Chrooted functionality?

Discussion in 'General' started by ctroyp, Jul 18, 2006.

  1. ctroyp

    ctroyp HowtoForge Supporter

    I have successfully upgraded to version 2.2.5 and just tested the chroot function. I logged in using a non-admin user and was able to access higher levels above the user's jailed directory. I could get all the way up to root. :eek: Is this not a security issue? What do I need to do?
     
  2. till

    till Super Moderator

  3. ctroyp

    ctroyp HowtoForge Supporter

  4. ctroyp

    ctroyp HowtoForge Supporter

  5. edge

    edge HowtoForge Supporter

    I'm having the same problem with an updated server!

    When I install ISPconfig on a clean Debian system (I love VMware) it's working fine!

    *** Edit ***

    I'm wrong.. It's also working on the old system... So I'm not having any problems.. All I needed was a SSH restart
     
    Last edited: Jul 18, 2006
  6. till

    till Super Moderator

    Did you enable SSH chrooting in ISPConfigs config.inc.php file?

     
  7. ctroyp

    ctroyp HowtoForge Supporter

    Yes, from /home/admispconfig/ispconfig/scripts/config.inc.php .
     
  8. falko

    falko Super Moderator

    Did you restart SSH?
     
  9. ctroyp

    ctroyp HowtoForge Supporter

    Yes, but I get the following:
    Code:
    [root@server2 ~]# /etc/init.d/sshd restart
    Stopping sshd:                                             [  OK  ]
    Starting sshd: /etc/ssh/sshd_config line 74: Unsupported option GSSAPIAuthentication
    /etc/ssh/sshd_config line 76: Unsupported option GSSAPICleanupCredentials
                                                               [  OK  ]
     
  10. falko

    falko Super Moderator

    What's in /etc/ssh/sshd_config? Did you change that file?
     
  11. ctroyp

    ctroyp HowtoForge Supporter

    No sir, I did not change anything manually. But I am wondering if this has anything to do with running your chrooted how-to in the past and if the updated ISPConfig chroot function is conflicting with it. Here are the contents:
    Code:
    #	$OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    
    #Port 22
    #Protocol 2,1
    Protocol 2
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768
    
    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile	.ssh/authorized_keys
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes
    
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    
    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    
    # Set this to 'yes' to enable PAM authentication, account processing, 
    # and session processing. If this is enabled, PAM authentication will 
    # be allowed through the ChallengeResponseAuthentication mechanism. 
    # Depending on your PAM configuration, this may bypass the setting of 
    # PasswordAuthentication, PermitEmptyPasswords, and 
    # "PermitRootLogin without-password". If you just want the PAM account and 
    # session checks to run without PAM authentication, then enable this but set 
    # ChallengeResponseAuthentication=no
    #UsePAM no
    UsePAM yes
    
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression yes
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #ShowPatchLevel no
    
    # no default banner path
    #Banner /some/path
    
    # override default of no subsystems
    Subsystem	sftp	/usr/libexec/openssh/sftp-server
    
     
  12. falko

    falko Super Moderator

    Which distribution do you use? I wrote the tutorial for Debian so if you use another distribution that might be the problem.

    Anyway, comment out this line:
    Code:
    GSSAPIAuthentication yes
    and restart the SSH daemon.
     
  13. ctroyp

    ctroyp HowtoForge Supporter

    The distro is Fedora Core 4.

    I did what you recommended and still no luck.

    When I try using PuTTy, I login and is simply closes the interface without error. This usually happens when I do not specify the BASH shell in the /etc/passwd file, but this is not the case. Each user has BASH specified.

    I noticed that only a couple web users are in the replicated webx/etc/passwd file. Wouldn't this be a problem? I created a new user and looked to see if they were copied to the webx/etc/passwd file and they were not.
     
    Last edited: Jul 21, 2006
  14. ctroyp

    ctroyp HowtoForge Supporter

  15. falko

    falko Super Moderator

    Has the error message changed?

    I think the problem is this:

    Code:
    tar xvfz openssh-4.2p1-chroot.tar.gz
    cd openssh-4.2p1-chroot
    ./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
    make
    make install
    I guess you need to change the ./configure statement so that it suits to Fedora. You can find out about available configuration paramters by running
    Code:
    ./configure --help
     
  16. ctroyp

    ctroyp HowtoForge Supporter

    So before I run the ./configure command for Fedora, can you think of anything that I need to do with the current sshd config?
     
