-x 3 root staff 1024 Oct 14 17:49 lib
drwxr-sr-x 5 root staff 1024 Oct 14 17:47 usr

versions:
SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4, openssh-3.8.1p1-chroot.

Any clue? ;)

secondsun
15th October 2006, 16:49
Where's the socket located currently?

How can I check where my socket is running?
I don't know anything about SSL sockets :(

Thanks falko for your endurance.

falko
16th October 2006, 14:59
Hi and thanks for the guides Falko.

I can't get the chroot patch to work although I followed your guide. I'm running a Debian sarge/sid mix. The only difference from your installation process is that I chose the chroot patch that matches my openssh version, and I assume this is the correct thing to do? :)
I did create all the dirs, copied all the files and changed the passwd entries.
Restarted my sshd after each change I did. Also tried the suggested pam entries to be used with the patch (openssh-3.8.1p1-chroot/contrib/sshd.pam.generic).

no result:
test@w00t:~$ pwd
/home/chroot/./home/test

passwd entry in both passwd files:
test:x:1005:1005:,,,:/home/chroot/./home/test:/bin/bash

ls -l /home/chroot/
drwxr-sr-x 2 root staff 1024 Oct 14 17:47 bin
drwxr-sr-x 2 root staff 1024 Oct 14 17:43 dev
drwxr-sr-x 2 root staff 1024 Oct 14 17:50 etc
drwxr-sr-x 3 root staff 1024 Oct 14 17:51 home
drwxr-sr-x 3 root staff 1024 Oct 14 17:49 lib
drwxr-sr-x 5 root staff 1024 Oct 14 17:47 usr

versions:
SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4, openssh-3.8.1p1-chroot.

Any clue? ;)
Can you open a new thread for this? Otherwise this one will become too confusing...

falko
16th October 2006, 15:00
Hhow can i check where my socket is running?
I dont know anything about ssl-socks :(

Isn't there a configuration file for psybnc? Or an init script? I think that the socket is specified in one of them.

secondsun
16th October 2006, 15:16
from configfile (psybnc):
/* The Path to SSL */
#define SSLPATH "/usr/local/ssl/"

I don't have this folder and I don't know where I can find the SSLPATH for my Ubuntu system.
SSL is installed; running psybnc outside the chroot works fine.

falko
17th October 2006, 17:38
from configfile (psybnc):
/* The Path to SSL */
#define SSLPATH "/usr/local/ssl/"

I don't have this folder and I don't know where I can find the SSLPATH for my Ubuntu system.
SSL is installed; running psybnc outside the chroot works fine.

This doesn't tell anything about the sock file.
What's the output of
updatedb
locate sock
when psybnc is running?

secondsun
17th October 2006, 18:42
http://www.ubuntuusers.de/paste/4374/

I've cut all the psybnc outputs/paths, they are the same as lines 1-9.

falko
18th October 2006, 16:49
I'm not sure if the socket is in that output. Maybe it doesn't have the string "socket" in its name...
Anyway, let's assume the socket was /tmp/example.sock. Then you can chroot it like this:

Stop psybnc, then create a symbolic link:
ln -s /home/chroot/tmp/example.sock /tmp/example.sock
Then start psybnc. Now psybnc should work inside and outside the chroot jail.

Kanedo
28th January 2007, 21:42
I had this same error "/bin/bash: No such file or directory" that many others are getting on this thread. The actual reason for this error isn't that /bin/bash is missing in your chrooted directory. It's a library dependency of /bin/bash that is missing. Using the script in the how-to didn't copy all of the dependent libraries needed by /bin/bash to your chrooted directory. To find out which ones are missing, you start by doing 'ldd /bin/bash':

> ldd /bin/bash
libtermcap.so.2 => /lib/libtermcap.so.2
libdl.so.2 => /lib/libdl.so.2
libc.so.6 => /lib/tls/libc.so.6
/lib/ld-linux.so.2

Then you go down that list and see if they're in your chrooted dir.


> ls /home/chroot/lib/libtermcap.so.2
/home/chroot/lib/libtermcap.so.2

> ls /home/chroot/lib/libdl.so.2
/home/chroot/lib/libdl.so.2

> ls /home/chroot/lib/tls/libc.so.6
/home/chroot/lib/tls/libc.so.6

> ls /home/chroot/lib/lib/ld-linux.so.2
ls: /home/chroot/lib/lib/ld-linux.so.2: No such file or directory


As it turned out, I was missing "/lib/ld-linux.so.2" in my chrooted directory. Copying that to my chrooted dir fixed my problem. I've only tested this on a CentOS 4.4 installation, but this might work for others as well.

I hope this solves your problem.
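Kanedo's manual ldd check and wr19026's "cp: cannot stat `(0xffffe000)'" errors earlier in the thread have the same root cause: the howto's loop takes the third field of every ldd line. As an added example (not from the thread and not the howto's create_chroot_env.sh), this script parses ldd output properly, copies a program with its libraries into a jail and re-checks the jail; the jail path and program names on the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from the howto's create_chroot_env.sh:
# copy a program plus the shared libraries it needs into a chroot jail,
# parsing `ldd` output properly. The howto's loop takes field 3 of every ldd
# line, so the vDSO line "linux-gate.so.1 => (0xffffe000)" becomes a bogus
# file name and the bare loader line "/lib/ld-linux.so.2 (0x...)" is skipped:
# that is the "cp: cannot stat `(0xffffe000)'" noise and, with the loader
# missing, the "/bin/bash: No such file or directory" login failure seen above.

# parse_ldd_output: read ldd output on stdin and print one absolute library
# path per line. The line shapes handled:
#   libc.so.6 => /lib/tls/libc.so.6 (0x008b3000)   -> /lib/tls/libc.so.6
#   linux-gate.so.1 => (0xffffe000)                -> skipped (kernel vDSO)
#   /lib/ld-linux.so.2 (0x00895000)                -> /lib/ld-linux.so.2
#   libfoo.so.1 => not found                       -> skipped, warned on stderr
#   statically linked                              -> nothing to copy
parse_ldd_output() {
    awk '
        /=>/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "=>") {
                    if ($(i + 1) ~ /^\//) print $(i + 1)
                    else if ($(i + 1) == "not") print "ldd: " $1 " not found" > "/dev/stderr"
                    break
                }
            }
            next
        }
        $1 ~ /^\// { print $1 }
    '
}

# copy_into_jail JAIL PATH: copy PATH into JAIL at the same path, creating
# the directory (e.g. lib/tls) if needed; -p keeps mode and timestamps
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# install_app JAIL PROG: copy PROG and every library ldd resolves for it
install_app() {
    copy_into_jail "$1" "$2"
    ldd "$2" | parse_ldd_output | while read -r lib; do
        copy_into_jail "$1" "$lib"
    done
}

# jail_is_complete JAIL PROG: the check Kanedo did by hand with ls; print
# every dependency of PROG that is absent from JAIL and fail if there is any
jail_is_complete() {
    missing=$(ldd "$2" | parse_ldd_output | while read -r lib; do
        [ -e "$1$lib" ] || echo "$1$lib"
    done)
    [ -z "$missing" ] || { echo "$missing"; return 1; }
}

# Usage: sh jailapp.sh /home/chroot /bin/bash /bin/ls ...   (assumed paths)
if [ "$#" -ge 2 ]; then
    jail=$1
    shift
    for prog in "$@"; do
        install_app "$jail" "$prog" && jail_is_complete "$jail" "$prog"
    done
fi
```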

Ovidiu
7th February 2007, 10:40
still having some issues regarding ruby and gem, here is what I am trying to do:

gem install rmagick
Attempting local installation of 'rmagick'
Local gem file not found: rmagick*.gem
Attempting remote installation of 'rmagick'
Updating Gem source index for: http://gems.rubyforge.org
ERROR: While executing gem ... (Errno::EACCES)
Permission denied - /usr/lib/ruby/gems/1.8/cache/rmagick-1.15.2.gem

I want to allow the client to install a new gem - besides the fact that it does not work, would this be safe? If so, how can I allow this and get rid of the Permission denied error?

###edit###
Partially solved this. As far as I found out, every page I found was only stating that imagemagick6 was required, but after installing imagemagick6-dev, gem install rmagick worked too :-)

pootle
24th February 2007, 12:36
I had this same error "/bin/bash: No such file or directory" that many others are getting on this thread. The actual reason for this error isn't that /bin/bash is missing in your chrooted directory. It's a library dependency of /bin/bash that is missing. Using the script in the how-to didn't copy all of the dependent libraries needed by /bin/bash to your chrooted directory. To find out which ones are missing, you start by doing 'ldd /bin/bash':

> ldd /bin/bash
libtermcap.so.2 => /lib/libtermcap.so.2
libdl.so.2 => /lib/libdl.so.2
libc.so.6 => /lib/tls/libc.so.6
/lib/ld-linux.so.2

Then you go down that list and see if they're in your chrooted dir.


> ls /home/chroot/lib/libtermcap.so.2
/home/chroot/lib/libtermcap.so.2

> ls /home/chroot/lib/libdl.so.2
/home/chroot/lib/libdl.so.2

> ls /home/chroot/lib/tls/libc.so.6
/home/chroot/lib/tls/libc.so.6

> ls /home/chroot/lib/lib/ld-linux.so.2
ls: /home/chroot/lib/lib/ld-linux.so.2: No such file or directory


As it turned out, I was missing "/lib/ld-linux.so.2" in my chrooted directory. Copying that to my chrooted dir fixed my problem. I've only tested this on a CentOS 4.4 installation, but this might work for others as well.

I hope this solves your problem.


I confirm this is the same problem on SUSE 10.2. My friend has been helping me set this up and I too ended up with /bin/bash errors. When we copied the /lib/ld-linux.so.2 file over it worked; it wasn't until we came back here that we found this post :)!

So what script do we need to edit/patch to make sure this is copied over every time a new user is created? I'd also like to add the bash.rc file as well so it looks nicer when logged in. I'm new to ISPConfig so I don't know which files need hacking up.

Thanks, pootle.

pootle
24th February 2007, 13:10
It's ok, I've found it..

It's under ispconfig/scripts/shell/create_chroot_env.sh

so I can edit what I want in there.

I'm going to look if it's possible to set up SCP and SFTP now to transfer data to the domains rather than use FTP, as it gives the security of encryption.

Is it worth doing this or do people believe proftp is secure enough?

till
24th February 2007, 13:33
Is it worth doing this or do people believe proftp is secure enough?

Most people prefer to use FTP because tools like Dreamweaver do not support SCP. Also you can enable proftpd to use TLS, which secures the connection with SSL.

pootle
24th February 2007, 14:14
Most people prefer to use FTP because tools like Dreamweaver do not support SCP. Also you can enable proftpd to use TLS, which secures the connection with SSL.

Ah, I didn't know you could secure proftpd :( Are there any tutorials on here that explain how to do that for ISPConfig using the certificates that have been generated?

I've got SFTP working under the chroot jail now, but it looks like that might be pointless if I have proftpd running with the certificate.

Thanks for your reply till.