Chrooted SSH

Discussion in 'Server Operation' started by kafmil, Jun 14, 2012.

  1. kafmil

    kafmil New Member

    I have followed the instructions here (and many, many others) but can't seem to get this working. As soon as I add

    Match User sshuser
           ChrootDirectory /chrootdir
           X11Forwarding no
           AllowTcpForwarding no

    I get the errors below when I try to SSH in. I am running CentOS 6. make_chroot_jail says I am missing a couple of libraries, but from what I have read they are 32-bit; I am running 64-bit. I just can't find anything useful on these errors.

    sshd[22]: Accepted password for sshuser from 123.456.789.012 port 1234 ssh2
    sshd[22]: pam_unix(sshd:session): session opened for user sshuser by (uid=0)
    sshd[22]: User child is on pid 27
    sshd[27]: Changed root directory to "/chrootdir"
    sshd[27]: error: mm_receive_fd: no message header
    sshd[27]: fatal: mm_pty_allocate: receive fds failed
    sshd[27]: error: buffer_get_ret: trying to get more bytes 1 than in buffer 0
    sshd[27]: error: buffer_get_char_ret: buffer_get_ret failed
    sshd[27]: fatal: buffer_get_char: buffer error
    sshd[22]: fatal: mm_request_receive: read: Connection reset by peer
    sshd[22]: pam_unix(sshd:session): session closed for user sshuser

    Any ideas out there?
  2. falko

    falko Super Moderator ISPConfig Developer

    What's your OpenSSH version? AFAIR you need a version newer than 4.8.

    Is this a physical server or a virtual machine? If it's a virtual machine, you might have to increase RAM a bit.

    Another guess: is SELinux active?
  3. kafmil

    kafmil New Member

    SELinux

    Looks like SELinux is the culprit, thanks. For some reason though, I get

    su: user root does not exist

    when I try to su to the root account. Root is there in the passwd and shadow file, so it should work.

    I am also having a lot of hassles getting SELinux to let me through, I am not turning SELinux off, sshd access must be configurable somehow. I will post back here if I figure it out.
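Editor's note, with an added example that is not code from this thread or from ISPConfig. Beyond the Match block in the first post, sshd's ChrootDirectory has requirements that the config alone does not show: every path component from / down to the jail must be owned by root and not be group- or world-writable, the jail needs the shell plus the shared objects it links against, and name lookups inside the jail (su, id, ls -l) go through NSS, so passwd entries alone are not enough; the jail also needs /etc/nsswitch.conf and the NSS "files" backend. The script below assumes Linux with a `stat` that accepts `-c` and a glibc- or musl-style `ldd`; `/chrootdir` and `sshuser` are the thread's names, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: build a minimal chroot for sshd's
# ChrootDirectory and check the things sshd and a jailed shell actually need.
# Assumes Linux with a `stat` that accepts -c and a glibc/musl-style `ldd`.

# sshd refuses the chroot ("bad ownership or modes for chroot directory") unless
# every path component from / down to the ChrootDirectory is owned by root and
# is not writable by group or others. Print each offending component. The second
# argument (default 0 = root) only exists so the check can be exercised by an
# unprivileged user; sshd itself insists on root.
chroot_bad_components() {
    dir=$1
    want_uid=${2:-0}
    case $dir in /*) ;; *) echo "$dir: must be an absolute path"; return 1 ;; esac
    while :; do
        uid=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir: owned by uid $uid, expected $want_uid"
        fi
        # Octal mode string: the last digit is "other", the one before it "group";
        # 2, 3, 6 and 7 are the digit values that have the write bit set.
        case $mode in
            *[2367]?|*[2367]) echo "$dir: mode $mode is group- or world-writable" ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
}

# True when chroot_bad_components has nothing to report.
chroot_path_ok() {
    [ -z "$(chroot_bad_components "$@")" ]
}

# Copy a binary and every shared object ldd lists for it into the jail,
# keeping the original paths so the dynamic loader finds them.
jail_install() {
    jail=$1
    bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -L "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/.../libc.so.6 (0x...)" or a bare
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every absolute path. A static
    # binary makes ldd fail, and then there is nothing to copy.
    for lib in $(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}

# Name lookups inside the jail go through NSS, which needs /etc/passwd and
# /etc/group entries, /etc/nsswitch.conf and the "files" backend library; ldd
# never lists libnss_files because it is dlopen()ed. Copy only the named users'
# lines, never the host's whole passwd. /etc/shadow is deliberately not copied;
# add the jailed user's line yourself if su must check a password in the jail.
jail_users() {
    jail=$1
    shift
    mkdir -p "$jail/etc"
    for u in "$@"; do
        grep "^$u:" /etc/passwd >> "$jail/etc/passwd" || echo "warning: no passwd entry for $u" >&2
        grep "^$u:" /etc/group  >> "$jail/etc/group"  || true
    done
    if [ -f /etc/nsswitch.conf ]; then
        cp /etc/nsswitch.conf "$jail/etc/nsswitch.conf"
    fi
    # glibc before 2.34 ships the files backend as a separate library; newer
    # glibc builds it into libc, so finding nothing here is not an error.
    for lib in /lib/*/libnss_files.so.2 /lib64/libnss_files.so.2 /lib/libnss_files.so.2 /usr/lib*/libnss_files.so.2; do
        if [ -f "$lib" ]; then
            mkdir -p "$jail$(dirname "$lib")"
            cp -L "$lib" "$jail$lib"
        fi
    done
}

# Device nodes an interactive session expects. Requires root (mknod).
jail_devices() {
    jail=$1
    mkdir -p "$jail/dev"
    [ -c "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
    [ -c "$jail/dev/zero" ]    || mknod -m 666 "$jail/dev/zero"    c 1 5
    [ -c "$jail/dev/tty" ]     || mknod -m 666 "$jail/dev/tty"     c 5 0
    [ -c "$jail/dev/random" ]  || mknod -m 666 "$jail/dev/random"  c 1 8
    [ -c "$jail/dev/urandom" ] || mknod -m 666 "$jail/dev/urandom" c 1 9
}

# Typical use as root, matching the Match block in the first post (/chrootdir
# and sshuser are the thread's names):
#   mkdir -p /chrootdir && chown root:root /chrootdir && chmod 755 /chrootdir
#   jail_install /chrootdir /bin/bash
#   jail_users /chrootdir sshuser
#   jail_devices /chrootdir
#   chroot_bad_components /chrootdir   # must print nothing before sshd accepts it
```

Run `chroot_bad_components` first, since a jail that fails the ownership or mode check is rejected by sshd before anything inside it matters. On an SELinux host, run `restorecon -R /chrootdir` after populating the jail so the copied files get the labels the policy assigns to those paths, and read the denials with `ausearch -m AVC -c sshd -ts recent` rather than switching enforcement off.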
