SSH Users CHROOT

[falko]

I installed a chrooted SSH yesterday on Debian Sarge, it will go into a small howto in the next days, but basically this is how I did it:

Let's say your chroot will be in /home/chroot, and you have a user admin (whom we want ot give chrooted SSH access) in /etc/password like that:

Code:

admin:x:1000:1000:admin,,,:/home/admin:/bin/bash

Change that line to

Code:

admin:x:1000:1000:admin,,,:/home/chroot/./home/admin:/bin/bash

The dot in /home/chroot/./home/admin is important so that OpenSSH knows that this user should be chrooted.

Now we install a new OpenSSH with chroot capabilities:

Code:

cd /tmp
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make
make install
cd ..

apt-get install libpam0g-dev
wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install

Afterwards, we create the chroot environment:

Code:

mkdir /home/chroot/
mkdir -p /home/chroot/home/admin
chown admin:admin /home/chroot/home/admin

cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

Then run the following commands on your shell:

Code:

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraryes
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                done
        fi
done

Finally do this:

Code:

cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
touch etc/passwd
grep /etc/passwd -e "^root" -e "^admin" > etc/passwd
grep /etc/group -e "^root" -e "^admin" > etc/group
#grep admin /etc/passwd >> /home/chroot/etc/passwd
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
/etc/init.d/ssh restart

Now you can login as admin, and admin should be chrooted.

[danf.1979]

Is the admin root? I need this feature cause in the future I'll be managing my server remotely through ssh (me and server = diferent city)

[falko]

No, admin is the name of the user and not a placeholder for root. Replace admin with your own usernames. And don't try to chroot root, that makes no sense!

[magikern]

Code:

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraryes
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                done
        fi
done

this code gives me alot of errors:

Quote:

cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot create regular file «.//usr/lib/i686/cmov/libcrypto.so.0.9.8»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog
cp: cannot stat «(0xffffe000)»: Ingen slik fil eller filkatalog

PS: I run a Norwegian locale and "Ingen slik fil eller filkatalog" translates to "no such file or folder".

If i run "ldd /bin/bash" I get:

Quote:

ldd /bin/bash
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7f07000)
libdl.so.2 => /lib/tls/libdl.so.2 (0xb7f03000)
libc.so.6 => /lib/tls/libc.so.6 (0xb7dcc000)
/lib/ld-linux.so.2 (0xb7f55000)

When I tried to log on with the new user ,after following your guide, the console just hangs right after typing the password, but "who" and "ps aux | grep testuser" tells me that the user is logged on.

"chroot /home/chroot /bin/bash" dies with the message:

Quote:

chroot: cannot run command `/bin/bash': No such file or directory

i run a Debian Sarge with kernel 2.6.12

[falko]

Do the programs listed in the APPS line (/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping) exist on your system?

You could change

Code:

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraryes
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                done
        fi
done

to

Code:

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraryes
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                        echo "cp $l ./$l"
                done
        fi
done

to see what happens actually.

[magikern]

Now I got a hole bunch of "permisson denied" messages?

Quote:

cp: cannot create regular file `.//bin/bash': Permission denied
cp: cannot stat `(0xffffe000)': No such file or directory
cp (0xffffe000) ./(0xffffe000)
cp: cannot create regular file `.//lib/libncurses.so.5': Permission denied
cp /lib/libncurses.so.5 .//lib/libncurses.so.5
cp: cannot create regular file `.//lib/tls/libdl.so.2': Permission denied
cp /lib/tls/libdl.so.2 .//lib/tls/libdl.so.2
cp: cannot create regular file `.//lib/tls/libc.so.6': Permission denied
cp /lib/tls/libc.so.6 .//lib/tls/libc.so.6
cp: cannot create regular file `.//bin/ls': Permission denied
cp: cannot stat `(0xffffe000)': No such file or directory
cp (0xffffe000) ./(0xffffe000)
cp: cannot create regular file `.//lib/tls/librt.so.1': Permission denied
cp /lib/tls/librt.so.1 .//lib/tls/librt.so.1
cp: cannot create regular file `.//lib/libacl.so.1': Permission denied
cp /lib/libacl.so.1 .//lib/libacl.so.1
cp: cannot create regular file `.//lib/tls/libc.so.6': Permission denied
cp /lib/tls/libc.so.6 .//lib/tls/libc.so.6
cp: cannot create regular file `.//lib/tls/libpthread.so.0': Permission denied
cp /lib/tls/libpthread.so.0 .//lib/tls/libpthread.so.0

++ many more

[falko]

I think this is the problem:

Code:

cp /lib/libncurses.so.5 .//lib/libncurses.so.5

There's one slash too much.

Please change the script to

Code:

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraryes
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir ./`dirname $l` > /dev/null 2>&1
                        cp $l .$l
                        echo "cp $l .$l"
                done
        fi
done

[mchow]

The reason for "cp: cannot create regular file..." errors is because mkdir can't create directories more than 2 levels deep. You have to change the line to "mkdir -p" and then everything will work. I think you can ignore the "cp: cannot stat `(0xffffe000)' messages.

Code:

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
     ldd $prog > /dev/null
     if [ "$?" = 0 ] ; then
         LIBS=`ldd $prog | awk '{ print $3 }'`
         for l in $LIBS; do
              mkdir -p ./`dirname $l` > /dev/null 2>&1
              cp $l ./$l
         done
     fi
 done

[jannoke]

I got it working. figured out the script problem and my result was:
2x cp change adding --parents parameter to copy with full path and added "grep -v \(" to exclude lines which have ( in them (since libs shouldn't have them in their path).

Code:

APPS="/bin/env /usr/bin/wget /usr/bin/ftp /usr/bin/ldd /sbin/ldconfig /usr/bin/dig /bin/traceroute /usr/bin/host /bin/sh /bin/grep /bin/cat /bin/vi /bin/gzip
/bin/gunzip /usr/bin/mc /bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS;  do
echo "===========";
echo $prog;
#sleep 1
    cp $prog ./ --parents

    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
    LIBS=`ldd $prog | awk '{ print $3 }' | grep -v \(`
    echo $LIBS
    for l in $LIBS; do
        #mkdir -p ./`dirname $l` > /dev/null 2>&1
        cp $l ./ --parents
    done
fi
done

my problem is that using ping (or traceroute) it returns host not found or some other resolving failure.
dig works, and pinging numeric ip's work.
also ssh works connecting by ip address but not by name.

i have copied
/etc/host.conf
/etc/hosts
/etc/nsswitch.conf
/etc/localtime
/etc/resolve.conf
also to their chroot locations, but still no luck.

it does reads hosts file , I tested that.
but doesn't seem to do dns lookups

[falko]

It's /etc/resolv.conf, not /etc/resolve.conf.