HowtoForge Forums: ISPConfig 2 > Installation/Configuration
#11, 24th December 2005, 12:39, falko (Super Moderator)

I installed a chrooted SSH yesterday on Debian Sarge. It will go into a small howto in the next few days, but basically this is how I did it:

Let's say your chroot will be in /home/chroot, and you have a user admin (to whom we want to give chrooted SSH access) in /etc/passwd like this:

Code:
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash
Change that line to
Code:
admin:x:1000:1000:admin,,,:/home/chroot/./home/admin:/bin/bash
The dot in /home/chroot/./home/admin is important so that OpenSSH knows that this user should be chrooted.

Now we install a new OpenSSH with chroot capabilities:

Code:
cd /tmp
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make
make install
cd ..

apt-get install libpam0g-dev
wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install
Afterwards, we create the chroot environment:

Code:
mkdir /home/chroot/
mkdir -p /home/chroot/home/admin
chown admin:admin /home/chroot/home/admin

cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
Then run the following commands in your shell:
Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraries (ldd fails on static binaries)
        ldd $prog > /dev/null 2>&1
        if [ "$?" = 0 ] ; then
                # keep only real file paths: "=> /lib/..." entries (field 3)
                # and the loader line "/lib/ld-linux.so.2 (0x...)" (field 1);
                # the vDSO entry "linux-gate.so.1 => (0xffffe000)" is skipped
                LIBS=`ldd $prog | awk '$3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'`
                for l in $LIBS; do
                        # -p creates the whole path, e.g. ./lib/tls or ./usr/lib/i686/cmov
                        mkdir -p ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                done
        fi
done
Finally do this:
Code:
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
touch etc/passwd
grep /etc/passwd -e "^root" -e "^admin" > etc/passwd
grep /etc/group -e "^root" -e "^admin" > etc/group
#grep admin /etc/passwd >> /home/chroot/etc/passwd
# minimal groups(1) replacement for the chroot; it has to be executable
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
/etc/init.d/ssh restart
Now you can login as admin, and admin should be chrooted.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:

#12, 24th December 2005, 20:49, danf.1979 (Senior Member)

Is the admin root? I need this feature because in the future I'll be managing my server remotely through SSH (me and the server = different cities).

#13, 25th December 2005, 13:56, falko (Super Moderator)

No, admin is the name of the user and not a placeholder for root. Replace admin with your own usernames. And don't try to chroot root; that makes no sense!

#14, 18th February 2006, 17:43, magikern (Junior Member)

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                done
        fi
done
This code gives me a lot of errors:

Quote:
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot create regular file «.//usr/lib/i686/cmov/libcrypto.so.0.9.8»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
PS: I run a Norwegian locale, and "Ingen slik fil eller filkatalog" translates to "No such file or directory".

If I run "ldd /bin/bash" I get:
Quote:
ldd /bin/bash
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7f07000)
libdl.so.2 => /lib/tls/libdl.so.2 (0xb7f03000)
libc.so.6 => /lib/tls/libc.so.6 (0xb7dcc000)
/lib/ld-linux.so.2 (0xb7f55000)
When I tried to log on with the new user, after following your guide, the console just hangs right after typing the password, but "who" and "ps aux | grep testuser" tell me that the user is logged on.

"chroot /home/chroot /bin/bash" dies with the message:
Quote:
chroot: cannot run command `/bin/bash': No such file or directory
I run Debian Sarge with kernel 2.6.12.

#15, 18th February 2006, 18:49, falko (Super Moderator)

Do the programs listed in the APPS line (/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping) exist on your system?

You could change

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                done
        fi
done
to

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                        echo "cp $l ./$l"
                done
        fi
done
to see what actually happens.

#16, 19th February 2006, 01:17, magikern (Junior Member)

Now I get a whole bunch of "permission denied" messages?
Quote:
cp: cannot create regular file `.//bin/bash': Permission denied
cp: cannot stat `(0xffffe000)': No such file or directory
cp (0xffffe000) ./(0xffffe000)
cp: cannot create regular file `.//lib/libncurses.so.5': Permission denied
cp /lib/libncurses.so.5 .//lib/libncurses.so.5
cp: cannot create regular file `.//lib/tls/libdl.so.2': Permission denied
cp /lib/tls/libdl.so.2 .//lib/tls/libdl.so.2
cp: cannot create regular file `.//lib/tls/libc.so.6': Permission denied
cp /lib/tls/libc.so.6 .//lib/tls/libc.so.6
cp: cannot create regular file `.//bin/ls': Permission denied
cp: cannot stat `(0xffffe000)': No such file or directory
cp (0xffffe000) ./(0xffffe000)
cp: cannot create regular file `.//lib/tls/librt.so.1': Permission denied
cp /lib/tls/librt.so.1 .//lib/tls/librt.so.1
cp: cannot create regular file `.//lib/libacl.so.1': Permission denied
cp /lib/libacl.so.1 .//lib/libacl.so.1
cp: cannot create regular file `.//lib/tls/libc.so.6': Permission denied
cp /lib/tls/libc.so.6 .//lib/tls/libc.so.6
cp: cannot create regular file `.//lib/tls/libpthread.so.0': Permission denied
cp /lib/tls/libpthread.so.0 .//lib/tls/libpthread.so.0
++ many more

#17, 19th February 2006, 12:26, falko (Super Moderator)

I think this is the problem:
Code:
cp /lib/libncurses.so.5 .//lib/libncurses.so.5
There's one slash too many.

Please change the script to

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l .$l
                        echo "cp $l .$l"
                done
        fi
done

#18, 17th March 2006, 05:11, mchow (Junior Member)

The reason for the "cp: cannot create regular file..." errors is that mkdir can't create directories more than two levels deep. You have to change the line to "mkdir -p" and then everything will work. I think you can ignore the "cp: cannot stat `(0xffffe000)'" messages.

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir -p ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l
        done
    fi
done

Last edited by mchow; 17th March 2006 at 07:42.

#19, 31st July 2006, 13:37, jannoke (Junior Member)

I got it working. I figured out the script problem, and my result was:
I changed the two cp calls to add the --parents parameter so they copy with the full path, and added "grep -v \(" to exclude lines that have "(" in them (since libs shouldn't have that in their path).

Code:
APPS="/bin/env /usr/bin/wget /usr/bin/ftp /usr/bin/ldd /sbin/ldconfig /usr/bin/dig /bin/traceroute /usr/bin/host /bin/sh /bin/grep /bin/cat /bin/vi /bin/gzip
/bin/gunzip /usr/bin/mc /bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS; do
    echo "==========="
    echo $prog
    #sleep 1
    cp $prog ./ --parents

    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }' | grep -v \(`
        echo $LIBS
        for l in $LIBS; do
            #mkdir -p ./`dirname $l` > /dev/null 2>&1
            cp $l ./ --parents
        done
    fi
done
My problem is that using ping (or traceroute) returns "host not found" or some other resolving failure.
dig works, and pinging numeric IPs works.
Also, ssh works when connecting by IP address but not by name.

I have copied
/etc/host.conf
/etc/hosts
/etc/nsswitch.conf
/etc/localtime
/etc/resolve.conf
to their chroot locations as well, but still no luck.

It does read the hosts file, I tested that,
but it doesn't seem to do DNS lookups.

#20, 1st August 2006, 12:47, falko (Super Moderator)

It's /etc/resolv.conf, not /etc/resolve.conf.
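The following is an added example and is not code from the original thread or from Falko's howto. It rewrites the copy loop from post #11 so that it copes with the ldd output quoted in #14 and #16 (the vDSO line that has no file behind it, and the loader line that awk '{ print $3 }' drops entirely, which is why "chroot /home/chroot /bin/bash" in #14 reported "No such file or directory" although /bin/bash had been copied), and it adds the piece behind the resolver failure in #19 and #20: the NSS modules glibc loads with dlopen() at run time, which ldd never lists. Assumptions: GNU cp (for --parents) and glibc's ldd, as on Debian; the jail root is given as the first argument; the sample ldd output is the one magikern posted, and the nsswitch.conf fragment is constructed.

```shell
#!/bin/bash
# Added example, not code from the original thread. Assumes GNU cp (--parents)
# and glibc's ldd, as on Debian; the jail root is passed as the first argument.

# Keep only the absolute file paths in ldd output. The three line shapes are:
#   linux-gate.so.1 =>  (0xffffe000)              vDSO, no file on disk: skip
#   libc.so.6 => /lib/tls/libc.so.6 (0xb7dcc000)  shared library: field 3
#   /lib/ld-linux.so.2 (0xb7f55000)               dynamic loader: field 1
# The loop in post #11 printed field 3 unconditionally, so it tried to copy
# "(0xffffe000)" and never copied the loader; a jail without /lib/ld-linux.so.2
# makes "chroot /home/chroot /bin/bash" fail with "No such file or directory"
# even though /bin/bash itself is present.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# Copy one file into the jail under its original absolute path; --parents
# recreates any missing directories (the mkdir -p fix from post #18).
jail_copy() {
    local jail=$1 src=$2
    if [ ! -e "$src" ]; then
        echo "jail_copy: $src does not exist" >&2
        return 1
    fi
    cp --parents "$src" "$jail/"
}

# Copy a program plus every library ldd reports for it. ldd fails on a
# statically linked binary; that is not an error, there is nothing to add.
jail_install() {
    local jail=$1 prog=$2 lib
    jail_copy "$jail" "$prog" || return 1
    ldd "$prog" 2>/dev/null | ldd_paths | while read -r lib; do
        jail_copy "$jail" "$lib" || exit 1    # exit leaves the pipeline subshell only
    done
}

# NSS modules are loaded with dlopen() at run time, so ldd never shows them:
# a jail with libc but without libnss_dns.so.2 resolves names from /etc/hosts
# and silently fails on DNS. Read an nsswitch.conf on stdin and print the
# module file names glibc will want for the "hosts:" line; libresolv.so.2 is
# added together with "dns" because libnss_dns depends on it.
nss_modules_for_hosts() {
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^\[/) continue          # action such as [NOTFOUND=return]
                 print "libnss_" $i ".so.2"
                 if ($i == "dns") print "libresolv.so.2"
             }
         }'
}

# Constructed sample input: the ldd output for /bin/bash quoted in post #14.
SAMPLE_LDD='        linux-gate.so.1 =>  (0xffffe000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb7f07000)
        libdl.so.2 => /lib/tls/libdl.so.2 (0xb7f03000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7dcc000)
        /lib/ld-linux.so.2 (0xb7f55000)'

# Constructed sample nsswitch.conf fragment in the usual Debian shape.
SAMPLE_NSSWITCH='passwd:         compat
group:          compat
hosts:          files dns
networks:       files'

sample_ldd_paths()   { printf '%s\n' "$SAMPLE_LDD"      | ldd_paths; }
sample_nss_modules() { printf '%s\n' "$SAMPLE_NSSWITCH" | nss_modules_for_hosts; }

# Usage (as root): ./jail-populate.sh /home/chroot /bin/bash /bin/ls /usr/bin/ssh
if [ $# -ge 2 ]; then
    jail=$1
    shift
    for prog in "$@"; do
        jail_install "$jail" "$prog" || exit 1
    done
fi
```

Run it as root with the jail root first and the programs after it; paths are absolute, so the working directory does not matter. Then copy the modules nss_modules_for_hosts prints for the host's /etc/nsswitch.conf (on Sarge they live under /lib next to the libnss_compat.so.2 and libnss_files.so.2 that post #11 already copies) together with /etc/nsswitch.conf, /etc/hosts and /etc/resolv.conf into the jail. Before pointing sshd at it, check the jail as root with "chroot /home/chroot /bin/ls /": that catches a missing loader or library without sshd in the picture. Two caveats: cp without -p creates the copy without the set-user-ID bit, so /bin/ping (setuid root on Sarge) stops working for the jailed user unless you put the bit back, which should be a deliberate decision about what a jailed user gets to run; and the ssh client copied into the jail wants /dev/urandom for its PRNG in addition to the null and zero devices from post #11 (mknod dev/urandom c 1 9).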