#1
30th September 2009, 23:49
rbees
Can't get chroot jail to work

Ladies & Gents

I have been trying to set up a chroot jail for some ssh users. I have been using this how-to http://www.howtoforge.org/chrooted-s...l-debian-lenny
I tried an earlier one from the same author and didn't have success either.

I am at this point.

I am able to log in as the "testuser" provided that I change the sshd_config and comment out the settings for "testuser".

The error is
Code:
:~$ ssh testuser@kingbee
Debian GNU/Linux squeeze/sid
testuser@kingbee's password:
/bin/bash: Permission denied
Connection to kingbee closed.
:~$

The auth.log contains
Code:
Sep 29 18:07:56 Kingbee sshd[25831]: Connection from 127.0.1.1 port 33898
Sep 29 18:07:56 Kingbee sshd[25831]: Failed none for testuser from 127.0.1.1 port 33898 ssh2
Sep 29 18:08:01 Kingbee sshd[25831]: Accepted password for testuser from 127.0.1.1 port 33898 ssh2
Sep 29 18:08:01 Kingbee sshd[25831]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 29 18:08:01 Kingbee sshd[25839]: Changed root directory to "/home"
Sep 29 18:08:01 Kingbee sshd[25831]: User child is on pid 25839
Sep 29 18:08:01 Kingbee sshd[25831]: pam_unix(sshd:session): session closed for user testuser

So far nothing I have tried has helped.

There were 2 entries in /home/etc/passwd & shadow in the jail for "testuser". The first one I think was a leftover from the first attempt, so I deleted them. That didn't change things.

The /etc/passwd only contains one line for "testuser" and it looks like this
Code:
testuser:x:1002:1003::/home/home/testuser:/bin/bash

The one in the jail, /home/etc/passwd, looks like
Code:
testuser:x:1002:1003::/home/testuser:/bin/bash

The only difference I see is that the home directory is different and points inside the jail from outside.

The permissions on /home/testuser are drwx------(700) and all the files and folders in it are owned by testuser.

The script that builds the jail comes from http://www.fuschlberger.net/programs...p-chroot-jail/ and talks about pam causing login problems.
Quote:
If you cannot log in (for example on Debian Sarge) and see a warning like "su: Module is unknown" then comment out the following line from $JAIL/etc/pam.d/su:

#session required pam_limits.so

After that logging in will work, although I can't explain why the module in $JAIL/lib/security/ is not found and used.

But I don't have /home/jail/etc/pam.d/su; I have the folder but not the file. But my error says nothing about a module. I do have /home/etc/pam.d/su and the above is commented out.

I am able to manually enter the jail as root.

Thanks for any advice you can give me.
#2
1st October 2009, 18:16
falko

What's your jail directory? /home, /home/jail, or something else?
#3
1st October 2009, 20:46
rbees

Thanks falko,

The jail is as built by the script you reference: /home. I made no changes to the script as downloaded. I have discovered that for some reason the script set the permissions on the links and files as 700 and 600 instead of 755 and 644.

I have gone through the files and folders and set the permissions as they are on my Debian Squeeze amd64 install. I may have missed something though.

Then I ran into a different problem with sftp and the user not being recognized. I fixed that by setting the permissions on /etc/passwd & shadow.

Now I get what looks like a half login? At least the cursor goes to the next line and I can enter text & some commands but pressing return only sends the cursor to the next line or closes the connection.

My install is an upgrade from Lenny when it was testing. When the repos opened for testing squeeze I upgraded. So it has never really run stable.

There is a directory /home/jail with some of a root file system in it but it is very limited. Not sure how it got there.

This is what /var/log/auth.log shows
Code:
Oct  1 13:34:08 Kingbee sshd[7153]: Connection from 127.0.1.1 port 49251
Oct  1 13:34:08 Kingbee sshd[7153]: Failed none for testuser from 127.0.1.1 port 49251 ssh2
Oct  1 13:34:11 Kingbee sshd[7153]: Accepted password for testuser from 127.0.1.1 port 49251 ssh2
Oct  1 13:34:11 Kingbee sshd[7153]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Oct  1 13:34:11 Kingbee sshd[7161]: Changed root directory to "/home"
Oct  1 13:34:11 Kingbee sshd[7153]: User child is on pid 7161
Oct  1 13:34:24 Kingbee sshd[7153]: pam_unix(sshd:session): session closed for user testuser
kingbee@Kingbee:~$

A quick look through the other log files shows nothing else.

Any ideas?

Thanks
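
The permission problem reported in post #3 (jail files created as 700/600 instead of 755/644) is consistent with the `/bin/bash: Permission denied` error in post #1 and can be checked mechanically. The script below is an added example, not part of the thread or of the jail-building script; the function names and the list of audited jail subdirectories are assumptions.

```shell
#!/bin/sh
# Added example: find jail entries a non-root user cannot use.
# Works on mode bits only, so it gives the same answer when run as root.

# Report problems for one path; extra arguments (e.g. -prune) go to find.
check() {
    p=$1; shift
    [ -e "$p" ] || return 0   # assumed layout: skip directories this jail lacks
    # Directories must be readable and searchable by "other" (e.g. 755).
    find "$p" "$@" -type d ! -perm -005 -exec echo "dir-not-o+rx" {} \;
    # Owner-executable files (shells, tools) must also be o+rx (e.g. 755).
    find "$p" "$@" -type f -perm -100 ! -perm -005 -exec echo "exe-not-o+rx" {} \;
    # Other files (libraries, passwd) must be readable by "other" (e.g. 644).
    find "$p" "$@" -type f ! -perm -100 ! -perm -004 -exec echo "file-not-o+r" {} \;
}

# Print one "<problem> <path>" line per finding for the jail root given as $1.
audit_jail() {
    jail=$1
    {
        check "$jail" -prune                # the jail root itself
        for sub in bin lib lib64 usr; do    # binaries and libraries, recursive
            check "$jail/$sub"
        done
        for f in etc etc/passwd etc/group; do   # only these, not all of etc
            check "$jail/$f" -prune
        done
    } | sort
}

# Succeeds only when the audit reports nothing.
jail_ok() {
    [ -z "$(audit_jail "$1")" ]
}
```

For the jail in this thread the call would be `audit_jail /home`. User home directories inside the jail are deliberately not audited, since 700 is a normal mode there.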
#4
3rd October 2009, 00:19
rbees

mostly SOLVED

check this for more detail

http://www.linuxquestions.org/questi...7/#post3705048