  17. AlecWeb

    AlecWeb New Member

    I had the same problem as you. (but with CentOS)

    It seems the /root/ispconfig/scripts/shell/create_chroot_env.sh is not good enough for FC/CentOS. It doens't copy all the needed files to run /bin/bash Just add the last 5 lines to your create_chroot_env.sh

    It should work. But I was unable to test it, because I get segmentation faults now.

    Code:
    #!/bin/bash
    
    #
    # Usage: ./create_chroot_env username
    #
    
    # Here specify the apps you want into the enviroment
    APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/zip /bin/tar /usr/bin/dircolors"
    
    # Sanity check
    if [ "$1" = "" ] ; then
            echo "    Usage: ./create_chroot_env username"
            exit
    fi
    
    # Obtain username and HomeDir
    CHROOT_USERNAME=$1
    HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME"  | cut -d':' -f 6`
    cd $HOMEDIR
    
    # Create Directories no one will do it for you
    mkdir etc
    mkdir bin
    mkdir usr
    mkdir usr/bin
    
    # Create short version to /usr/bin/groups
    # On some system it requires /bin/sh, which is generally unnessesary in a chroot cage
    
    echo "#!/bin/bash" > usr/bin/groups
    echo "id -Gn" >> usr/bin/groups
    
    # Add some users to ./etc/paswd
    grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > etc/passwd
    grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > etc/group
    
    # Copy the apps and the related libs
    for prog in $APPS;  do
            cp $prog ./$prog
    
            # obtain a list of related libraryes
            ldd $prog > /dev/null
            if [ "$?" = 0 ] ; then
                    LIBS=`ldd $prog | awk '{ print $3 }'`
                    for l in $LIBS; do
                            mkdir ./`dirname $l` > /dev/null 2>&1
                            cp $l ./$l
                    done
            fi
    done
    
    # From some strange reason these 3 libraries are not in the ldd output, but without them
    # some stuff will not work, like usr/bin/groups
    cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
    
    #ADDED by AlecWeb for CentOS 4.3 support.
    #Special thanks to http://ymettier.free.fr/articles_lmag/lmag54_chroot/lmag54_chroot.html
    cp /lib/libc.so* ./lib/
    cp /lib/libc-* ./lib/
    cp /lib/ld* ./lib/
    
     
  18. falko

    falko Super Moderator

    Leave it untouched and try to find the right ./configure command.
     
  19. ctroyp

    ctroyp HowtoForge Supporter

    Well, it looks to me like the ./configure statement takes the same options as Debian.. I used (wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz) for this install. Should i be getting it from RedHat instead?

    Code:
    [root@server2 openssh-4.2p1-chroot]# ./configure --help
    `configure' configures OpenSSH Portable to adapt to many kinds of systems.
    
    Usage: ./configure [OPTION]... [VAR=VALUE]...
    
    To assign environment variables (e.g., CC, CFLAGS...), specify them as
    VAR=VALUE.  See below for descriptions of some of the useful variables.
    
    Defaults for the options are specified in brackets.
    
    Configuration:
      -h, --help              display this help and exit
          --help=short        display options specific to this package
          --help=recursive    display the short help of all the included packages
      -V, --version           display version information and exit
      -q, --quiet, --silent   do not print `checking...' messages
          --cache-file=FILE   cache test results in FILE [disabled]
      -C, --config-cache      alias for `--cache-file=config.cache'
      -n, --no-create         do not create output files
          --srcdir=DIR        find the sources in DIR [configure dir or `..']
    
    Installation directories:
      --prefix=PREFIX         install architecture-independent files in PREFIX
                              [/usr/local]
    [B]  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                              [PREFIX][/B]
    
    By default, `make install' will install all the files in
    `/usr/local/bin', `/usr/local/lib' etc.  You can specify
    an installation prefix other than `/usr/local' using `--prefix',
    for instance `--prefix=$HOME'.
    
    For better control, use the options below.
    
    Fine tuning of the installation directories:
      --bindir=DIR           user executables [EPREFIX/bin]
      --sbindir=DIR          system admin executables [EPREFIX/sbin]
      --libexecdir=DIR       program executables [EPREFIX/libexec]
      --datadir=DIR          read-only architecture-independent data [PREFIX/share]
    [B]  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc][/B]
      --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
      --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
      --libdir=DIR           object code libraries [EPREFIX/lib]
      --includedir=DIR       C header files [PREFIX/include]
      --oldincludedir=DIR    C header files for non-gcc [/usr/include]
      --infodir=DIR          info documentation [PREFIX/info]
      --mandir=DIR           man documentation [PREFIX/man]
    
    System types:
      --build=BUILD     configure for building on BUILD [guessed]
      --host=HOST       cross-compile to build programs to run on HOST [BUILD]
    
    Optional Features:
      --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
      --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
      --disable-largefile     omit support for large files
      --disable-strip         Disable calling strip(1) on install
      --disable-etc-default-login Disable using PATH from /etc/default/login no
      --disable-lastlog       disable use of lastlog even if detected no
      --disable-utmp          disable use of utmp even if detected no
      --disable-utmpx         disable use of utmpx even if detected no
      --disable-wtmp          disable use of wtmp even if detected no
      --disable-wtmpx         disable use of wtmpx even if detected no
      --disable-libutil       disable use of libutil (login() etc.) no
      --disable-pututline     disable use of pututline() etc. (uwtmp) no
      --disable-pututxline    disable use of pututxline() etc. (uwtmpx) no
    
    Optional Packages:
      --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
      --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
      --without-rpath         Disable auto-added -R linker paths
      --with-osfsia           Enable Digital Unix SIA
      --with-cflags           Specify additional flags to pass to compiler
      --with-cppflags         Specify additional flags to pass to preprocessor
      --with-ldflags          Specify additional flags to pass to linker
      --with-libs             Specify additional libraries to link with
      --with-Werror           Build main code with -Werror
      --with-zlib=PATH        Use zlib in PATH
      --without-zlib-version-check Disable zlib version check
      --with-skey[=PATH]      Enable S/Key support (optionally in PATH)
      --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
      --with-libedit[=PATH]   Enable libedit support for sftp
      --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
     [B] --with-pam              Enable PAM support[/B]
      --with-ssl-dir=PATH     Specify path to OpenSSL installation
      --with-rand-helper      Use subprocess to gather strong randomness
      --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
      --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var                                                                             /run/egd-pool)
      --with-entropy-timeout  Specify entropy gathering command timeout (msec)
      --with-privsep-user=user Specify non-privileged user for privilege separation
      --with-sectok           Enable smartcard support using libsectok
    --with-opensc[=PFX]       Enable smartcard support using OpenSC (optionally in P                                                                             ATH)
      --with-kerberos5=PATH   Enable Kerberos 5 support
      --with-privsep-path=xxx Path for privilege separation chroot (default=/var/emp                                                                             ty)
      --with-xauth=PATH       Specify path to xauth program
      --with-mantype=man|cat|doc  Set man page type
      --with-md5-passwords    Enable use of MD5 passwords
      --without-shadow        Disable shadow password support
      --with-ipaddr-display   Use ip address instead of hostname in \$DISPLAY
      --with-default-path=    Specify default \$PATH environment for server
      --with-superuser-path=  Specify different path for super-user
      --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses
      --with-bsd-auth         Enable BSD auth support
      --with-pid-dir=PATH     Specify location of ssh.pid file
      --with-lastlog=FILE|DIR specify lastlog location common locations
    
    Some influential environment variables:
      CC          C compiler command
      CFLAGS      C compiler flags
      LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
                  nonstandard directory <lib dir>
      CPPFLAGS    C/C++ preprocessor flags, e.g. -I<include dir> if you have
                  headers in a nonstandard directory <include dir>
      CPP         C preprocessor
    
    Use these variables to override the choices made by `configure' or to help
    it to find libraries and programs with nonstandard names/locations.
    
    Report bugs to <openssh-unix-dev@mindrot.org>.
    
     
  20. falko

    falko Super Moderator

    If you find an RPM, you can try that one. Otherwise you must compile the sources,

    Well, there are a lot of parameters to play with... ;)
     

Share This Page